help with EAP MD5 wired authentication
Artur Hecker
hecker at wave-storm.com
Thu Nov 24 15:38:53 CET 2005
hi
the following line seems to be principally correct (don't use
explicit Auth-Type):
> a User-Password == "a"
the eap module fails in authentication because it can't find the User-
Password for the user. Make sure that the "files" module is used in
authorize i.e. that the users file is actually used.
the modules pap and mschap are of no interest whatsoever. also, i
don't understand the DEFAULT accept policy - imho it's nonsense.
hope this helps
artur
> 1. modules section
> ...
> pap {
> encryption_scheme = crypt
> }
>
> # CHAP module
> #
> # To authenticate requests containing a CHAP-Password
> attribute.
> #
> chap {
> authtype = CHAP
> }
> ...
> $INCLUDE ${confdir}/eap.conf
>
> mschap {
> ...
> }
>
> files {
> ...
> }
>
> ...
>
>
> The console output of radiusd -X -s is
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.11.12.107:1024, id=76,
> length=214
> Framed-MTU = 1480
> NAS-IP-Address = 10.11.12.107
> NAS-Identifier = "HP ProCurve Switch 2824"
> User-Name = "test"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 24
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "24"
> Called-Station-Id = "00-0f-20-8d-04-c8"
> Calling-Station-Id = "00-c0-9f-0d-4a-1f"
> Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1010"
> EAP-Message = 0x020200090174657374
> Message-Authenticator = 0xb12214c2d6fb14f33c7cc758ccfb54b7
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_eap: EAP packet type response id 2 length 9
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 183
> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 76 to 10.11.12.107:1024
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message = 0x0103001604100118f4899111b27fc08900284095e5e2
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x33fe6026586af730cd367983bb9ea8b6
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77,
> length=249
> Framed-MTU = 1480
> NAS-IP-Address = 10.11.12.107
> NAS-Identifier = "HP ProCurve Switch 2824"
> User-Name = "test"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 24
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "24"
> Called-Station-Id = "00-0f-20-8d-04-c8"
> Calling-Station-Id = "00-c0-9f-0d-4a-1f"
> Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1010"
> State = 0x33fe6026586af730cd367983bb9ea8b6
> EAP-Message =
> 0x0203001a04101c913399463bebf9f6dc2d0af18f0c7974657374
> Message-Authenticator = 0x2592cd875d1068f5b16fe7999f451769
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_eap: EAP packet type response id 3 length 26
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 183
> modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/md5
> rlm_eap: processing type md5
> rlm_eap_md5: User-Password is required for EAP-MD5 authentication
> rlm_eap: Handler failed in EAP/md5
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77,
> length=249
> Sending Access-Reject of id 77 to 10.11.12.107:1024
> EAP-Message = 0x04030004
> Message-Authenticator = 0x00000000000000000000000000000000
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 76 with timestamp 43826690
> Cleaning up request 1 ID 77 with timestamp 43826690
> Nothing to do. Sleeping until we see a request.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
> users.html
> <2#Mime.822>
> <GWAVADAT.TXT>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
> users.html
More information about the Freeradius-Users
mailing list