** High Priority ** ** Reply Requested When Convenient ** Hi, I have configure freeradius ver 1.1.5 on an MS XP Box. I need to authenticate and authorize MS Windows XP clients (people connect to Access Point manage by an 3Com wireless switch). I have set up the windos box's for EAP-PEAP and MSCHAP Here is the resaults from the debug Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: ../etc/raddb/proxy.conf Config: including file: ../etc/raddb/clients.conf Config: including file: ../etc/raddb/snmp.conf Config: including file: ../etc/raddb/eap.conf main: prefix = ".." main: localstatedir = "../var" main: logdir = "../var/log/radius" main: libdir = "../lib" main: radacctdir = "../var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "../var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "../var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "../sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is ../lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "../var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem" tls: certificate_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt" tls: CA_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt" tls: private_key_password = "demo" tls: dh_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh" tls: random_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "%{User-Name}" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "../etc/raddb/huntgroups" preprocess: hints = "../etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = yes preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "../etc/raddb/users" files: acctusersfile = "../etc/raddb/acct_users" files: preproxy_usersfile = "../etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded Counter counter: filename = "../etc/raddb/db.daily" counter: key = "User-Name" counter: reset = "daily" counter: count-attribute = "Acct-Session-Time" counter: counter-name = "Daily-Session-Time" counter: check-name = "Max-Daily-Session" counter: allowed-servicetype = "Framed-User" counter: cache-size = 5000 rlm_counter: Counter attribute Daily-Session-Time is number 1830 rlm_counter: Current Time: 1190188203 [2007-09-19 09:50:03], Next reset 1190239200 [2007-09-20 00:00:00] Module: Instantiated counter (daily) Module: Loaded radutmp radutmp: filename = "../var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 511 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (pre_proxy_log) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (post_proxy_log) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149 NAS-Port-Id = "2/1" Calling-Station-Id = "00-0F-CB-FA-D4-63" Called-Station-Id = "00-18-6E-95-A2-C0:ELHC" Service-Type = Framed-User EAP-Message = 0x0201001401434e393030305c3533393836303637 User-Name = "CN9000\\53986067" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 10.219.157.232 Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log' rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry 53986067 at line 84 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 63 to 10.219.157.232 port 20000 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 63 with timestamp 46f0d4b4 Nothing to do. Sleeping until we see a request.
Wayne, hoekom doen jy nie jou EAP-PEAP authentication van 'n linux box af nie? jy sal jou lewe soveel makliker maak. On 9/20/07, WAYNE VANDERMERWE <WAYNE.VANDERMERWE@impilo.ecprov.gov.za> wrote:
Hi,
I have configure freeradius ver 1.1.5 on an MS XP Box. I need to authenticate and authorize MS Windows XP clients (people connect to Access Point manage by an 3Com wireless switch). I have set up the windos box's for EAP-PEAP and MSCHAP
Here is the resaults from the debug
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: ../etc/raddb/proxy.conf Config: including file: ../etc/raddb/clients.conf Config: including file: ../etc/raddb/snmp.conf Config: including file: ../etc/raddb/eap.conf main: prefix = ".." main: localstatedir = "../var" main: logdir = "../var/log/radius" main: libdir = "../lib" main: radacctdir = "../var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "../var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "../var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "../sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is ../lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "../var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem" tls: certificate_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt" tls: CA_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt" tls: private_key_password = "demo" tls: dh_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh" tls: random_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "%{User-Name}" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "../etc/raddb/huntgroups" preprocess: hints = "../etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = yes preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "../etc/raddb/users" files: acctusersfile = "../etc/raddb/acct_users" files: preproxy_usersfile = "../etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded Counter counter: filename = "../etc/raddb/db.daily" counter: key = "User-Name" counter: reset = "daily" counter: count-attribute = "Acct-Session-Time" counter: counter-name = "Daily-Session-Time" counter: check-name = "Max-Daily-Session" counter: allowed-servicetype = "Framed-User" counter: cache-size = 5000 rlm_counter: Counter attribute Daily-Session-Time is number 1830 rlm_counter: Current Time: 1190188203 [2007-09-19 09:50:03], Next reset 1190239200 [2007-09-20 00:00:00] Module: Instantiated counter (daily) Module: Loaded radutmp radutmp: filename = "../var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 511 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (pre_proxy_log) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (post_proxy_log) detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d.log" detail: detailperm = 511 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149 NAS-Port-Id = "2/1" Calling-Station-Id = "00-0F-CB-FA-D4-63" Called-Station-Id = "00-18-6E-95-A2-C0:ELHC" Service-Type = Framed-User EAP-Message = 0x0201001401434e393030305c3533393836303637 User-Name = "CN9000\\53986067" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 10.219.157.232 Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth- detail-20070919.log' rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth- detail-20070919.log modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' <%27@%27> in User-Name = "53986067", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry 53986067 at line 84 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 63 to 10.219.157.232 port 20000 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 63 with timestamp 46f0d4b4 Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
** High Priority ** ** Reply Requested When Convenient **
What? This isnt a paid-for service. answers given on this mailing list are given in community spirit. however, should you wish to take any of us on in a consulting role for usual financial reimbursements under contractual agreement ona commercial basis then i am sure that such requests would be taken for granted. so, PEAP isnt working. have you tested from a non windows box to ensure that you havent fallen foul of the usual EAP problems - as clearly noted at the top of eap.conf? if so, then i would be concerned by this int he debug:
modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
what are you doing with the User-Name and/or identity? you cant play with those packets as it breaks EAP. the debug also looks worryingly short. you should post the whole debug. also, HOW are you authenticating the users? you dont have ntlm_auth set and LDAP doesnt seem to be doing anything...I fear very very much that you have some Auth-Type := EAP in yours users file or something worse! please post your config files. oh, and dont hurry, i'm certainly not demanding an urgent response. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Donny Jekels -
WAYNE VANDERMERWE