FreeRadius MAC address authorization (no authentication)
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction. Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius. After digging more, I realize that Authorization using checkval module is enough to verified valid MAC address from Wireless Client. But my question is how can I use only Authorization where Authentication will always return Access-Accept. Here is my radiusd -X output: Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=183, length=199 User-Name = "PIDEL-3C5B30E9C\\Administrator" NAS-IP-Address = 10.0.0.2 NAS-Port = 0 Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1" Calling-Station-Id = "00-21-00-0B-68-E3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72 Message-Authenticator = 0x891b437263cd48909255484bb081c823 +- entering group authorize ++[preprocess] returns ok .... .... rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Sending Access-Reject of id 183 to 10.0.0.2 port 1027 Finished request 0. Thanks in advance. Ramot Lubis.
hi you can only send the Accounting requests.no access accept request to use it. els is you have to configure radiusd.conf in raddb for auth-type On Fri, Aug 8, 2008 at 7:26 AM, Ramot Lubis <ramot.lubis@gmail.com> wrote:
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction. Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
After digging more, I realize that Authorization using checkval module is enough to verified valid MAC address from Wireless Client. But my question is how can I use only Authorization where Authentication will always return Access-Accept.
Here is my radiusd -X output:
Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=183, length=199 User-Name = "PIDEL-3C5B30E9C\\Administrator" NAS-IP-Address = 10.0.0.2 NAS-Port = 0 Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1" Calling-Station-Id = "00-21-00-0B-68-E3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72 Message-Authenticator = 0x891b437263cd48909255484bb081c823 +- entering group authorize ++[preprocess] returns ok .... .... rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Sending Access-Reject of id 183 to 10.0.0.2 port 1027 Finished request 0.
Thanks in advance.
Ramot Lubis. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Yawar Hadi Noshahi QAU Islamabad (+92-0300-5504798)
Ramot Lubis wrote:
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction.
Could you explain?
Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
Does that mean you won't be installing the hotfix? If so, it's likely that XP may not work. And it's not "compatibility with FreeRADIUS", it's "following the standards". FreeRADIUS works with every other supplicant that exists. Microsoft keeps breaking their supplicants with new releases of their OS, and *every* RADIUS server has to change in order to "be compatible".
After digging more, I realize that Authorization using checkval module is enough to verified valid MAC address from Wireless Client.
I would not use the checkval module. Try using another module.
But my question is how can I use only Authorization where Authentication will always return Access-Accept.
You can do MAC address checking in the "authorization" stage.
Here is my radiusd -X output: ... EAP-Message = 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72 Message-Authenticator = 0x891b437263cd48909255484bb081c823 ... auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You edited the default configuration and broke it. Don't do that. Alan DeKok.
Yes, I aim not to install hotfix in Windows XP client. My main purpose is to check valid MAC address of every Wireless Device (with Windows XP SP2). Based on "radiusd -X" log in my previous email, I tried to conclude that even in Authorization phase, calling-station-id has been validated to be match with MAC address data in SQL db. In this case, I don't need further Authentication phase. However, I dont know how to configure radius server to ignore authentication phase. Is there any idea for me to follow? thanks in advance. On Fri, Aug 8, 2008 at 12:44 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction.
Could you explain?
Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
Does that mean you won't be installing the hotfix? If so, it's likely that XP may not work. And it's not "compatibility with FreeRADIUS", it's "following the standards". FreeRADIUS works with every other supplicant that exists. Microsoft keeps breaking their supplicants with new releases of their OS, and *every* RADIUS server has to change in order to "be compatible".
After digging more, I realize that Authorization using checkval module is enough to verified valid MAC address from Wireless Client.
I would not use the checkval module. Try using another module.
But my question is how can I use only Authorization where Authentication will always return Access-Accept.
You can do MAC address checking in the "authorization" stage.
Here is my radiusd -X output: ... EAP-Message = 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72 Message-Authenticator = 0x891b437263cd48909255484bb081c823 ... auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You edited the default configuration and broke it. Don't do that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
Yes, I aim not to install hotfix in Windows XP client.
Good luck.
My main purpose is to check valid MAC address of every Wireless Device (with Windows XP SP2). Based on "radiusd -X" log in my previous email, I tried to conclude that even in Authorization phase, calling-station-id has been validated to be match with MAC address data in SQL db. In this case, I don't need further Authentication phase.
That's not how EAP-TLS works.
However, I dont know how to configure radius server to ignore authentication phase. Is there any idea for me to follow?
If you only need to do MAC authentication, see MAC authentication bypass, which is in Cisco switches. Alan DeKok.
Hi,
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction. Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
there is no hotfix for EAP/TLS compatability. there ARE 2 important windows hotfixes for wireless supplicant bahaviour etc.
is enough to verified valid MAC address from Wireless Client. But my question is how can I use only Authorization where Authentication will always return Access-Accept.
you cant. if you're trying to use PEAP than you must follow all the specifications and return the correct stuff when and as needed. you cant just throw back an accept. if you want a noddy poor wireless infrastructure then just go for WPa-PSK or even a MAC-based captive portal alan
Thanks for all advices. So, I decide to change my course. Now, I am using default radiusd.conf. I have installed hotfix for supplicant Windows XP SP2. I have also installed Certificate on supplicant based. Btw, I am using Linksys WAP4400N as my NAS access point now I still got this clueless log messages. Please, help me. rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for unsupported type 25 rlm_eap: No common EAP types found. rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> PIDEL-3C5B30E9C\Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 3 to 10.0.0.2 port 1027 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 thanks in advance. On Fri, Aug 8, 2008 at 2:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
Yes, I aim not to install hotfix in Windows XP client.
Good luck.
My main purpose is to check valid MAC address of every Wireless Device (with Windows XP SP2). Based on "radiusd -X" log in my previous email, I tried to conclude that even in Authorization phase, calling-station-id has been validated to be match with MAC address data in SQL db. In this case, I don't need further Authentication phase.
That's not how EAP-TLS works.
However, I dont know how to configure radius server to ignore authentication phase. Is there any idea for me to follow?
If you only need to do MAC authentication, see MAC authentication bypass, which is in Cisco switches.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Aug 8, 2008 at 2:13 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction. Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
there is no hotfix for EAP/TLS compatability. there ARE 2 important windows hotfixes for wireless supplicant bahaviour etc.
is enough to verified valid MAC address from Wireless Client. But my question is how can I use only Authorization where Authentication will always return Access-Accept.
you cant. if you're trying to use PEAP than you must follow all the specifications and return the correct stuff when and as needed. you cant just throw back an accept. if you want a noddy poor wireless infrastructure then just go for WPa-PSK or even a MAC-based captive portal
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
now I still got this clueless log messages. Please, help me.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for unsupported type 25 rlm_eap: No common EAP types found.
The client asked for an EAP type which is not configured in your server. Check eap.conf and uncomment the tls { } section for doing EAP-TLS. If you also want to enable PEAP, also uncomment the peap { } and maschapv2 { } sections. Greetings, Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
thanks Stefan. it's already uncommented by default. I didn't change any default value except the SQL authorization. I wonder what might be the problem? rgds. On Fri, Aug 8, 2008 at 2:53 PM, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
now I still got this clueless log messages. Please, help me.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for unsupported type 25 rlm_eap: No common EAP types found.
The client asked for an EAP type which is not configured in your server. Check eap.conf and uncomment the tls { } section for doing EAP-TLS. If you also want to enable PEAP, also uncomment the peap { } and maschapv2 { } sections.
Greetings,
Stefan
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Tel: +352 424409 1 Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
thanks Stefan. it's already uncommented by default. I didn't change any default value except the SQL authorization. I wonder what might be the problem?
You haven't installed the OpenSSL libraries and header files. As a result, FreeRADIUS wasn't built with support for PEAP. Run the server in debug mode, and read the output. When it's loading the EAP module, it will TELL YOU that it's not loading PEAP. It will also tell you why it's not loading PEAP. Alan DeKok.
Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now PEAP is running. But I still have problem with authentication. I put the log here. Please, tell me what my next mistake is. rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=76, length=189 User-Name = "PIDEL-3C5B30E9C\\Administrator" NAS-IP-Address = 10.0.0.2 NAS-Port = 0 Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1" Calling-Station-Id = "00-21-00-0B-68-E3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020c00061900 State = 0x61fcdc3962f0c5fd5ac44742bec48a4e Message-Authenticator = 0xf9de9a4b155e31af40d1602df959ad77 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "PIDEL-3C5B30E9C\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 12 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 76 to 10.0.0.2 port 1027 EAP-Message = 0x010d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x61fcdc3965f1c5fd5ac44742bec48a4e Finished request 9. rgds On Fri, Aug 8, 2008 at 3:06 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
thanks Stefan. it's already uncommented by default. I didn't change any default value except the SQL authorization. I wonder what might be the problem?
You haven't installed the OpenSSL libraries and header files. As a result, FreeRADIUS wasn't built with support for PEAP.
Run the server in debug mode, and read the output. When it's loading the EAP module, it will TELL YOU that it's not loading PEAP. It will also tell you why it's not loading PEAP.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now PEAP is running. But I still have problem with authentication.
I put the log here. Please, tell me what my next mistake is. [...] Sending Access-Challenge of id 76 to 10.0.0.2 port 1027 EAP-Message = 0x010d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x61fcdc3965f1c5fd5ac44742bec48a4e Finished request 9.
Lucky guess... http://deployingradius.com/documents/configuration/eap-problems.html :-) kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
hi siply go to raddb directory and explore users dictionery file... 2:see any example of user with password in that file 3:similerly add a user with password. and now try it. it will work.. On Fri, Aug 8, 2008 at 2:02 PM, Lech Karol Pawłaszek <ike@szluug.org> wrote:
Ramot Lubis wrote:
Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now PEAP is running. But I still have problem with authentication.
I put the log here. Please, tell me what my next mistake is.
[...]
Sending Access-Challenge of id 76 to 10.0.0.2 port 1027 EAP-Message = 0x010d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x61fcdc3965f1c5fd5ac44742bec48a4e Finished request 9.
Lucky guess...
http://deployingradius.com/documents/configuration/eap-problems.html
:-) kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Yawar Hadi Noshahi QAU Islamabad (+92-0300-5504798)
As you guess, now I am stucked in EAP problem as described in http://deployingradius.com/documents/configuration/eap-problems.html Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens. I have followed the instructed solution on the web, but I still have the same problem. What might be the trouble? this is my log output: rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=169, length=189 User-Name = "PIDEL-3C5B30E9C\\Administrator" NAS-IP-Address = 10.0.0.2 NAS-Port = 0 Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1" Calling-Station-Id = "00-21-00-0B-68-E3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020c00061900 State = 0x8e584f678d5456652c4dc94a57520460 Message-Authenticator = 0x7b7251c229539af1b067c6bf5161a3e8 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "PIDEL-3C5B30E9C\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 12 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 169 to 10.0.0.2 port 1027 EAP-Message = 0x010d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e584f678a5556652c4dc94a57520460 Finished request 9. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 165 with timestamp +305 Cleaning up request 6 ID 166 with timestamp +305 Cleaning up request 7 ID 167 with timestamp +305 Cleaning up request 8 ID 168 with timestamp +305 Cleaning up request 9 ID 169 with timestamp +305 Ready to process requests. thanks. On Fri, Aug 8, 2008 at 4:02 PM, Lech Karol Pawłaszek <ike@szluug.org> wrote:
Ramot Lubis wrote:
Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now PEAP is running. But I still have problem with authentication.
I put the log here. Please, tell me what my next mistake is.
[...]
Sending Access-Challenge of id 76 to 10.0.0.2 port 1027 EAP-Message = 0x010d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x61fcdc3965f1c5fd5ac44742bec48a4e Finished request 9.
Lucky guess...
http://deployingradius.com/documents/configuration/eap-problems.html
:-) kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens.
Which OS are you using as a client? Are you using the default certificates that are created with the server?
I have followed the instructed solution on the web, but I still have the same problem. What might be the trouble?
You're likely running Windows. Even Microsoft has a hard time getting Windows to do 802.1X. Alan DeKok.
Yes, I am using Windows XP as client. I have followed these steps: 1. Creating production certificate as described in http://deployingradius.com/documents/configuration/certificates.html 2. update hotfix as described in http://support.microsoft.com/kb/885453/en-us 3. Install certificate ca.der into Windows client. Use the new installed certificate in client when using PEAP from client. what else should I do? thanks in advance. On Fri, Aug 8, 2008 at 8:00 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens.
Which OS are you using as a client?
Are you using the default certificates that are created with the server?
I have followed the instructed solution on the web, but I still have the same problem. What might be the trouble?
You're likely running Windows. Even Microsoft has a hard time getting Windows to do 802.1X.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
1. Creating production certificate as described in http://deployingradius.com/documents/configuration/certificates.html 2. update hotfix as described in http://support.microsoft.com/kb/885453/en-us 3. Install certificate ca.der into Windows client. Use the new installed certificate in client when using PEAP from client.
For instructions on debugging the client side, see: http://deployingradius.com/documents/configuration/eap-problems.html Alan DeKok.
I guess, Windows XP client has been able to communicate (EAP problem has been fixed) according to the following log. However, the client has not been authenticated because of username and password problem, but its OK since my purpose is to authenticate based on client MAC address rather than username/password. My question is how can I configure FreeRadius to authenticate client based on MAC address? Is there in possibility to use "unlang", if so how can I use unlang to authenticate client MAC address. thanks in advance. ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for PIDEL-3C5B30E9C\Administrator with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 52 to 10.0.0.2 port 1027 EAP-Message = 0x010800261900170301001b916dabf876b637e708a5f0472e047d95636c8d755a4db6398bfd5a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8a10c0598209f9d72120367b73e4be Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=53, length=221 User-Name = "PIDEL-3C5B30E9C\\Administrator" NAS-IP-Address = 10.0.0.2 NAS-Port = 0 Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1" Calling-Station-Id = "00-21-00-0B-68-E3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800261900170301001b09c3f1df213e452b936c4d3a3a42a177644f14e998e6d36c128a55 State = 0x5e8a10c0598209f9d72120367b73e4be Message-Authenticator = 0xaa9d67c2641d1c6281c0b7e1dcff3aec +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "PIDEL-3C5B30E9C\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> PIDEL-3C5B30E9C\Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 53 to 10.0.0.2 port 1027 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 8. Going to the next request On Sun, Aug 10, 2008 at 2:20 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
1. Creating production certificate as described in http://deployingradius.com/documents/configuration/certificates.html 2. update hotfix as described in http://support.microsoft.com/kb/885453/en-us 3. Install certificate ca.der into Windows client. Use the new installed certificate in client when using PEAP from client.
For instructions on debugging the client side, see:
http://deployingradius.com/documents/configuration/eap-problems.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramot Lubis wrote:
I guess, Windows XP client has been able to communicate (EAP problem has been fixed) according to the following log. However, the client has not been authenticated because of username and password problem, but its OK since my purpose is to authenticate based on client MAC address rather than username/password.
My question is how can I configure FreeRadius to authenticate client based on MAC address? Is there in possibility to use "unlang", if so how can I use unlang to authenticate client MAC address.
It's impossible. EAP doesn't work like that. Alan DeKok.
Everything works down to the "Configuring Freeradius to use ntlm_auth for MS-CHAP. I am using the doc at http://deployingradius.com/documents/configuration/active_directory.html When I try to connect through modem bank, I get this
rlm_realm: Looking up realm "umpublishing.org" for User-Name = "cyoho@umpublishing.org" rlm_realm: No such realm "umpublishing.org"
When I registered my linux server with AD using the "net join -U administrator" command, it came back successful but said it was using "Short name UMPH" - is there any way to force it to use the umpublishing.org realm? I don't remember the exact message, is it ok to run this command again so I can write down exactly what it said? Should I "UNjoin myself first :-)? I thought at the time that it was fine, since the Windows login screen has UMPH in the pulldown for network logins, but our AD admin said the AD domain and the AD realm are both umpublishing.org, and the UMPH is a holdover from "the old days". Thanks in advance for any help~ Cindy Yoho
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Lech Karol Pawłaszek -
Ramot Lubis -
Stefan Winter -
Yawar Hadi -
Yoho, Cindy