Freeradius-Devel Digest, Vol 112, Issue 6

Aaron Hurt ahurt at ena.com
Fri Aug 8 19:11:30 CEST 2014


Here are a couple resources that would be worth reading:

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

http://deployingradius.com/documents/configuration/active_directory.html

The second is actually referenced in the first on the FR wiki.

— Aaron

On Aug 8, 2014, at 11:21 AM, Ammu Argh <ammu3634 at gmail.com> wrote:


Hi Stefan,

Thank you for reply.
But by default FR takes MS-CHAPv2. How do I configure it to use GTC/PAP?

However, I will try connecting FR to Samba or Active Directory.

Regards
Ammu


On Fri, Aug 8, 2014 at 3:30 PM, <freeradius-devel-request at lists.freeradius.org> wrote:

Message: 1
Date: Thu, 7 Aug 2014 21:25:46 +0000
From: Stefan Paetow <Stefan.Paetow at ja.net>
To: FreeRadius developers mailing list <freeradius-devel at lists.freeradius.org>
Subject: RE: EAP-FAST phase2 failed
Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF at EXC001>
Content-Type: text/plain; charset="iso-8859-1"

The log says this:

EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE

Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).

Stefan

________________________________
From: freeradius-devel-bounces+stefan.paetow=ja.net at lists.freeradius.org on behalf of Ammu Argh [ammu3634 at gmail.com]
Sent: 07 August 2014 17:16
To: freeradius-devel at lists.freeradius.org
Subject: EAP-FAST phase2 failed

Hi,

I was trying to connect to an AP using EAP-FAST authentication,
but FreeRADIUS EAP-FAST failed with the error below:

  State = 0x97d5bb340dc1cb0c525e6b44738f3553
        Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 202
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group EAP {
[eap2] Request found, released from the list
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=107) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
EAP-FAST: Received 101 bytes encrypted data for Phase 2
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63
EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=4)
==> Fail
[eap2] Freeing handler
EAP: Server state machine removed
++[eap2] = reject
+} # group EAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 117 to 10.10.2.2 port 46531
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.


Other details are as below:

Users file:
wifi  Auth-Type := EAP, Cleartext-Password := "welcome123"

eap.conf:
eap2 {
        fast {
                # Sequential sample value (same as the example config); it encrypts
                # PAC-Opaque, so a real deployment should use a random 16-byte key.
                pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
                eap_fast_a_id = tjsys
                eap_fast_a_id_info = my_server
                eap_fast_prov = 3
                pac_key_lifetime = 604800 # 7 days
                pac_key_refresh_time = 86400
        }

        tls {
                ca_cert = /usr/local/etc/raddb/certs/ca.pem
                server_cert = /usr/local/etc/raddb/certs/server.pem
                private_key_file = /usr/local/etc/raddb/certs/server.key
                private_key_password = whatever
                dh_file = /usr/local/etc/raddb/certs/dh
                random_file = /usr/local/etc/raddb/certs/random
        }
}


sites-enabled/default, added in the authenticate block:
Auth-Type EAP {
        eap2
}



wpa_supplicant.conf
update_config=1
ap_scan=1
fast_reauth=1

network={
        ssid="WiFi-11g"
        key_mgmt=WPA-EAP
        proto=WPA
        pairwise=TKIP
        group=TKIP
        eap=FAST
        anonymous_identity="fast"
        identity="fast"
        password="koro"
        phase1="fast_provisioning=3"
        pac_file="/data/misc/wifi/eap_fast.pac"
}



FreeRADIUS Version 2.2.5,
OpenSSL 1.0.1e 11
Ubuntu 14.04.1

Please help me to get it working.

Regards
Ammu
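Decoding the Phase 2 payload that failed. This is an added example, not code from the thread, from FreeRADIUS or from hostapd. It takes the 63-byte "EAP-Payload TLV" hexdump verbatim from the debug output above and reconstructs the 4-byte TLV header in front of it from the log line "Received Phase 2: TLV type 9 length 63 (mandatory)", because the full 67-byte dump was printed as "[REMOVED]"; that header is an assumption, everything else is the captured bytes. Field layout follows RFC 4851 (EAP-FAST TLVs), RFC 3748 (EAP header) and RFC 2759 as carried in EAP-MSCHAPv2. The decode makes the log's "eap_server Password not configured" concrete: the inner identity is "wifi" and the supplicant sent only a 24-byte NT-Response to the server's challenge, never the password. To check that response the server must compute the expected value from an NT hash it already holds (or hand the challenge/response pair to something that holds it, such as ntlm_auth against AD), which is exactly what the eap2 module says it lacks. EAP-GTC or PAP instead carry the password itself inside the TLS tunnel, so any backend that can check a cleartext password will do. Note that the 16-byte Peer-Challenge is all zeros in this dump; the decoder only reports it.

```python
"""
Decode the EAP-FAST Phase 2 EAP-Payload TLV from the posted debug log.

The 63-byte payload hexdump is copied from the log; the 4-byte TLV header
in front of it is reconstructed (assumption) from the log's summary line
"TLV type 9 length 63 (mandatory)".
"""
import struct

TLV_EAP_PAYLOAD = 9        # EAP-FAST EAP-Payload TLV type (RFC 4851 sec. 4.2)
TLV_MANDATORY = 0x8000     # M bit in the TLV type field
EAP_TYPE_MSCHAPV2 = 26     # EAP method type for EAP-MSCHAPv2

# Copied from the "EAP-FAST: EAP-Payload TLV - hexdump(len=63)" log line.
EAP_PAYLOAD = bytes.fromhex(
    "02 04 00 3f 1a 02 04 00 3a 31"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00"
    "28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa"
    "cc 57 27 17 4e dc 0c 6c"
    "00 77 69 66 69"
)

# Constructed: TLV header (type with M bit set, length) that the log
# described but did not dump.
TLV = struct.pack("!HH", TLV_MANDATORY | TLV_EAP_PAYLOAD, len(EAP_PAYLOAD)) + EAP_PAYLOAD


def parse_tlv(data):
    """Split one EAP-FAST TLV into (mandatory, type, value)."""
    if len(data) < 4:
        raise ValueError("truncated TLV header")
    tlv_type, length = struct.unpack("!HH", data[:4])
    value = data[4:4 + length]
    if len(value) != length:
        raise ValueError("TLV length %d exceeds buffer" % length)
    return bool(tlv_type & TLV_MANDATORY), tlv_type & 0x3FFF, value


def parse_eap_mschapv2_response(eap):
    """Parse an EAP Response (code 2) carrying an MS-CHAPv2 Response (OpCode 2)."""
    if len(eap) < 10:
        raise ValueError("truncated EAP-MSCHAPv2 packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != 2:
        raise ValueError("not an EAP Response (code %d)" % code)
    if length != len(eap):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(eap)))
    if eap[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError("EAP type %d is not EAP-MSCHAPv2" % eap[4])
    opcode, ms_id, ms_len = struct.unpack("!BBH", eap[5:9])
    if opcode != 2:
        raise ValueError("MS-CHAPv2 OpCode %d is not Response" % opcode)
    if ms_len != length - 5:  # MS-Length counts from the OpCode byte onward
        raise ValueError("MS-Length %d != EAP length - 5" % ms_len)
    value_size = eap[9]
    if value_size != 49:  # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags
        raise ValueError("Value-Size must be 49, got %d" % value_size)
    value = eap[10:10 + value_size]
    return {
        "eap_id": ident,
        "mschapv2_id": ms_id,
        "peer_challenge": value[0:16],
        "reserved": value[16:24],
        "nt_response": value[24:48],
        "flags": value[48],
        "name": eap[10 + value_size:].decode("ascii"),
    }


def decode_phase2(tlv):
    """Unwrap the EAP-Payload TLV and parse the inner EAP-MSCHAPv2 Response."""
    mandatory, tlv_type, value = parse_tlv(tlv)
    if tlv_type != TLV_EAP_PAYLOAD:
        raise ValueError("TLV type %d is not EAP-Payload" % tlv_type)
    result = parse_eap_mschapv2_response(value)
    result["tlv_mandatory"] = mandatory
    return result


if __name__ == "__main__":
    for key, val in decode_phase2(TLV).items():
        print("%-15s %s" % (key, val.hex() if isinstance(val, bytes) else val))
```

The NT-Response printed last is a DES-based function of the server's Authenticator-Challenge (sent in the preceding Phase 2 Challenge packet, which the log does not show), this Peer-Challenge, the user name and the NT hash of the password; without that hash there is nothing for the server to compare against.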




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html


