I posted a while ago about our school trying to setup essentially an open wpa system (anyone can connect with WPA with little or no changes to windows settings). The actual user auth is done later via a hotspot server of some sort. Anyhow, I currently have freeradius set to Auth-Type:=Accept so it should accept any connection. This works fine using radtest, but breaks when trying to do a peap connection. Attached is the log output from a peap attempt. Any suggestions on how to fix the error? Thanks. Mark II mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded DIGEST Module: Instantiated digest (digest) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.109.195:1061, id=0, length=252 Message-Authenticator = 0x41eb703e9f3512dd95d5baa8c95398af Service-Type = Framed-User User-Name = "MONTGOMERY-MARK\\markmontgomery" Framed-MTU = 1488 Called-Station-Id = "00-11-95-BF-EF-1C:DBCWIFI" Calling-Station-Id = "00-14-A5-7C-1A-46" NAS-Identifier = "D-Link Access Point with POE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000023014d4f4e54474f4d4552592d4d41524b5c6d61726b6d6f6e74676f6d657279 NAS-IP-Address = 192.168.109.195 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched DEFAULT at 81 radius_xlat: '' modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "digest" returns noop for request 0 rlm_realm: No '@' in User-Name = "MONTGOMERY-MARK\markmontgomery", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Looking up realm "MONTGOMERY-MARK" for User-Name = "MONTGOMERY-MARK\markmontgomery" rlm_realm: No such realm "MONTGOMERY-MARK" modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 35 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type ACCEPT rad_check_password: Auth-Type = Accept, accepting the user Login OK: [MONTGOMERY-MARK\\markmontgomery] (from client internal-network port 1 cli 00-14-A5-7C-1A-46) Sending Access-Accept of id 0 to 192.168.109.195:1061 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 192.168.109.195:1061, id=0, length=20 Authentication reply packet code 2 sent to a non-proxy reply port from client internal-network:1061 - ID 0 : IGNORED --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 446b74d8 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.109.195:1062, id=0, length=252 Message-Authenticator = 0xcc2effc2183aeadc6a7562d425a30878 Service-Type = Framed-User User-Name = "MONTGOMERY-MARK\\markmontgomery" Framed-MTU = 1488 Called-Station-Id = "00-11-95-BF-EF-1C:DBCWIFI" Calling-Station-Id = "00-14-A5-7C-1A-46" NAS-Identifier = "D-Link Access Point with POE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000023014d4f4e54474f4d4552592d4d41524b5c6d61726b6d6f6e74676f6d657279 NAS-IP-Address = 192.168.109.195 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 hints: Matched DEFAULT at 81 radius_xlat: '' modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall[authorize]: module "digest" returns noop for request 1 rlm_realm: No '@' in User-Name = "MONTGOMERY-MARK\markmontgomery", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Looking up realm "MONTGOMERY-MARK" for User-Name = "MONTGOMERY-MARK\markmontgomery" rlm_realm: No such realm "MONTGOMERY-MARK" modcall[authorize]: module "ntdomain" returns noop for request 1 rlm_eap: EAP packet type response id 0 length 35 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type ACCEPT rad_check_password: Auth-Type = Accept, accepting the user Login OK: [MONTGOMERY-MARK\\markmontgomery] (from client internal-network port 1 cli 00-14-A5-7C-1A-46) Sending Access-Accept of id 0 to 192.168.109.195:1062 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 192.168.109.195:1062, id=0, length=20 Authentication reply packet code 2 sent to a non-proxy reply port from client internal-network:1062 - ID 0 : IGNORED --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 0 with timestamp 446b74e2 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.109.195:1063, id=0, length=252 Message-Authenticator = 0x7b4d94434e62a332c52855fc18400629 Service-Type = Framed-User User-Name = "MONTGOMERY-MARK\\markmontgomery" Framed-MTU = 1488 Called-Station-Id = "00-11-95-BF-EF-1C:DBCWIFI" Calling-Station-Id = "00-14-A5-7C-1A-46" NAS-Identifier = "D-Link Access Point with POE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000023014d4f4e54474f4d4552592d4d41524b5c6d61726b6d6f6e74676f6d657279 NAS-IP-Address = 192.168.109.195 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 hints: Matched DEFAULT at 81 radius_xlat: '' modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 modcall[authorize]: module "digest" returns noop for request 2 rlm_realm: No '@' in User-Name = "MONTGOMERY-MARK\markmontgomery", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: Looking up realm "MONTGOMERY-MARK" for User-Name = "MONTGOMERY-MARK\markmontgomery" rlm_realm: No such realm "MONTGOMERY-MARK" modcall[authorize]: module "ntdomain" returns noop for request 2 rlm_eap: EAP packet type response id 0 length 35 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type ACCEPT rad_check_password: Auth-Type = Accept, accepting the user Login OK: [MONTGOMERY-MARK\\markmontgomery] (from client internal-network port 1 cli 00-14-A5-7C-1A-46) Sending Access-Accept of id 0 to 192.168.109.195:1063 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 192.168.109.195:1063, id=0, length=20 Authentication reply packet code 2 sent to a non-proxy reply port from client internal-network:1063 - ID 0 : IGNORED --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 0 with timestamp 446b74eb Nothing to do. Sleeping until we see a request.
"Mark D. Montgomery II" <techiem2@techiem2.net> wrote:
Anyhow, I currently have freeradius set to Auth-Type:=Accept so it should accept any connection. This works fine using radtest, but breaks when trying to do a peap connection. Attached is the log output from a peap attempt. Any suggestions on how to fix the error?
Turn off WPA. PEAP requires knowing the password. "Open" WPA systems don't know the passwords, so it's impossible to use PEAP. Alan DeKok.
participants (2)
-
Alan DeKok -
Mark D. Montgomery II