EAP-TTLS problem at phase 1
Hi all, I have been trying to figure this out for couple days, but could not get any clue. My test is about authentication with EAP-TTLS/MSCHAPV2. I am using freeradius v - 1.1.3, on Solaris 10. No matter what I do, I get "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request" at the server. Anybody can help me what went wrong ? Here is my configs..and logs (truncated) Awaits some solution... Rafi Here is my eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { rsa_key_exchange = yes dh_key_exchange = no rsa_key_length = 1024 dh_key_length = 1024 verify_depth = 2 pem_file_type = yes private_key_password = "wimax i2 test certs" private_key_file = /etc/freeradius/etc/certs/key2.pem certificate_file = /etc/freeradius/etc/certs/cert2.pem CA_file = /etc/freeradius/etc/certs/cacert.pem dh_file = /etc/freeradius/etc/certs/dh random_file = /etc/freeradius/etc/certs/random fragment_size = 1024 include_length = yes check_cert_cn = %{User-Name} } ttls { default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no } peap { default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes } mschapv2 { } } Here is my users file : "testuser" Auth-Type := EAP, User-Password := "testuser" DEFAULT Auth-Type := EAP Here is my supplicant config : # cat supplicant.conf ctrl_interface=/var/tmp/supplicant.ctl eap_trace=1 enableWiMAXauth=1 validateFNECerts=1 checkCRL=1 ignoreTimeOfDay=0 update_config=0 data_interface=/var/tmp/supplicant_data.ctl ap_scan=0 fast_reauth=1 load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so network={ eap=TTLS eap_workaround=1 anonymous_identity="anonymous_identity" ca_path="/var/tmp/truststore" ca_cert="/var/tmp/root.crt" client_cert="/var/tmp/cpe.crt" private_key="/var/tmp/key" private_key_passwd="wimax i2 test certs" phase2="auth=MSCHAPV2" } Here is the radius log (only shown the failed part) rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M
Hi, as mentioned in various places in the documentation and countless times on this list: On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan@gmail.com> wrote:
Here is my users file :
"testuser" Auth-Type := EAP, User-Password := "testuser"
DEFAULT Auth-Type := EAP
Dont't set Auth-Type
Here is the radius log (only shown the failed part)
rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M
Thats pretty much non-informative. In case, the above fix does not yet yield the desired results, provide the full debug output. regards K. Hoercher
Dear Hoercher, Thank you for your email. I noticed that too, however it didn't seem working and it stopped with error even before that with the following users entry : "testuser" User-Password := "testuser" the error was about no matching "anonymous_identity", and thats why I had to have a DEFAULT entry after this with Auth-Type :=EAP. Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is "testuser/testuser". Below is my full debug out put. Please advise further ... Rafi # ./radiusd -X -A -f -s^M Starting - reading configuration files ...^M reread_config: reading radiusd.conf^M Config: including file: /usr/local/etc/raddb/proxy.conf^M Config: including file: /usr/local/etc/raddb/clients.conf^M Config: including file: /usr/local/etc/raddb/snmp.conf^M Config: including file: /usr/local/etc/raddb/eap.conf^M Config: including file: /usr/local/etc/raddb/sql.conf^M main: prefix = "/usr/local"^M main: localstatedir = "/usr/local/var"^M main: logdir = "/usr/local/var/log/radius"^M main: libdir = "/usr/local/lib"^M main: radacctdir = "/usr/local/var/log/radius/radacct"^M main: hostname_lookups = no^M main: max_request_time = 30^M main: cleanup_delay = 4^M main: max_requests = 1024^M main: delete_blocked_requests = 0^M main: port = 0^M main: allow_core_dumps = no^M main: log_stripped_names = yes^M main: log_file = "/usr/local/var/log/radius/radius.log"^M main: log_auth = yes^M main: log_auth_badpass = yes^M main: log_auth_goodpass = yes^M main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"^M main: user = "(null)"^M main: group = "(null)"^M main: usercollide = no^M main: lower_user = "no"^M main: lower_pass = "no"^M main: nospace_user = "no"^M main: nospace_pass = "no"^M main: checkrad = "/usr/local/sbin/checkrad"^M main: proxy_requests = yes^M proxy: retry_delay = 5^M proxy: retry_count = 3^M proxy: synchronous = no^M proxy: default_fallback = yes^M proxy: dead_time = 120^M proxy: post_proxy_authorize = no^M proxy: wake_all_if_all_dead = no^M security: max_attributes = 20^M security: reject_delay = 2^M security: status_server = no^M main: debug_level = 0^M read_config_files: reading dictionary^M read_config_files: reading naslist^M Using deprecated naslist file. Support for this will go away soon.^M read_config_files: reading clients^M read_config_files: reading realms^M radiusd: entering modules setup^M Module: Library search path is /usr/local/lib^M Module: Loaded expr ^M Module: Instantiated expr (expr) ^M Module: Loaded PAP ^M pap: encryption_scheme = "crypt"^M Module: Instantiated pap (pap) ^M Module: Loaded DIGEST ^M Module: Instantiated digest (digest) ^M Module: Loaded eap ^M eap: default_eap_type = "ttls"^M eap: timer_expire = 60^M eap: ignore_unknown_eap_types = no^M eap: cisco_accounting_username_bug = no^M rlm_eap: Loaded and initialized type md5^M rlm_eap: Loaded and initialized type leap^M gtc: challenge = "Password: "^M gtc: auth_type = "PAP"^M rlm_eap: Loaded and initialized type gtc^M tls: rsa_key_exchange = yes^M tls: dh_key_exchange = no^M tls: rsa_key_length = 1024^M tls: dh_key_length = 1024^M tls: verify_depth = 2^M tls: CA_path = "(null)"^M tls: pem_file_type = yes^M tls: private_key_file = "/etc/freeradius/etc/certs/key2.pem"^M tls: certificate_file = "/etc/freeradius/etc/certs/cert2.pem"^M tls: CA_file = "/etc/freeradius/etc/certs/cacert.pem"^M tls: private_key_password = "wimax i2 test certs"^M tls: dh_file = "/etc/freeradius/etc/certs/dh"^M tls: random_file = "/etc/freeradius/etc/certs/random"^M tls: fragment_size = 1024^M tls: include_length = yes^M tls: check_crl = no^M tls: check_cert_cn = "%{User-Name}"^M tls: cipher_list = "(null)"^M tls: check_cert_issuer = "(null)"^M rlm_eap_tls: Loading the certificate file as a chain^M rlm_eap: Loaded and initialized type tls^M ttls: default_eap_type = "mschapv2"^M ttls: copy_request_to_tunnel = no^M ttls: use_tunneled_reply = no^M rlm_eap: Loaded and initialized type ttls^M peap: default_eap_type = "mschapv2"^M peap: copy_request_to_tunnel = no^M peap: use_tunneled_reply = no^M peap: proxy_tunneled_request_as_eap = yes^M rlm_eap: Loaded and initialized type peap^M mschapv2: with_ntdomain_hack = no^M rlm_eap: Loaded and initialized type mschapv2^M Module: Instantiated eap (eap) ^M Module: Loaded MS-CHAP ^M mschap: use_mppe = yes^M mschap: require_encryption = no^M mschap: require_strong = yes^M mschap: with_ntdomain_hack = no^M mschap: passwd = "(null)"^M mschap: ntlm_auth = "(null)"^M Module: Instantiated mschap (mschap) ^M Module: Loaded preprocess ^M preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"^M preprocess: hints = "/usr/local/etc/raddb/hints"^M preprocess: with_ascend_hack = no^M preprocess: ascend_channels_per_line = 23^M preprocess: with_ntdomain_hack = no^M preprocess: with_specialix_jetstream_hack = no^M preprocess: with_cisco_vsa_hack = no^M preprocess: with_alvarion_vsa_hack = no^M Module: Instantiated preprocess (preprocess) ^M Module: Loaded detail ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (auth_log) ^M Module: Loaded CHAP ^M Module: Instantiated chap (chap) ^M Module: Loaded realm ^M realm: format = "suffix"^M realm: delimiter = "@"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmsuffix) ^M realm: format = "prefix"^M realm: delimiter = "/"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmslash) ^M realm: format = "prefix"^M realm: delimiter = "\"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmbackslash) ^M realm: format = "suffix"^M realm: delimiter = "%"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmpercent) ^M Module: Loaded fastusers ^M fastusers: usersfile = "/usr/local/etc/raddb/users"^M fastusers: acctusersfile = "/usr/local/etc/raddb/acct_users"^M fastusers: hashsize = 1000^M fastusers: stats = no^M fastusers: compat = "no"^M fastusers: hash_reload = 5^M fastusers: Reading /usr/local/etc/raddb/acct_users^M fastusers: Reading /usr/local/etc/raddb/users^M rlm_fastusers: Loaded 1 users and 1 defaults^M Module: Instantiated fastusers (fastusers) ^M Module: Loaded Acct-Unique-Session-Id ^M acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"^M Module: Instantiated acct_unique (acct_unique) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"^M detail: detailperm = 384^M detail: locking = no^M Module: Instantiated detail (auth_log) ^M Module: Loaded CHAP ^M Module: Instantiated chap (chap) ^M Module: Loaded realm ^M realm: format = "suffix"^M realm: delimiter = "@"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmsuffix) ^M realm: format = "prefix"^M realm: delimiter = "/"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmslash) ^M realm: format = "prefix"^M realm: delimiter = "\"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmbackslash) ^M realm: format = "suffix"^M realm: delimiter = "%"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmpercent) ^M Module: Loaded fastusers ^M fastusers: usersfile = "/usr/local/etc/raddb/users"^M fastusers: acctusersfile = "/usr/local/etc/raddb/acct_users"^M fastusers: hashsize = 1000^M fastusers: stats = no^M fastusers: compat = "no"^M fastusers: hash_reload = 5^M fastusers: Reading /usr/local/etc/raddb/acct_users^M fastusers: Reading /usr/local/etc/raddb/users^M rlm_fastusers: Loaded 1 users and 1 defaults^M Module: Instantiated fastusers (fastusers) ^M Module: Loaded Acct-Unique-Session-Id ^M acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"^M Module: Instantiated acct_unique (acct_unique) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (detail) ^M Module: Loaded radutmp ^M radutmp: filename = "/usr/local/var/log/radius/radutmp"^M radutmp: username = "%{User-Name}"^M radutmp: case_sensitive = yes^M radutmp: check_with_nas = yes^M radutmp: perm = 384^M radutmp: callerid = yes^M Module: Instantiated radutmp (radutmp) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M radutmp: callerid = yes^M Module: Instantiated radutmp (radutmp) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (reply_log) ^M Listening on authentication *:1812^M Listening on accounting *:1813^M Ready to process requests.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=2, length=133^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0202001701616e6f6e796d6f75735f6964656e74697479^M Message-Authenticator = 0x1612b328a300f3a07fb104ea3b1b2b79^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 0^M modcall[authorize]: module "preprocess" returns ok for request 0^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 0^M modcall[authorize]: module "chap" returns noop for request 0^M rlm_eap: EAP packet type response id 2 length 23^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 0^M modcall[authorize]: module "mschap" returns noop for request 0^M modcall[authorize]: module "digest" returns noop for request 0^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 0^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 0^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 0^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 0^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 0^M modcall: leaving group authorize (returns updated) for request 0^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 0^M rlm_eap: EAP Identity^M rlm_eap: processing type tls^M rlm_eap_tls: Initiate^M rlm_eap_tls: Start returned 1^M modcall[authenticate]: module "eap" returns handled for request 0^M modcall: leaving group authenticate (returns handled) for request 0^M Sending Access-Challenge of id 2 to 192.168.1.102 port 19801^M EAP-Message = 0x010300061520^M Message-Authenticator = 0x00000000000000000000000000000000^M State = 0xb6f4137eeccba240eb5fb35d9a7720fd^M Finished request 0^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 5 seconds...^M --- Walking the entire request list ---^M Cleaning up request 0 ID 2 with timestamp 45394f82^M Nothing to do. Sleeping until we see a request.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=3, length=218^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0203006c150016030100610100005d03013d7b3c4fb8bbad3b5d5e3aab9cc3d3689c21b9c006cc4b1e77b3642e90d7 3ae200003600390038003500160013000a00330032002f000700660005000400630062006100150012000900650064006000140011000800060003 0100^M Message-Authenticator = 0x34960047891b107d3d82dda0a176d255^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 1^M modcall[authorize]: module "preprocess" returns ok for request 1^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 1^M modcall[authorize]: module "chap" returns noop for request 1^M rlm_eap: EAP packet type response id 3 length 108^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "mschap" returns noop for request 1^M modcall[authorize]: module "digest" returns noop for request 1^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 1^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 1^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 1^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 1^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 0^M modcall: leaving group authorize (returns updated) for request 0^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 0^M rlm_eap: EAP Identity^M rlm_eap: processing type tls^M rlm_eap_tls: Initiate^M rlm_eap_tls: Start returned 1^M modcall[authenticate]: module "eap" returns handled for request 0^M modcall: leaving group authenticate (returns handled) for request 0^M Sending Access-Challenge of id 2 to 192.168.1.102 port 19801^M EAP-Message = 0x010300061520^M Message-Authenticator = 0x00000000000000000000000000000000^M State = 0xb6f4137eeccba240eb5fb35d9a7720fd^M Finished request 0^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 5 seconds...^M --- Walking the entire request list ---^M Cleaning up request 0 ID 2 with timestamp 45394f82^M Nothing to do. Sleeping until we see a request.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=3, length=218^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0203006c150016030100610100005d03013d7b3c4fb8bbad3b5d5e3aab9cc3d3689c21b9c006cc4b1e77b3642e90d7 3ae200003600390038003500160013000a00330032002f000700660005000400630062006100150012000900650064006000140011000800060003 0100^M Message-Authenticator = 0x34960047891b107d3d82dda0a176d255^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 1^M modcall[authorize]: module "preprocess" returns ok for request 1^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 1^M modcall[authorize]: module "chap" returns noop for request 1^M rlm_eap: EAP packet type response id 3 length 108^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "mschap" returns noop for request 1^M modcall[authorize]: module "digest" returns noop for request 1^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 1^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 1^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 1^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 1^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M auth: Failed to validate the user.^M Login incorrect: [anonymous_identity/<no User-Password attribute>] (from client 192.168.1.102 port 19801 cli DU?I\272( )^M Delaying request 1 for 2 seconds^M Finished request 1^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 2 seconds...^M --- Walking the entire request list ---^M Waking up in 2 seconds...^M --- Walking the entire request list ---^M Sending Access-Reject of id 3 to 192.168.1.102 port 19801^M Waking up in 1 seconds...^M --- Walking the entire request list ---^M Cleaning up request 1 ID 3 with timestamp 45394f9b^M Nothing to do. Sleeping until we see a request.^M exit^M On 10/21/06, K. Hoercher <wbhoer@gmail.com> wrote:
Hi,
as mentioned in various places in the documentation and countless times on this list:
On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan@gmail.com> wrote:
Here is my users file :
"testuser" Auth-Type := EAP, User-Password := "testuser"
DEFAULT Auth-Type := EAP
Dont't set Auth-Type
Here is the radius log (only shown the failed part)
rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M
Thats pretty much non-informative. In case, the above fix does not yet yield the desired results, provide the full debug output.
regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Rafiqul Ahsan 630-717-1698(h) 2120 Periwinkle Ln 630-689-1457(h) Naperville, IL 60540 847-812-6176(c)
Hi, ok, i played around a bit and found EAP-TTLS working with no particular problems. On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan@gmail.com> wrote:
"testuser" User-Password := "testuser" looks ok, but I'm not absolutely sure about the quotation marks for the username, they are not needed in any case.
the error was about no matching "anonymous_identity", and thats why I had to have a DEFAULT entry after this with Auth-Type :=EAP.
As you didn't show that error one cannot check for it's real cause. Everything else correctly configured you don't need that setting (and it might be actually wrong depending on circumstances).
Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is "testuser/testuser".
I did take note. So, take an unaltered users file and just add your line as mentioned above. Something I found in your previous post led to an failure here. Use phase2="autheap=MSCHAPV2" instead of phase2="auth=MSCHAPV2"
modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M
That does look strange (and might indicate your real problem), if it still persists with the suggested changes it might be useful to dig further into that. Perhaps you could add another -x to the freeradius invocation to get timestamps on the logfile. regards K. Hoercher
Hello Hoercher, Please see below answers/questions (in red): ok, i played around a bit and found EAP-TTLS working with no particular problems. On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan@gmail.com> wrote:
"testuser" User-Password := "testuser" looks ok, but I'm not absolutely sure about the quotation marks for the username, they are not needed in any case.
testuser User-Password :="testuser" I will try with only above entry in users file
the error was about no matching "anonymous_identity", and thats why I had to have a DEFAULT entry after this with Auth-Type :=EAP.
As you didn't show that error one cannot check for it's real cause. Everything else correctly configured you don't need that setting (and it might be actually wrong depending on circumstances).
OK, I found some positings about username_identity_check disabling for user "anonymous"...here it is Quote I guess since somebody implemented this check, there must be some broken NASes out there... and the attached patch fixes this situation. If user sets "username_identity_check = no" in eap section it will disable this check. The default for this setting is "yes". Unquote So, now I have added this patch to files eap.c, rlm_eap.h, and rlm_eap.c, compiled. I will test it this on monday.I am expecting this patch will lead to pass this anonymous user check phase in radius server.I will post you the result on that. Please let me know if you are aware of this.
Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is "testuser/testuser".
I did take note. So, take an unaltered users file and just add your line as mentioned above. Something I found in your previous post led to an failure here. Use phase2="autheap=MSCHAPV2" instead of phase2="auth=MSCHAPV2"
Not sure where we configure this phase2="autheap=MSCHAPV2" ? Are we at phase 2 yet ? I thought we have not passed the phase 1..can you pls clarify ?
modcall: entering group authenticate for request 1^M
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M
That does look strange (and might indicate your real problem), if it still persists with the suggested changes it might be useful to dig further into that. Perhaps you could add another -x to the freeradius invocation to get timestamps on the logfile.
I will test with the above patch - and see if we can pass the anonymous identity check problem. If persists - I will recompile with original files mentioned above, and test again to give you the full debug logs. Thanks Rafi regards
K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
K. Hoercher -
Rafiqul Ahsan