Hi Friends, I want to test radiusd with radeapclient. I am following from radeapclient man page, and using "./radeapclient -x localhost auth testing123 <req.txt". req.txt is like this, User-Name = "bob" EAP-MD5-Password = "hello" NAS-IP-Address = marajade.sandelman.ottawa.on.c EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "bob" Message-Authenticator = 0x00 NAS-Port = 0 But radeapclient is getting access-reject with Failure EAP-Code from radiusd (running like ./radiusd -X in another console). ============== +++> About to send encoded packet: User-Name = "bob" EAP-MD5-Password = "hello" NAS-IP-Address = 255.255.255.255 EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "bob" Message-Authenticator = 0x00 NAS-Port = 0 Sending Access-Request of id 116 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 255.255.255.255 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Message = 0x02d2000801626f62 rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=116, length=80 EAP-Message = 0x01d30016041066eb786fd424a0ee6f85a194ea8c9d30 Message-Authenticator = 0x323ec83f657e741fc131ba05f1bac39f State = 0xa3e884a46fc0e687c2bce84c917cc61e <+++ EAP decoded packet: EAP-Message = 0x01d30016041066eb786fd424a0ee6f85a194ea8c9d30 Message-Authenticator = 0x323ec83f657e741fc131ba05f1bac39f State = 0xa3e884a46fc0e687c2bce84c917cc61e EAP-Id = 211 EAP-Code = Request EAP-Type-MD5 = 0x1066eb786fd424a0ee6f85a194ea8c9d30 +++> About to send encoded packet: User-Name = "bob" EAP-MD5-Password = "hello" NAS-IP-Address = 255.255.255.255 EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Type-MD5 = 0x108d31440ff81df18a9294cd9bd36bdce6 State = 0xa3e884a46fc0e687c2bce84c917cc61e Sending Access-Request of id 117 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 255.255.255.255 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 State = 0xa3e884a46fc0e687c2bce84c917cc61e EAP-Message = 0x02d3001604108d31440ff81df18a9294cd9bd36bdce6 Re-sending Access-Request of id 117 to 127.0.0.1 port 1812 User-Name = "bob" EAP-MD5-Password = "hello" NAS-IP-Address = 255.255.255.255 EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Type-MD5 = 0x108d31440ff81df18a9294cd9bd36bdce6 State = 0xa3e884a46fc0e687c2bce84c917cc61e EAP-Message = 0x02d3001604108d31440ff81df18a9294cd9bd36bdce6 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=117, length=44 EAP-Message = 0x04d30004 Message-Authenticator = 0x083613356791ba254aa786ddbb62d393 <+++ EAP decoded packet: EAP-Message = 0x04d30004 Message-Authenticator = 0x083613356791ba254aa786ddbb62d393 EAP-Id = 211 EAP-Code = Failure ============== I have added in radiusd.conf the following info eap { default_eap_type = md5 md5 { } ==================================== My queries are as following.. Do I need to add any md5 related attributes in server configuration? I have found in some file like digest-auth-MD5 "<>/freeradius-1.1.7/src/tests", but not sure how to inform radiusd server about this file. Also do not find any documentation about usage of "digest-auth-MD5". Any information/help regarding this is highly appreciated. Kind Regards, Nilanjan
Nilanjan Sarkar wrote:
I want to test radiusd with radeapclient. I am following from radeapclient man page, and using "./radeapclient -x localhost auth testing123 <req.txt". ... But radeapclient is getting access-reject with Failure EAP-Code from radiusd (running like ./radiusd -X in another console).
Please post that. The README, FAQ, INSTALL, etc. all say to do this.
Do I need to add any md5 related attributes in server configuration?
No. http://deployingradius.com/documents/configuration/pap.html
I have found in some file like digest-auth-MD5 "<>/freeradius-1.1.7/src/tests", but not sure how to inform radiusd server about this file. Also do not find any documentation about usage of "digest-auth-MD5".
You don't inform radius about those files. They are tests. If you don't understand what they do, ignore them. Alan DeKok.
Hi Alan, Ivan, Thanks for the reply. I have posted the log below. After observing the radiusd log, I guess the authentication failed due to this ----------------- rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select ----------------- Do you have information about what does it mean? Here is the full radiusd log for your reference. Kind Regards, Nilanjan LOG: <./radiusd -X> =============================================================== Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32940, id=144, length=65 User-Name = "bob" NAS-IP-Address = 255.255.255.255 Message-Authenticator = 0xa60a0c258dad3abb53aea01bf11f49c0 NAS-Port = 0 EAP-Message = 0x02d2000801626f62 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 210 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication m ay fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 144 to 127.0.0.1 port 32940 EAP-Message = 0x01d300160410a3b0bad42fe0907b49b1a040d29b3f0c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64c86949f0febe84aa06ac1938cb3768 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32940, id=145, length=97 User-Name = "bob" NAS-IP-Address = 255.255.255.255 Message-Authenticator = 0x4ac0488daabee8edcd3f63f9b43131ae NAS-Port = 0 State = 0x64c86949f0febe84aa06ac1938cb3768 EAP-Message = 0x02d300160410daf91e69f62c17f3cbd3dc31ec0936b1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 211 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication m ay fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: leaving group authenticate (returns invalid) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32940, id=145, length=97 Sending Access-Reject of id 145 to 127.0.0.1 port 32940 EAP-Message = 0x04d30004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 144 with timestamp 47610c4b Cleaning up request 1 ID 145 with timestamp 47610c4b Nothing to do. Sleeping until we see a request. ===============================================================
Nilanjan Sarkar wrote:
Thanks for the reply. I have posted the log below.
That's one piece of the solution.
After observing the radiusd log, I guess the authentication failed due to this ... Do you have information about what does it mean?
Yes. Go read the web page I posted my last email. It contains the solution to your problem. I don't see any point in re-posting that information on this mailing list. The documentation exists, you have been told where it exists, and you now need to go read it, and follow the instructions given there. Alan DeKok.
Hi Alan, Ivan, After adding entry in users file, this is working correctly now. Thanks a lot for your help. Kind Regards, Nilanjan -----Original Message----- From: freeradius-users-bounces+nilanjans=condornetworks.com@lists.freeradius.org [mailto:freeradius-users-bounces+nilanjans=condornetworks.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Thursday, December 13, 2007 4:47 PM To: FreeRadius users mailing list Subject: Re: Need help to test EAP-MD5 Nilanjan Sarkar wrote:
Thanks for the reply. I have posted the log below.
That's one piece of the solution.
After observing the radiusd log, I guess the authentication failed due to this ... Do you have information about what does it mean?
Yes. Go read the web page I posted my last email. It contains the solution to your problem. I don't see any point in re-posting that information on this mailing list. The documentation exists, you have been told where it exists, and you now need to go read it, and follow the instructions given there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.17.1/1182 - Release Date: 12/12/2007 11:29 AM
Dana 13/12/2007, "Nilanjan Sarkar" <nilanjans@condornetworks.com> piše:
Hi Alan, Ivan,
Thanks for the reply. I have posted the log below.
After observing the radiusd log, I guess the authentication failed due to this ----------------- rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select -----------------
Do you have information about what does it mean?
It means that server couldn't find the password for that user. Where is the password? Users file? Somewhere else? Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Nilanjan Sarkar -
tnt@kalik.co.yu