PEAP, Freeradius and Cisco AP 350
J Zakhar
jzakhar at gmail.com
Wed Aug 31 22:46:28 CEST 2005
Having some trouble setting up PEAP with a windows XP workstation, a Cisco
350 AP (upgraded to IOS version 12.2), I am using the default XP Client to
set things up. Many moons ago I had LEAP working great, the hard drive on
this linux machine failed and it was time to reinstall. Not sure why i'm
having such trouble with this.
Mousing over the icon in my task bar Status: Validating Identity is all it
ever says while trying to associate. I do however get prompted for my user
name and password. Any advice/help would be much appreciated.
./radiusd -A -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius/etc/raddb/clients.conf
Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius/etc/raddb/eap.conf
Config: including file: /usr/local/freeradius/etc/raddb/sql.conf
main: prefix = "/usr/local/freeradius"
main: localstatedir = "/usr/local/freeradius/var"
main: logdir = "/usr/local/freeradius/var/log/radius"
main: libdir = "/usr/local/freeradius/lib"
main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/freeradius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = yes
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert- srv.pem
"
tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/freeradius/etc/raddb/users"
files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host
172.28.42.253:21646<http://172.28.42.253:21646/>,
id=35, length=132
User-Name = "jzakhar"
Framed-MTU = 1400
Called-Station-Id = "0040.9647.f2d6"
Calling-Station-Id = "000e.9b2e.179a"
Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7
EAP-Message = 0x0202000c016a7a616b686172
NAS-Port-Type = Wireless-802.11
NAS-Port = 312
Service-Type = Framed-User
NAS-IP-Address = 172.28.42.253 <http://172.28.42.253/>
NAS-Identifier = "apcisco"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched jzakhar at 53
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 35 to 172.28.42.253:21646
<http://172.28.42.253:21646/>
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf730c83b331f347cf002f96adbba538e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host
172.28.42.253:21646<http://172.28.42.253:21646/>,
id=35, length=132
Sending duplicate reply to client EAP:21646 - ID: 35
Re-sending Access-Challenge of id 35 to
172.28.42.253:21646<http://172.28.42.253:21646/>
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4315dbd4
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host
172.28.42.253:21646<http://172.28.42.253:21646/>,
id=36, length=132
User-Name = "jzakhar"
Framed-MTU = 1400
Called-Station-Id = "0040.9647.f2d6"
Calling-Station-Id = "000e.9b2e.179a"
Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6
EAP-Message = 0x0202000c016a7a616b686172
NAS-Port-Type = Wireless-802.11
NAS-Port = 313
Service-Type = Framed-User
NAS-IP-Address = 172.28.42.253 <http://172.28.42.253/>
NAS-Identifier = "apcisco"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched jzakhar at 53
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 36 to
172.28.42.253:21646<http://172.28.42.253:21646/>
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x479ac19253ee20dc4d21810846227fc5
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050831/1c5b2a28/attachment.html>
More information about the Freeradius-Users
mailing list