Im trying to get freeradius v2.1.12 to work with my LDAP server in school with peap. radtest is working, but connecting my android phone via Access Point with SSID eduroam1 to freeradius and to LDAP server - now so much *radtest works : * root@notebook:/home/uniza-sk# radtest skuska skuska localhost 0 testing123 Sending Access-Request of id 228 to 127.0.0.1 port 1812 User-Name = "skuska" User-Password = "skuska" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=228, length=20 *debug : * rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=228, length=76 User-Name = "skuska" User-Password = "skuska" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x2a5dcc7deb1dbac6d6abbb04e9b7f311 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20140408 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20140408 [auth_log] expand: %t -> Tue Apr 8 13:35:45 2014 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "skuska", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for skuska [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> skuska [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=skuska) [ldap] expand: dc=fri,dc=uniza,dc=sk -> dc=fri,dc=uniza,dc=sk [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=fri,dc=uniza,dc=sk, with filter (uid=skuska) [ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3" [ldap] looking for reply items in directory... [ldap] user skuska authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "skuska" [pap] Using SSHA encryption. [pap] Normalizing SSHA1-Password from base64 encoding [pap] User authenticated successfully ++[pap] returns ok Login OK: [skuska] (from client localhost port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20140408 [reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20140408 [reply_log] expand: %t -> Tue Apr 8 13:35:45 2014 ++[reply_log] returns ok ++[exec] returns noop Sending Access-Accept of id 228 to 127.0.0.1 port 58878 *but if i connect from android phone via Access point :* rad_recv: Access-Request packet from host 192.168.1.1 port 3072, id=0, length=138 Cleaning up request 12 ID 0 with timestamp +37 User-Name = "skuska" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00904c910003" Calling-Station-Id = "1cb094111188" NAS-Identifier = "00904c910003" NAS-Port = 8 Framed-MTU = 1400 State = 0xfd4902fefe4d1bbe3a2596e3bf6ac7bb NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xc52506a949478fe4d20b63da335ebdee server eduroam1 { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam1 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.1.1/auth-detail-20140408 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.1/auth-detail-20140408 [auth_log] expand: %t -> Tue Apr 8 13:37:40 2014 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "skuska", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [ldap] performing user authorization for skuska [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> skuska [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=skuska) [ldap] expand: dc=fri,dc=uniza,dc=sk -> dc=fri,dc=uniza,dc=sk [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=fri,dc=uniza,dc=sk, with filter (uid=skuska) [ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3" [ldap] looking for reply items in directory... [ldap] user skuska authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/eduroam1 +- entering group EAP {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server eduroam1 Sending Access-Challenge of id 0 to 192.168.1.1 port 3072 EAP-Message = 0x0105002b190017030100206fb4433047881387cf9d3a1297cdfacfa5fa56da9e3cac8319000142f92d35cf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfd4902fef94c1bbe3a2596e3bf6ac7bb Finished request 13. Going to the next request Waking up in 4.9 seconds. Its just sending Acess-Challenge and then Sending Access-Reject of id 0 to 192.168.1.1 port 3072
Rado Matisko wrote:
Im trying to get freeradius v2.1.12 to work with my LDAP server in school with peap.
Read http://deployingradius.com/ It gives detailed instructions on configuring EAP.
radtest is working, but connecting my android phone via Access Point with SSID eduroam1 to freeradius and to LDAP server - now so much
radtest working doesn't mean anything. EAP is different.
Its just sending Acess-Challenge and then Sending Access-Reject of id 0 to 192.168.1.1 port 3072
If you were running a recent version of the server, you would get pointed to this web page: http://wiki.freeradius.org/guide/Certificate%20Compatibility Alan DeKok.
participants (2)
-
Alan DeKok -
Rado Matisko