PAM authentication not working
Hi folks, Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped. Could sombody please tell me what's missing, or what I'm doing wrong? So far I have done the following: 1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used "LongStringNumberOne" for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system. 2.) Added the following lines to the end of /etc/freeradius/clients: client 192.168.2.0/24 { secret = LongStringNumberTwo shortname = mynet } 3.) Added the following line to the end of /etc/freeradius/users: DEFAULT Auth-Type = Pam 4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to: default_eap_type = ttls private_key_password = LongStringNumberOne 5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to: user = root 6.) In both /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam" entry in section "authenticate". 7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified: @include common-auth @include common-account @include common-password @include common-session 8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and is configured as follows: Wireless Mode AP Wireless Network Mode Mixed Wireless Network Name (SSID) mynet Wireless Channel 6 - 2.437 GHz Wireless SSID Broadcast Enable Network Configuration Bridged Security Mode WPA2 Enterprise WPA Algorithms TKIP+AES RADIUS Server Address 192.168.2.12 RADIUS Server Port 1812 RADIUS Shared Secret LongStringNumberTwo Key Renewal Interval (in sec.) 3600 Unfortunately, after starting the server in debugging mode with "freeradius -X", my client's authentication attempts get rejected and I get the following output from the freeradius server: ========================================= rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245 Cleaning up request 6 ID 0 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish! WARNING: !! Please read http://wiki.freeradius.org/ Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 State = 0x2ecb21dd28cc340c8873b5871c637572 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92... Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0 # Executing section authorize from file /etc/freeradius/sites-enabled/ default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jwinius" State = 0xdbd7fca1dbd6f80c791225e3340ea6e4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/ inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user jwinius [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 0 to 192.168.2.2 port 1025 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 ========================================= Any idea what I'm doing wrong? Thanks, Jaap
Try by adding jwinius Cleartext-Password := xxx On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius@umrk.nl> wrote:
Hi folks,
Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped.
Could sombody please tell me what's missing, or what I'm doing wrong? So far I have done the following:
1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used "LongStringNumberOne" for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system.
2.) Added the following lines to the end of /etc/freeradius/clients:
client 192.168.2.0/24 { secret = LongStringNumberTwo shortname = mynet }
3.) Added the following line to the end of /etc/freeradius/users:
DEFAULT Auth-Type = Pam
4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to:
default_eap_type = ttls private_key_password = LongStringNumberOne
5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to:
user = root
6.) In both /etc/freeradius/sites-enabled/**default and /etc/freeradius/sites-enabled/**inner-tunnel, I uncommented the "pam" entry in section "authenticate".
7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified:
@include common-auth @include common-account @include common-password @include common-session
8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and is configured as follows:
Wireless Mode AP Wireless Network Mode Mixed Wireless Network Name (SSID) mynet Wireless Channel 6 - 2.437 GHz Wireless SSID Broadcast Enable Network Configuration Bridged
Security Mode WPA2 Enterprise WPA Algorithms TKIP+AES RADIUS Server Address 192.168.2.12 RADIUS Server Port 1812 RADIUS Shared Secret LongStringNumberTwo Key Renewal Interval (in sec.) 3600
Unfortunately, after starting the server in debugging mode with "freeradius -X", my client's authentication attempts get rejected and I get the following output from the freeradius server:
==============================**===========
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245 Cleaning up request 6 ID 0 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish! WARNING: !! Please read http://wiki.freeradius.org/ Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 State = 0x2ecb21dd28cc340c8873b5871c63**7572 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700701500170301002073bdd7** 051dfb44f3caccd4c92... Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a04**71b0 # Executing section authorize from file /etc/freeradius/sites-enabled/ default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jwinius" State = 0xdbd7fca1dbd6f80c791225e3340e**a6e4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/ inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x0000000000000000000000000000**0000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user jwinius [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 0 to 192.168.2.2 port 1025 EAP-Message = 0x04070004 Message-Authenticator = 0x0000000000000000000000000000**0000
==============================**===========
Any idea what I'm doing wrong?
Thanks,
Jaap - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Sorry about the incomplete previous email, Try by adding jwinius Auth-Type = pam Cleartext-Password := xxx Deepti On Fri, Feb 8, 2013 at 12:31 PM, Deepti kulkarni <deepti.kdeeps@gmail.com>wrote:
Try by adding jwinius Cleartext-Password := xxx
On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius@umrk.nl> wrote:
Hi folks,
Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped.
Could sombody please tell me what's missing, or what I'm doing wrong? So far I have done the following:
1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used "LongStringNumberOne" for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system.
2.) Added the following lines to the end of /etc/freeradius/clients:
client 192.168.2.0/24 { secret = LongStringNumberTwo shortname = mynet }
3.) Added the following line to the end of /etc/freeradius/users:
DEFAULT Auth-Type = Pam
4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to:
default_eap_type = ttls private_key_password = LongStringNumberOne
5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to:
user = root
6.) In both /etc/freeradius/sites-enabled/**default and /etc/freeradius/sites-enabled/**inner-tunnel, I uncommented the "pam" entry in section "authenticate".
7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified:
@include common-auth @include common-account @include common-password @include common-session
8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and is configured as follows:
Wireless Mode AP Wireless Network Mode Mixed Wireless Network Name (SSID) mynet Wireless Channel 6 - 2.437 GHz Wireless SSID Broadcast Enable Network Configuration Bridged
Security Mode WPA2 Enterprise WPA Algorithms TKIP+AES RADIUS Server Address 192.168.2.12 RADIUS Server Port 1812 RADIUS Shared Secret LongStringNumberTwo Key Renewal Interval (in sec.) 3600
Unfortunately, after starting the server in debugging mode with "freeradius -X", my client's authentication attempts get rejected and I get the following output from the freeradius server:
==============================**===========
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245 Cleaning up request 6 ID 0 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish! WARNING: !! Please read http://wiki.freeradius.org/ Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 State = 0x2ecb21dd28cc340c8873b5871c63**7572 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700701500170301002073bdd7** 051dfb44f3caccd4c92... Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a04**71b0 # Executing section authorize from file /etc/freeradius/sites-enabled/ default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jwinius" State = 0xdbd7fca1dbd6f80c791225e3340e**a6e4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/ inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x0000000000000000000000000000**0000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user jwinius [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 0 to 192.168.2.2 port 1025 EAP-Message = 0x04070004 Message-Authenticator = 0x0000000000000000000000000000**0000
==============================**===========
Any idea what I'm doing wrong?
Thanks,
Jaap - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Quoting Deepti kulkarni <deepti.kdeeps@gmail.com>:
Try by adding jwinius Auth-Type = pam Cleartext-Password := xxx
Thanks for your reply, but that makes virtually no difference. The result is the same and freeradius' debug output only changes slightly: ======================================== ... [files] users: Matched entry jwinius at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 Cleartext-Password := "xxx" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user jwinius [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject ... ======================================== I should also mention that I've so far seen no activity in /var/log/auth.log, which I would expect if freeradius was actually making use of PAM, so I think a more basic issue is involved. Thanks anyway, Jaap
Quoting Alan DeKok <aland@deployingradius.com>:
You can't use PAM and EAP-MD5 together. It's impossible.
That sounds like important information! To turn off EAP, I commented out all of the lines related to EAP in /etc/freeradius/sites-enabled/default and in /etc/freeradius/sites-enabled/inner-tunnel. Unfortunately, the result is still the same, but freeradius' debug output has changed significantly: ================================================== ... rad_recv: Access-Request packet from host 192.168.2.2 port 1028, id=0, length=127 User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000c016a77696e697573 Message-Authenticator = 0x0695dc9b4d3f16a1fd94a9be695eb90d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 192.168.2.2 port 1028 ... ================================================== Still no activity ion /var/log/auth.log. Cheers, Jaap
Jaap Winius wrote:
That sounds like important information! To turn off EAP, I commented out all of the lines related to EAP in /etc/freeradius/sites-enabled/default and in /etc/freeradius/sites-enabled/inner-tunnel.
No. You can't turn off EAP. The client is sending EAP to the server. You need to change the client. And likely you can't, because it *needs* to do EAP.
Unfortunately, the result is still the same, but freeradius' debug output has changed significantly:
Read it. If the messages aren't clear, I really don't know what to do. Alan DeKok.
Quoting Alan DeKok <aland@deployingradius.com>:
No. You can't turn off EAP. The client is sending EAP to the server. You need to change the client. And likely you can't, because it *needs* to do EAP.
Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to WPA-EAP and it looks like that's my only option. But, if you're correct, then how is this supposed to work? You make it sound like a catch-22.
... freeradius' debug output has changed significantly:
Read it. If the messages aren't clear, I really don't know what to do.
AFAICT, the most pertinent message is: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. However, it seems freeradius is not actually using the PAM modules, because nothing is showing up in /var/log/auth.log (I have yet to see it do that). Otherwise, I've checked that the Unix password for my account on the freeradius host is correct. Cheers, Jaap
On 02/08/2013 11:42 PM, Jaap Winius wrote:
Quoting Alan DeKok <aland@deployingradius.com>:
No. You can't turn off EAP. The client is sending EAP to the server. You need to change the client. And likely you can't, because it *needs* to do EAP.
Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to WPA-EAP and it looks like that's my only option. But, if you're correct, then how is this supposed to work? You make it sound like a catch-22.
The choice of authentication algorithm (EAP) and any EAP-type are made client side. Different EAP types have different requirements, in terms of what data you need to successfully authenticate a user - see here: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html PAM, as noted at the 2nd link, s an "oracle" that can *only* be used to authenticate PAP, and therefore EAP-TTLS/PAP. Your client is doing EAP-TTLS/EAP-MD5. You have two choices: 1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate 2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above) These are your only options.
Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
Your client is doing EAP-TTLS/EAP-MD5.
You have two choices:
1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate 2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above)
Choice #1 seemed worth a shot, so I altered my client's wpa_supplicant.conf by adding one extra line -- a 'phase2' attribute for PAP: network={ ssid="mynet" scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP eap=TTLS identity="jwinius" password="secret" ca_cert="/etc/certs/ca.pem" phase2="auth=PAP" } This configuration, together with the freeradius configuration already described in my first post in this thread, worked immediately. :-) Thank you very much, Phil Mayers, and thanks also to Alan DeKok. Cheers, Jaap
participants (4)
-
Alan DeKok -
Deepti kulkarni -
Jaap Winius -
Phil Mayers