802.1x + freeradius authentication problem
Hi all, We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP. Our radius server is bound to an LDAP database. We have tested our users with a "radius-test" tool and everything seems to work fine, but when trying to validate in our 802.1x environment, the radius server rejects the user. In fact, although we get a "authorize returns ok", there seems to be an additional check that claims the user has no password. Any ideas? We attach the radiusd log (hope it helps!). Thanks in advance, rad_recv: Access-Request packet from host **NAS_ IP_ADDRESS** port 1027, id=2, length=187 Message-Authenticator = 0xc40883257068815f1b14f3b80780eeab Service-Type = Framed-User User-Name = "ID_of_USER" Framed-MTU = 1488 State = 0xb32f32ffc94e41b83d5af8f919ee449e Called-Station-Id = "00-12-CF-1A-15-80:Eduroam" Calling-Station-Id = "00-0E-35-FE-1F-6D" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200060319 NAS-IP-Address = 1.0.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/158.109.1.15/auth-detail-20070201' rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/NAS_IP_ADDRESS/auth-detail-20070201 radius_xlat: 'Thu Feb 1 17:06:44 2007' modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "ID_of_USER", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Ignoring NAK with request for unknown EAP type modcall[authorize]: module "eap" returns noop for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for ID_of_USER radius_xlat: '(uid=ID_of_USER)' radius_xlat: 'ou=People,dc=my_org,dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=my_org,dc=es, with filter (uid=ID_of_USER) rlm_ldap: Password header not found in password {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER rlm_ldap: Added User-Password = {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = GRUPS_INTERES#951#Servei d'InformÃ?tica rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = USUARI_PROVES#951#Servei d'InformÃ?tica rlm_ldap: user IP_of_USER authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns ok for request 6 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [ID_of_User/<no User-Password attribute>] (from client NAS_IP_ADDRESS port 1 cli 00-0E-35-FE-1F-6D) Delaying request 6 for 1 seconds Finished request 6 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to NAS_IP_ADDRESS port 1027 Filter-Id = "GRUPS_INTERES#951#Servei d'Inform\303\240tica" Cleaning up request 6 ID 2 with timestamp 45c21014 Cleaning up request 5 ID 1 with timestamp 45c21014 Cleaning up request 4 ID 0 with timestamp 45c21014 Nothing to do. Sleeping until we see a request. -- Ramón Barquier Montalbán Comunicacions Servei d'Informàtica Edifici D Campus de la UAB 08193 Bellaterra. Barcelona Tel. +34 935 811 488 Fax: +34 935 812 094 Ramon.Barquier@uab.es www.uab.es/si
Ramon Barquier wrote:
We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP.
Then... configure EAP.
rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Ignoring NAK with request for unknown EAP type
The client is asking to do PEAP, and you haven't configured PEAP on the server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
En/na Alan DeKok ha escrit:
Ramon Barquier wrote:
We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP.
Then... configure EAP.
rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Ignoring NAK with request for unknown EAP type
The client is asking to do PEAP, and you haven't configured PEAP on the server.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, Thanks for your response. We have tried to configure ttls as you suggested in your mail. Unfortunately we have not succeeded. To make things easier, we have tried to set up a completely new configuration, with just one local user called test. Our Windows XP client is using now SecureW2 (with EAP-TTLS/PAP). We attach the connection log. We see the 'negotiation' messages, but no sign of "Success" at the end (neither Wireless connection, of course). Any ideas? ------------------------------------------------------------------------ =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2007.02.02 16:42:42 =~=~=~=~=~=~=~=~=~=~=~= find . -mtime -1 -printls -lafind . -mtime -1 -printcd ..etclscd raddblsvi radiusd.conffg/home/radmgr/freeradius/sbin/radiusd -X -A Config: including file: /home/radmgr/freeradius/etc/raddb/radiusd.conf Config: including file: /home/radmgr/freeradius/etc/raddb/proxy.conf Config: including file: /home/radmgr/freeradius/etc/raddb/clients.conf Config: including file: /home/radmgr/freeradius/etc/raddb/snmp.conf Config: including file: /home/radmgr/freeradius/etc/raddb/eap.conf Config: including file: /home/radmgr/freeradius/etc/raddb/sql.conf Config: including file: /home/radmgr/freeradius/etc/raddb/sql/mysql-dialup.conf FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Jan 16 2007 at 07:30:42 Starting - reading configuration files ... read_config_files: reading dictionary main: prefix = "/home/radmgr/freeradius" main: localstatedir = "/home/radmgr/freeradius/var" main: logdir = "/home/radmgr/freeradius/var/log/radius" main: libdir = "/home/radmgr/freeradius/lib" main: radacctdir = "/home/radmgr/freeradius/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/home/radmgr/freeradius/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/home/radmgr/freeradius/var/run/radiusd/radiusd.pid" main: user = "radmgr" main: checkrad = "/home/radmgr/freeradius/sbin/checkrad" main: debug_level = 0 main: proxy_requests = yes log: syslog_facility = "daemon" proxy: retry_delay = 5 proxy: retry_count = 3 proxy: default_fallback = yes proxy: dead_time = 120 proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no read_config_files: reading realms main: port = 1812 listen: type = "auth" listen: ipaddr = 10.0.0.11 IP address [10.0.0.11] listen: port = 11812 listen: type = "acct" listen: ipaddr = * listen: port = 11813 client: secret = "testing" client: shortname = "localhost" client: nastype = "other" client: secret = "testing" client: shortname = "10.0.164.205" client: secret = "testing" client: shortname = "10.0.170.53" radiusd: entering modules setup Module: Library search path is /home/radmgr/freeradius/lib Module: Loaded exec exec: wait = yes exec: input_pairs = "request" exec: shell_escape = yes rlm_exec: wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded expiration expiration: reply-message = "Password Has Expired " Module: Instantiated expiration (expiration) Module: Loaded logintime logintime: reply-message = "You are calling outside your allowed timespan " logintime: minimum-timeout = 60 Module: Instantiated logintime (logintime) Module: Loaded PAP pap: encryption_scheme = "auto" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: pem_file_type = yes tls: private_key_file = "/home/radmgr/freeradius/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/home/radmgr/freeradius/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/home/radmgr/freeradius/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "xxxxxxx" tls: dh_file = "/home/radmgr/freeradius/etc/raddb/certs/dh" tls: random_file = "/home/radmgr/freeradius/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/home/radmgr/freeradius/etc/raddb/huntgroups" preprocess: hints = "/home/radmgr/freeradius/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: header = "%t" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no detail: log_packet_header = no Module: Instantiated detail (auth_log) Module: Loaded files files: usersfile = "/home/radmgr/freeradius/etc/raddb/users" files: acctusersfile = "/home/radmgr/freeradius/etc/raddb/acct_users" files: preproxy_usersfile = "/home/radmgr/freeradius/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: header = "%t" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no detail: log_packet_header = no Module: Instantiated detail (detail) Module: Loaded System unix: radwtmp = "/home/radmgr/freeradius/var/log/radius/radwtmp" Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/home/radmgr/freeradius/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded attr_filter attr_filter: attrsfile = "/home/radmgr/freeradius/etc/raddb/attrs.accounting_response" attr_filter: key = "%{User-Name}" Module: Instantiated attr_filter (attr_filter.accounting_response) detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" detail: header = "%t" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no detail: log_packet_header = no Module: Instantiated detail (reply_log) attr_filter: attrsfile = "/home/radmgr/freeradius/etc/raddb/attrs.access_reject" attr_filter: key = "%{User-Name}" Module: Instantiated attr_filter (attr_filter.access_reject) Initializing the thread pool... Listening on authentication address 10.0.0.11 port 11812 Listening on accounting address * port 11813 Listening on proxy address 10.0.0.11 port 11814 Ready to process requests. Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=0, length=169 Message-Authenticator = 0x684003590372513db1c8c0172cce4e24 Service-Type = Framed-User User-Name = "test" Framed-MTU = 1488 Called-Station-Id = "00-12-CF-1A-15-80:Eduroam" Calling-Station-Id = "00-0E-35-FE-1F-6D" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020000090174657374 NAS-IP-Address = 1.0.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202' rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202 radius_xlat: 'Fri Feb 2 16:42:56 2007' modcall[authorize]: module "auth_log" returns ok for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry test at line 93 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 10.0.1.15 port 1027 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x125a0c9a48141a42f6dfbf6d92b85018 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=1, length=238 Message-Authenticator = 0xede79451101fbad4fbb1516c9a7d89e9 Service-Type = Framed-User User-Name = "test" Framed-MTU = 1488 State = 0x125a0c9a48141a42f6dfbf6d92b85018 Called-Station-Id = "00-12-CF-1A-15-80:Eduroam" Calling-Station-Id = "00-0E-35-FE-1F-6D" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201003c158000000032160301002d0100002903014dd9269456336a81ed0e49e5c6d26e71262af49d73effbd2d1ad24236bbde800000002000a0100 NAS-IP-Address = 1.0.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202' rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202 radius_xlat: 'Fri Feb 2 16:42:56 2007' modcall[authorize]: module "auth_log" returns ok for request 1 rlm_eap: EAP packet type response id 1 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry test at line 93 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 1 to 10.0.1.15 port 1027 EAP-Message = 0x0102040a15c00000054f160301004a02000046030145c35c00c5dd3c92df539312bdf4cc2b0664e6679e57c6b8f85d5420cbde506220f4a62af3e1e21491cf118af4937886a28593ae4e5e88f94dcf2f77c16b9c753b000a0016030104f20b0004ee0004eb00024c30820248308201b1a003020102020101300d06092a864886f70d01010505003052310b3009060355040613024553311230100603550408130942617263656c6f6e61310c300a060355040a1303554142310b3009060355040b13025349311430120603550403130b70726f7661726164697573301e170d3037303131363138343330305a170d3038303131363138343330305a3069 EAP-Message = 0x310b3009060355040613024553311230100603550408130942617263656c6f6e61311330110603550407130a42656c6c617465727261310c300a060355040a1303554142310b3009060355040b13025349311630140603550403130d6a75616e616e2e7561622e657330819f300d06092a864886f70d010101050003818d0030818902818100bd889f95d9b0a16e6360088d62c7ff539ec2dd9c7115780c9d24d10cd89f9de6227db8aa6a97b898be86b46bb548c6891b28fceb1b06d2fe6d7395c4be05359996aedf01e01a0690074efd0234462b466014bc3d9afb321ae65ddb18e90165c12b411d1920bad1323ecd166c096be0a6148061110866c3 EAP-Message = 0x935c511cca72c94f030203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181002e4033d6f6f2668a451296510b35d267f9e77f99d605724905300b80bf852fd733add9a4cee9a71b00d3fa7a5b24148f9c185f30c7a2def8721b125d5af122a433b56e752bb527b514454d8dade7ed6eb27d7331313dac28568ed258363f48da3631aac660caef6baebcddfdca3a4a13d1c9e6a681b6fcfc40422e88c3ebb20000029930820295308201fea003020102020100300d06092a864886f70d01010505003052310b3009060355040613024553311230100603550408130942617263656c6f EAP-Message = 0x6e61310c300a060355040a1303554142310b3009060355040b13025349311430120603550403130b70726f7661726164697573301e170d3037303131363138333933325a170d3130303131353138333933325a3052310b3009060355040613024553311230100603550408130942617263656c6f6e61310c300a060355040a1303554142310b3009060355040b13025349311430120603550403130b70726f766172616469757330819f300d06092a864886f70d010101050003818d0030818902818100c33d2b97f70df69f6bd19e0766a452aaf060523f9655a4d372729e34132d78e40df0aa3e8f615058964a97d88a89bfd2fb8654283bd12f1fbe EAP-Message = 0xfcf08e632a72e724041fd9648cde4cbf35468267c805 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9b073dc5a0997740cd7d044a6a88b433 Finished request 1 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=2, length=184 Message-Authenticator = 0xa730084ccfaa9745119db3671a73f629 Service-Type = Framed-User User-Name = "test" Framed-MTU = 1488 State = 0x9b073dc5a0997740cd7d044a6a88b433 Called-Station-Id = "00-12-CF-1A-15-80:Eduroam" Calling-Station-Id = "00-0E-35-FE-1F-6D" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061500 NAS-IP-Address = 1.0.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202' rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202 radius_xlat: 'Fri Feb 2 16:42:56 2007' modcall[authorize]: module "auth_log" returns ok for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry test at line 93 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 2 to 10.0.1.15 port 1027 EAP-Message = 0x0103015915800000054f7697fbb421046882af2076df0805f1ca1bd01b849e20d3981eaa50948cc113beb0fccb08aef3be80fcee2454c8b2d2f50b0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414e9b3ffbf0cd121556b28b7bc4049d5eee649ddb9301f0603551d23041830168014e9b3ffbf0cd121556b28b7bc4049d5eee649ddb9300d06092a864886f70d01010505000381810041bf8430b618f3297290973694e4784a9181c6c6f0290cbaa5509e1836e99c69652b924105c0a76e949567e4d4 EAP-Message = 0x84a487f4336f7dc2cdd0632c375223dd02fcf62cb558e39ce5b3d1bf4045daa1d19057beabf65b0f14abbaadbff175a6e9fdfddcad77478f10b621751568ee3b7d97c38e91c25d0624b0ec6ec12503924a786f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cebe4a2ccb87aa9ab3d6385ae6ebea0 Finished request 2 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 2 with timestamp 45c35c00 Cleaning up request 1 ID 1 with timestamp 45c35c00 Cleaning up request 0 ID 0 with timestamp 45c35c00 Nothing to do. Sleeping until we see a request. -- Ramón Barquier Montalbán Comunicacions Servei d'Informàtica Edifici D Campus de la UAB 08193 Bellaterra. Barcelona Tel. +34 935 811 488 Fax: +34 935 812 094 Ramon.Barquier@uab.es www.uab.es/si
Alan,
Thanks for your response.
We have tried to configure ttls as you suggested in your mail. Unfortunately we have not succeeded.
To make things easier, we have tried to set up a completely new configuration, with just one local user called test. Our Windows XP client is using now SecureW2 (with EAP-TTLS/PAP). We attach the connection log.
We see the 'negotiation' messages, but no sign of "Success" at the end (neither Wireless connection, of course).
Any ideas?
I only gave a quick look at the debug log... As a SecureW2 user myslef I would first check if this is not a certificate verification issue on the Client side (because I suspect the EAP-TLS connection to have been interrupted by the client). Can you: * make a test with verify server certificate disabled on SecureW2 * If this changes the debug log: make sure you have corectly installed your CA's certificate on the HOST certificate store on Windows XP, also check the server name you gave to SecureW2 (it should match your radius' server CN). Let me know, Thibault
I am having a hard time getting FreeRadius to log the FramedIPAddress in my MySQL database. This worked perfectly when I was using ICRadius, but quit when I upgraded (migrated) to FreeRadius over a year ago. Anyone now what I need to look at to enable this once agin? Thanks, Scott
Ramon Barquier wrote:
We see the 'negotiation' messages, but no sign of "Success" at the end (neither Wireless connection, of course).
The client stops talking to the server. This is in the FAQ. Read it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Ramon Barquier -
Scott Miller -
Thibault Le Meur