TTLS : where to indicate User/Password ?
Hello, I'm trying to configure FreeRadius using TTLS but got confused about the User/Password definiton and/or location as it seems that (please see log hereafter) user is found but not the password. Currently I indicate it in table radcheck in MySQL. radius.log returns me: ... Debug: modcall[authorize]: module "sql" returns ok for request 0 Debug: modcall: leaving group authorize (returns updated) for request 0 Debug: rad_check_password: Found Auth-Type Local Debug: auth: type Local Debug: auth: No User-Password or CHAP-Password attribute in the request Debug: auth: Failed to validate the user. Auth: Login incorrect: [acer9100/<no User-Password attribute>] (from client Olitec402SG port 1 cli 00-12-F0-21-1A-B6 ... file 'radiusd.conf' contains: ... authorize { auth_log chap suffix eap files sql } authenticate { Auth-Type CHAP { chap } unix eap } ... in file 'users' acer9100 Auth-Type := EAP Thanks for any help. Bye, Bruno -- Register Linux User 353844 http://counter.li.org/ --
Bruno Costacurta wrote:
Hello, I'm trying to configure FreeRadius using TTLS but got confused about the User/Password definiton and/or location as it seems that (please see log hereafter) user is found but not the password. Currently I indicate it in table radcheck in MySQL.
Are you sure? The debug output doesn't seem to say that. Or, you've edited rather a lot of it.
Debug: rad_check_password: Found Auth-Type Local Debug: auth: type Local Debug: auth: No User-Password or CHAP-Password attribute in the request
So... you forced Auth-Type to Local. Why?
in file 'users' acer9100 Auth-Type := EAP
Why? The comments in eap.conf make it clear that this is wrong. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Monday 04 December 2006 06:09, Alan DeKok wrote:
Bruno Costacurta wrote:
Hello, I'm trying to configure FreeRadius using TTLS but got confused about the User/Password definiton and/or location as it seems that (please see log hereafter) user is found but not the password. Currently I indicate it in table radcheck in MySQL.
Are you sure? The debug output doesn't seem to say that. Or, you've edited rather a lot of it.
Debug: rad_check_password: Found Auth-Type Local Debug: auth: type Local Debug: auth: No User-Password or CHAP-Password attribute in the request
So... you forced Auth-Type to Local. Why?
I did not force any Auth-Type to Local (as far as I know...if so where to check this ?) However, accepted the fact User-Password or CHAP-Password are valid with TTLS so Auth-Type=Local is acceptable (correct me If I'm wrong) where can I indicate these values so the request contain them ?
in file 'users' acer9100 Auth-Type := EAP
Why? The comments in eap.conf make it clear that this is wrong.
I tried few options for file 'users' without any change. Same if there is no entry at all. So what are valid types here ? Remark: indeed this EAP option is confusing in file 'users': implemented but not to be used ? Thanks for your attention. -Bruno
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Monday 04 December 2006 10:17, Bruno Costacurta wrote:
On Monday 04 December 2006 06:09, Alan DeKok wrote:
Bruno Costacurta wrote:
Hello, I'm trying to configure FreeRadius using TTLS but got confused about the User/Password definiton and/or location as it seems that (please see log hereafter) user is found but not the password. Currently I indicate it in table radcheck in MySQL.
Are you sure? The debug output doesn't seem to say that. Or, you've edited rather a lot of it.
Debug: rad_check_password: Found Auth-Type Local Debug: auth: type Local Debug: auth: No User-Password or CHAP-Password attribute in the request
So... you forced Auth-Type to Local. Why?
I did not force any Auth-Type to Local (as far as I know...if so where to check this ?)
However, accepted the fact User-Password or CHAP-Password are valid with TTLS so Auth-Type=Local is acceptable (correct me If I'm wrong) where can I indicate these values so the request contain them ?
in file 'users' acer9100 Auth-Type := EAP
Why? The comments in eap.conf make it clear that this is wrong.
I tried few options for file 'users' without any change. Same if there is no entry at all. So what are valid types here ?
Remark: indeed this EAP option is confusing in file 'users': implemented but not to be used ?
Thanks for your attention. -Bruno
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I noticed my previous explanations/questions are maybe cumbersome. Some clarifications hereafter : I'm trying to configure FreeRadius using TTLS (certificate on server side only) and MySQL. Client is a Linux laptop using wpa_supplicant. I'm in a learning curve regarding 802.1x and FreeRadius and especially TTLS. Note : however the config was working before Auth-Type and/or MySQL tables (apparently) were touched (but at least this can valid certain part of the config like the certificate). Questions: - TTLS available authentications are: CHAP,PAP,MS-CHAP,EAP (correct ?) - 'Auth-Type=local' means CHAP,PAP and MS-CHAP (correct ?) - for the learning curve : --- which is the easiest authentications to start with ? --- MySQL will be removed at the first stage to ease debugging / setup of the config (good idea ?) Thanks for attention and remarks, Bruno
Bruno Costacurta wrote:
I'm trying to configure FreeRadius using TTLS (certificate on server side only) and MySQL. Client is a Linux laptop using wpa_supplicant. I'm in a learning curve regarding 802.1x and FreeRadius and especially TTLS.
That should work without too much effort.
Questions: - TTLS available authentications are: CHAP,PAP,MS-CHAP,EAP (correct ?)
Yes.
- 'Auth-Type=local' means CHAP,PAP and MS-CHAP (correct ?)
No, just CHAP and PAP. You shouldn't be using it at all.
- for the learning curve : --- which is the easiest authentications to start with ?
PAP.
--- MySQL will be removed at the first stage to ease debugging / setup of the config (good idea ?)
Yes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Monday 04 December 2006 22:21, Alan DeKok wrote:
Bruno Costacurta wrote:
I'm trying to configure FreeRadius using TTLS (certificate on server side only) and MySQL. Client is a Linux laptop using wpa_supplicant. I'm in a learning curve regarding 802.1x and FreeRadius and especially TTLS.
That should work without too much effort.
Questions: - TTLS available authentications are: CHAP,PAP,MS-CHAP,EAP (correct ?)
Yes.
- 'Auth-Type=local' means CHAP,PAP and MS-CHAP (correct ?)
No, just CHAP and PAP. You shouldn't be using it at all.
- for the learning curve : --- which is the easiest authentications to start with ?
PAP.
--- MySQL will be removed at the first stage to ease debugging / setup of the config (good idea ?)
Yes.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Alan, thanks for your answers. Indeed starting from a fresh FreeRadius install, following instructions http://deployingradius.com/documents/configuration/ I'm now able to authenticate via TTLS. Thanks again for attention. Bye, Bruno
participants (2)
-
Alan DeKok -
Bruno Costacurta