WPA/RADIUS Problems
Loukas Kalenderidis
loukas at hb.com.au
Tue Sep 5 01:51:03 CEST 2006
Hi,

On 04/09/2006, at 11:36 AM, Alan DeKok wrote:
> Loukas Kalenderidis <loukas at hb.com.au> wrote:
>> I've been trying to use an existing user that works with dialup
>> access, but kept having authorization rejected, so I decided to try
>> configuring that test user with Auth-Type:= Accept to simplify the
>> problem. Bad idea? I was under the impression I don't need
>> certificates unless I'm using TLS, is this incorrect?
>
> As I said in my previous message, you need to configure users,
> passwords, and certificates for it to work.
>
> You can believe me, or you can continue doing what you're doing now,
> which doesn't work.

I asked you questions relating to your statement in your previous
message and you didn't really answer them. Can you elaborate on
"configure users, passwords and certificates for it to work" please?
Do you mean the users file needs specific configuration to work with
WPA-EAP? And as I said before, I was under the impression I don't
need certificates unless I'm using TLS, am I wrong? I'm happy to
follow your advice, if you give me some that isn't just "configure
stuff dude".

This is what the debug log says when I connect now:

rad_recv: Access-Request packet from host 10.0.0.100:1026, id=0,
length=193
Message-Authenticator = 0x5206d718f6573c1eb840261956ec4ed5
Service-Type = Framed-User
User-Name = "pants"
Framed-MTU = 1488
Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
Calling-Station-Id = "00-0D-93-86-48-8E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000a0170616e7473
NAS-IP-Address = 10.0.0.100
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User pants not found in radcheck
radius_xlat: 'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat: 'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
users: Matched entry pants at line 47
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 0 to 10.0.0.100:1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=0,
length=38
Authentication reply packet code 2 sent to a non-proxy reply port
from client testap:1026 - ID 0 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.0.100:1026, id=1,
length=193
Message-Authenticator = 0x593aef9381f04eb85805621b1ee22f6d
Service-Type = Framed-User
User-Name = "pants"
Framed-MTU = 1488
Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
Calling-Station-Id = "00-0D-93-86-48-8E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201000a0170616e7473
NAS-IP-Address = 10.0.0.100
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat: 'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User pants not found in radcheck
radius_xlat: 'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat: 'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns notfound for request 1
users: Matched entry pants at line 47
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 1 to 10.0.0.100:1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 44fcba57
Waking up in 4 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=1,
length=38
Authentication reply packet code 2 sent to a non-proxy reply port
from client testap:1026 - ID 1 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 44fcba5b
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.100:1026, id=2,
length=193
Message-Authenticator = 0xf0a27f90359498a1ec16af5eb7268366
Service-Type = Framed-User
User-Name = "pants"
Framed-MTU = 1488
Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
Calling-Station-Id = "00-0D-93-86-48-8E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0202000a0170616e7473
NAS-IP-Address = 10.0.0.100
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
radius_xlat: 'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User pants not found in radcheck
radius_xlat: 'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat: 'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound for request 2
users: Matched entry pants at line 47
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 2 to 10.0.0.100:1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=2,
length=38
Authentication reply packet code 2 sent to a non-proxy reply port
from client testap:1026 - ID 2 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 2 with timestamp 44fcba61
Nothing to do. Sleeping until we see a request.

Thanks,
Loukas
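
Added example (not part of the original message and not FreeRADIUS code): Python that decodes the EAP-Message values seen in the debug output above and flags every Access-Request carrying EAP that was answered by an Access-Accept with no EAP-Message attribute, which is the pattern the log shows once Auth-Type Accept is matched. The function names are hypothetical and the sample is trimmed from the log above.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
HEAD = re.compile(r"^(?:rad_recv: Access-Request packet from host \S+, id=|Sending Access-Accept of id )(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.+)$")

# Constructed sample: lines trimmed from the debug output in the message above.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.0.0.100:1026, id=0,
length=193
User-Name = "pants"
EAP-Message = 0x0200000a0170616e7473
Sending Access-Accept of id 0 to 10.0.0.100:1026
Framed-IP-Address = 255.255.255.254
Finished request 0
"""

def decode_eap(hexstr):
    """Decode the EAP header (code, id, length) and, for Request/Response, type and data."""
    raw = bytes.fromhex(hexstr.strip()[2:])  # drop the leading "0x"
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length field does not fit the attribute")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def accepts_without_eap(log):
    """Return (radius_id, decoded_request_eap) for each EAP request accepted with no EAP-Message."""
    requests, findings, cur = {}, [], None
    # Rejoin the wrapped "id=N,\nlength=M" header, then add a sentinel line to flush the last block.
    for line in log.replace(",\nlength=", ", length=").splitlines() + [""]:
        head, attr = HEAD.match(line), ATTR.match(line)
        if attr and cur is not None:
            cur["attrs"][attr.group(1)] = attr.group(2)
            continue
        if cur and cur["accept"] and cur["id"] in requests:  # an Accept block just ended
            req = requests.pop(cur["id"])
            if "EAP-Message" in req and "EAP-Message" not in cur["attrs"]:
                findings.append((cur["id"], decode_eap(req["EAP-Message"])))
        elif cur and not cur["accept"]:                      # a Request block just ended
            requests[cur["id"]] = cur["attrs"]
        cur = {"accept": line.startswith("Sending"), "id": int(head.group(1)), "attrs": {}} if head else None
    return findings
```

In the log above, each such Accept is followed by the access point sending the same Identity response again with the next EAP id (`0x0201…`, then `0x0202…`).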