Testing EAP-PEAP with freeradius
Hi, I want to deploy the EAP-PEAP in our WLAN hotspot, we are using EAP-TLS before and it works fine with our AP. But a PKI is very inconvenient so we want to migrate to EAP-PEAP. Any changes need to be done to radiusd.conf? The client will provide the user-name and password, the file 'users' will used to match the user-name and password? And is it enough? I mean, in EAP-TLS it also need user-name and password, just left the same as EAP-TLS? And, I also want to know when the AP or Windows client encounter obstacle to cooperate with this change, which client should I use to verify in freeradius side the configuration is work but not the windows client's problem? Can radclient be used and how can I do? I am newbie to this area and may be silly question, any help appreciated. Thanks in advance. Bin Chen
By checking the radius log, I found this: rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Bin Chen wrote:
Hi,
I want to deploy the EAP-PEAP in our WLAN hotspot, we are using EAP-TLS before and it works fine with our AP. But a PKI is very inconvenient so we want to migrate to EAP-PEAP.
Any changes need to be done to radiusd.conf? The client will provide the user-name and password, the file 'users' will used to match the user-name and password? And is it enough? I mean, in EAP-TLS it also need user-name and password, just left the same as EAP-TLS?
And, I also want to know when the AP or Windows client encounter obstacle to cooperate with this change, which client should I use to verify in freeradius side the configuration is work but not the windows client's problem? Can radclient be used and how can I do?
I am newbie to this area and may be silly question, any help appreciated.
Thanks in advance. Bin Chen
Bin Chen wrote:
By checking the radius log, I found this:
rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Why did you deleted the "mschapv2" text from the stock radiusd.conf? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Bin Chen wrote:
By checking the radius log, I found this:
rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Why did you deleted the "mschapv2" text from the stock radiusd.conf?
This is my config file, whats wrong? ## ## radiusd.conf -- FreeRADIUS server configuration file. ## ## http://www.freeradius.org/ ## $Id: radiusd.conf.in,v 1.161 2003/11/17 18:10:27 kkalev Exp $ ## prefix = /usr exec_prefix = ${prefix} sysconfdir = /usr/local/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = 192.168.1.104 port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no Checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } eap { # default_eap_type = tls default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no md5 { } leap { } tls { private_key_password = whatever private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { } mschapv2 { } } mschap { authtype = MS-CHAP } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm realmslash { format = prefix delimiter = "/" } realm suffix { format = suffix delimiter = "@" } realm realmpercent { format = suffix delimiter = "%" } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no } } instantiate { expr } authorize { preprocess eap realmslash suffix files } authenticate { eap } preacct { preprocess suffix files } accounting { acct_unique detail radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap }
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
This is my config file, whats wrong?
apart from being munged into a mix of single file and include files? ;-)
peap { }
huh? This has been sliced and diced! just look at the default eap.conf that comes with FreeRADIUS source code... you should have a default_eap_type = mschapv2 within that section. you have to tell the server the type of inner tunnel EAP to use with PEAP. alan
Bin Chen wrote:
Hi,
I want to deploy the EAP-PEAP in our WLAN hotspot, we are using EAP-TLS before and it works fine with our AP. But a PKI is very inconvenient so we want to migrate to EAP-PEAP.
Any changes need to be done to radiusd.conf? The client will provide the user-name and password, the file 'users' will used to match the user-name and password? And is it enough? I mean, in EAP-TLS it also need user-name and password, just left the same as EAP-TLS?
You need to edit eap.conf and set the default eap type to "peap", enable "mschapv2" in the "peap" section, and correctly configure the "mschap" module in the main radiusd.conf This is well documented.
And, I also want to know when the AP or Windows client encounter obstacle to cooperate with this change, which client should I use to verify in freeradius side the configuration is work but not the windows client's problem? Can radclient be used and how can I do?
See "eapol_test" in the "wpa_supplicant" distribution.
Phil Mayers wrote:
Bin Chen wrote:
Hi,
I want to deploy the EAP-PEAP in our WLAN hotspot, we are using EAP-TLS before and it works fine with our AP. But a PKI is very inconvenient so we want to migrate to EAP-PEAP.
Any changes need to be done to radiusd.conf? The client will provide the user-name and password, the file 'users' will used to match the user-name and password? And is it enough? I mean, in EAP-TLS it also need user-name and password, just left the same as EAP-TLS?
You need to edit eap.conf and set the default eap type to "peap", enable "mschapv2" in the "peap" section, and correctly configure the "mschap" module in the main radiusd.conf
This is well documented.
Thanks all, I have solved, you are so sweet person in this list:)
And, I also want to know when the AP or Windows client encounter obstacle to cooperate with this change, which client should I use to verify in freeradius side the configuration is work but not the windows client's problem? Can radclient be used and how can I do?
See "eapol_test" in the "wpa_supplicant" distribution. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Bin Chen -
Phil Mayers