Hi I'm having troubles setting up EAP-PEAP with freeradius (2.1.0) + hostapd (0.6.9) + wpa_supplicant (0.6.6) What I've done is mostly to follow http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html Which basically is to update eap.conf to use peap and add my login details to the users file: "testuser" User-Password == "Secret149" The problem is that I always get the following output from freeradius -X upon connecting: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 45567, id=1, length=168 User-Name = "0016dbd4b7d5" User-Password = "0016dbd4b7d5" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-21-91-F3-D2-21:My-radius" Calling-Station-Id = "00-16-EA-E5-C8-E6" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" ... No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. I've tried to search for the problem and I think it has to do with inner and outer identity since the User-Name is set to my MAC address. One solution suggested was to use virtual servers and have different users files for the outer and inner identity. But I haven't found an examples explaining how to do this. Per
Hi I'm having troubles setting up EAP-PEAP with freeradius (2.1.0) + hostapd (0.6.9) + wpa_supplicant (0.6.6) What I've done is mostly to follow http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html Which basically is to update eap.conf to use peap and add my login details to the users file:
"testuser" User-Password == "Secret149"
That howto is years out of date. In 2.x peap works by default - you don't need to make any changes to configuration files. Just put this (password attribute and operator should be changed) in users file: testuser Cleartext-Password := "Secret149" If you have troubles still, post the whole debug (not just pointless snip). Ivan Kalik Kalik Informatika ISP
Hi I'm having troubles setting up EAP-PEAP with freeradius (2.1.0) + hostapd (0.6.9) + wpa_supplicant (0.6.6) What I've done is mostly to follow http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html Which basically is to update eap.conf to use peap and add my login details to the users file:
"testuser" User-Password == "Secret149"
That howto is years out of date. In 2.x peap works by default - you don't need to make any changes to configuration files. Just put this (password attribute and operator should be changed) in users file:
testuser Cleartext-Password := "Secret149"
If you have troubles still, post the whole debug (not just pointless snip).
Ivan Kalik Kalik Informatika ISP
Thanks for your quick response. I purged all my old configuration and did a reinstall. This time only updated the users file by adding the line above but with the same result. FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Apr 22 2009 at 17:12:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "gfj3FDf4dcq" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Accounting-Request packet from host 127.0.0.1 port 32885, id=0, length=87 Acct-Status-Type = Accounting-On Acct-Authentic = RADIUS NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-21-91-F3-D2-21:MY-radius" Acct-Terminate-Cause = NAS-Reboot +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent [acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent [acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address = 127.0.0.1,NAS-IP-Address = 192.168.1.1,,' [acct_unique] Acct-Unique-Session-ID = "fa3b5d1fcce877f0". ++[acct_unique] returns ok [suffix] Proxy reply, or no User-Name. Ignoring. ++[suffix] returns ok ++[files] returns noop +- entering group accounting {...} expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20090423 [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20090423 expand: %t -> Thu Apr 23 21:46:18 2009 ++[detail] returns ok ++[unix] returns noop expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp rlm_radutmp: NAS 192.168.1.1 restarted (Accounting-On packet seen) rlm_radutmp: Error accessing file /var/log/freeradius/radutmp: No such file or directory ++[radutmp] returns ok expand: %{User-Name} -> ++[attr_filter.accounting_response] returns noop Sending Accounting-Response of id 0 to 127.0.0.1 port 32885 Finished request 0. Cleaning up request 0 ID 0 with timestamp +3 Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 43395, id=1, length=168 User-Name = "0016dbd4b7d5" User-Password = "0016dbd4b7d5" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-21-91-F3-D2-21:MY-radius" Calling-Station-Id = "00-16-EA-E5-C8-E6" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0xd33a8bb379cbb4798259751e0532df73 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0016dbd4b7d5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 0016dbd4b7d5 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 1 to 127.0.0.1 port 43395 Waking up in 4.9 seconds. Cleaning up request 1 ID 1 with timestamp +9 Ready to process requests.
Thanks for your quick response. I purged all my old configuration and did a reinstall. This time only updated the users file by adding the line above but with the same result.
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 43395, id=1, length=168 User-Name = "0016dbd4b7d5" User-Password = "0016dbd4b7d5" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-21-91-F3-D2-21:MY-radius" Calling-Station-Id = "00-16-EA-E5-C8-E6" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0xd33a8bb379cbb4798259751e0532df73
That's not a PEAP request. It's mac authentication (PAP) request. Set your NAS to use the proper authentication. Ivan Kalik Kalik Informatika ISP
Hi, Per, if you read the debug log you will clearly see the problem. (cutting everything until the auth occurring.
rad_recv: Access-Request packet from host 127.0.0.1 port 43395, id=1, length=168 User-Name = "0016dbd4b7d5" User-Password = "0016dbd4b7d5" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-21-91-F3-D2-21:MY-radius" Calling-Station-Id = "00-16-EA-E5-C8-E6" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0xd33a8bb379cbb4798259751e0532df73 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0016dbd4b7d5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop
there. look. its not EAP. the server tells you this...and you can clearly see this isnt EAP. this is just plain PAP - even worse, its nothing to do with your username - this is a very dumb MAC address PAP. you'd find that if you put "0016dbd4b7d5" Cleartext-Password := "0016dbd4b7d5" into your users file this would probably work straight away..but do you want PAP - if you want EAP, configure your NAS to do EAP (from the other log entries, looks like this NAS doesnt send proper accounting data either) alan
there. look. its not EAP. the server tells you this...and you can clearly see this isnt EAP. this is just plain PAP - even worse, its nothing to do with your username - this is a very dumb MAC address PAP.
you'd find that if you put
"0016dbd4b7d5" Cleartext-Password := "0016dbd4b7d5"
into your users file this would probably work straight away..but do you want PAP - if you want EAP, configure your NAS to do EAP (from the other log entries, looks like this NAS doesnt send proper accounting data either)
alan
Thanks for the clarification As I've said on my first mail I'm using hostapd with freeradius on the same box. So maybe I should ask on the hostap mailing-list instead? Basically I've configured hostapd to use freeradius as the authentication and accounting server, so I can't understand what I would have to change to configure it to use peap instead. Is the propper way to use hostap for authentication and use freeradius for accounting? Per
So maybe I should ask on the hostap mailing-list instead?
No.
Basically I've configured hostapd to use freeradius as the authentication and accounting server, so I can't understand what I would have to change to configure it to use peap instead.
You need to set that on your AP. AP is set to do mac authentication, not EAP (probably called WPA-Enerprise). Fix AP configuration. Ivan Kalik Kalik Informatika ISP
Per Hermansson wrote:
I'm having troubles setting up EAP-PEAP with freeradius (2.1.0) + hostapd (0.6.9) + wpa_supplicant (0.6.6) What I've done is mostly to follow http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
I should update the "man" page to say IGNORE ALL THIRD PARTY HOWTOs Nearly all of them haven't been updated in *years*. i.e. Since long before 2.0 was released. They are not just wrong, they are actively harmful. ALan DeKok.
Hi,
Nearly all of them haven't been updated in *years*. i.e. Since long before 2.0 was released. They are not just wrong, they are actively harmful.
yeh. most of them are from 2006/2007 era and are 'heres how I configured FreeRADIUS 1.x in some wierd way to do this' - which, whilst may have been appropriate then, the server has been massively upgraded and improved to basically work out of the source ball with minimal extra work - eg EAP stuff, certificates, database, inner authentication and handling multiple servers. alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
Per Hermansson -
tnt@kalik.net