a freeradious/wireless solution for a school

John Wan J.Wan at mbs.edu
Thu Feb 1 06:20:25 CET 2007



Hi Michael,


I have set up "chillispot" + "freeRadius" + "Win2k3AD" for my wireless
network. Everything is working but the AD authentication. Apparently the
reason it is not working is that AD does not like CHAP authentication
and AD likes MS-CHAP. I do not know how or where to configure my Linux
box to use MS-CHAP instead of CHAP.

Have you done this before? If you have, would you please teach me how to
rectify this problem.

Please see the following output from "$ Radius -X" when a wireless
client uses "administrator" to log on via the chillispot web logon page:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
        User-Name = "administrator"
        CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
        CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.5
        Calling-Station-Id = "00-16-6F-79-91-F4"
        Called-Station-Id = "00-05-5D-9E-0F-94"
        NAS-Identifier = "nas01"
        Acct-Session-Id = "45aec9a900000000"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
        WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "administrator", looking up realm
NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by "administrator" with CHAP password
  rlm_chap: Could not find clear text password for user administrator
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
Sending Access-Reject of id 0 to 127.0.0.1:32772
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45aecedc
Nothing to do.
Sleeping until we see a request.


Many thanks in advance.

John Wan
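The line "rlm_chap: Could not find clear text password for user administrator" in the debug output above is the whole problem in one sentence: a CHAP response is MD5(id || cleartext || challenge) (RFC 1994), so the only way a RADIUS server can check it is to recompute that digest from the cleartext password, while Active Directory keeps the NT hash (MD4 of the UTF-16LE password) and verifies MS-CHAP from that hash, never from the cleartext. The Python below is an added example, not code from this post, from FreeRADIUS or from ChilliSpot. It implements both primitives, mimics what a CHAP verifier can do when its backend holds cleartext versus when it holds only NT hashes, and shows the caveat that a captured CHAP challenge/response pair can be guessed offline. The user name, password, 16-byte challenge and backend dictionaries are constructed for the demo (the posted challenge is not reused, since its password is unknown); the DES step of MS-CHAPv2 that turns the NT hash into the NT-Response is not implemented here.

```python
"""Added example: why rlm_chap needs a cleartext password and AD cannot supply one.

Not code from the original post or from FreeRADIUS/ChilliSpot. All inputs
(user, password, challenge, backend contents) are constructed for the demo.
"""
import hashlib

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += (len(data) * 8).to_bytes(8, "little")
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,9,13,...
                j = i - 16
                f, k, s, add = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,6,14,...
                j = i - 32
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j]
                f, s, add = b ^ c ^ d, (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + X[k] + add) & MASK, s), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return b"".join(x.to_bytes(4, "little") for x in h)


def nt_hash(password: str) -> bytes:
    """What Active Directory stores, and what MS-CHAP (and ntlm_auth) verify against."""
    return md4(password.encode("utf-16-le"))


def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute: identifier byte + MD5(id || secret || challenge) (RFC 1994)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + cleartext + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Verification must recompute the digest, so it needs the cleartext secret."""
    if len(chap_password) != 17:
        return False
    return chap_password == chap_response(chap_password[0], cleartext, challenge)


def radius_verify_chap(backend: dict, user: str, chap_password: bytes, challenge: bytes) -> str:
    """Mimic a CHAP verifier in front of two kinds of backend (constructed dicts).

    {"cleartext": ...} is what a users file or SQL table can hold;
    {"nt_hash": ...} is all that AD (or ntlm_auth) can offer.
    """
    cred = backend.get(user)
    if cred is None:
        return "reject: unknown user"
    if "cleartext" in cred:
        ok = chap_verify(chap_password, challenge, cred["cleartext"].encode("utf-8"))
        return "accept" if ok else "reject: bad password"
    # MD5(id || cleartext || challenge) cannot be derived from MD4(UTF-16LE(cleartext)):
    # this is the "Could not find clear text password" failure in the debug output.
    return "reject: no clear text password for user"


def guess_chap_password(chap_password: bytes, challenge: bytes, candidates):
    """Caveat: whoever captured the challenge and response can guess the password offline."""
    for cand in candidates:
        if chap_verify(chap_password, challenge, cand.encode("utf-8")):
            return cand
    return None


def demo() -> dict:
    challenge = bytes(range(16))          # constructed, not the posted challenge
    secret = "Secret123"                  # constructed password
    chap_pw = chap_response(0, secret.encode("utf-8"), challenge)
    cleartext_backend = {"administrator": {"cleartext": secret}}
    ad_like_backend = {"administrator": {"nt_hash": nt_hash(secret)}}
    return {
        "cleartext_store": radius_verify_chap(cleartext_backend, "administrator", chap_pw, challenge),
        "nt_hash_store": radius_verify_chap(ad_like_backend, "administrator", chap_pw, challenge),
        "offline_guess": guess_chap_password(chap_pw, challenge, ["password", "letmein", secret]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` gives "accept" for the cleartext store, the clear-text-password rejection for the NT-hash-only store, and recovers the constructed password from the short word list. The practical reading for this thread is that no option in rlm_chap can make AD answer a CHAP request; the captive-portal side has to send a credential AD can check (PAP against LDAP, or MS-CHAP) before the mschap/ntlm_auth path is even reachable.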
 

> -----Original Message-----
> From: 
> freeradius-users-bounces+j.wan=mbs.edu at lists.freeradius.org 
> [mailto:freeradius-users-bounces+j.wan=mbs.edu at lists.freeradiu
> s.org] On Behalf Of gkalinec
> Sent: Friday, 26 January 2007 2:06 AM
> To: freeradius-users at lists.freeradius.org
> Subject: RE: a freeradious/wireless solution for a school
> 
> 
> The database is not a problem, since we have a huge one in 
> place, one stored in Active Directory (for which I can use 
> the freeradius LDAP module) or MySQL one. The database is 
> really our main strength, since we have tons of information 
> about every student, staff and parent in (its what my main 
> job responsibility entails).  A quick question, however, 
> would this be just as easy to set up on a Macintosh? (since 
> many of my supplicants will be macs..)
> 
> German Kalinec
> 
> 
> King, Michael wrote:
> > 
> > Without being too subtle, you've misunderstood much of the research 
> > you've read.  Don't worry about it, there is quite a bit of 
> > contradictory information out there.
> > 
> > There's quite a bit of background information, so it'll be a little 
> > bit before I mention FreeRADIUS.
> > 
> > First.  It's WPA, not WAP.   (Different fields of technology)
> > 
> > Forget much of what you've read.
> > 
> > First, This is what you have been doing.
> > 
> > It's called MAC filtering.  The AP will only talk to MACs that it has 
> > in its table.
> > In short, this is useless, since if I wanted to get on, I'd 
> just fire 
> > up a packet sniffer.
> > (They're free and easy to get.  http://www.wireshark.org/ 
> for example) 
> > Copy some poor soul's MAC address, and I'm on.  It's an 
> > administrative nightmare.
> > 
> > You should not do this.   A second form of this, is to load 
> all the MAC
> > addresses into a radius server, then the AP will 
> interrogate Radius to 
> > find out if it's on its allow list.  This is as useless as the way 
> > you're doing it now, because I can still easily copy your MAC 
> > address.  
> > You should not do this either.
> > 
> > Second:
> > You mention 802.1x with WEP.  You do not enter WEP keys at all, the 
> > RADIUS server takes care of it.  This is a standard way of doing 
> > wireless.  However I'd highly recommend you DO NOT pursue this, as 
> > it's very insecure, and has been replaced by WPA.  All the 
> benefits of 
> > doing this apply to WPA.  But you can do this if you want, but I'd 
> > suggest not to.
> > 
> > Third
> > Now we're on to WPA.  This is what you should implement.
> > 
> > WPA comes in two forms.  WPA and WPA2
> > 
> > The primary difference is that WPA was designed as an interim protocol, 
> > with backward compatibility in mind.
> > WPA2 was designed to be run on new hardware, and uses AES 
> encryption. 
> > If you are setting a new network up, just use WPA2.
> > 
> > Both WPA and WPA2 come in two forms.  PSK and Enterprise
> > 
> > PSK (or Pre-Shared Key) is what you mentioned.  You load a 
> secret key 
> > onto all your AP's, and then put the same key on all your users 
> > machines. It's designed for HOME Use.  You do NOT want to 
> use this form.
> > 
> > Enterprise is what you WANT to use.  You have all your 
> usernames and 
> > passwords stored in a database.  (Be it SQL, Active Directory, LDAP, 
> > etc) This is where FreeRADIUS comes in.  You configure all 
> your AP's 
> > to use RADIUS, and give it the radius IP.
> > 
> > You configure RADIUS to perform either TTLS and/or PEAP.  (This is 
> > site specific, you need to decide your backend database to 
> determine 
> > which one you can use)
> > 
> > You configure your client to use TTLS or PEAP, and upon 
> connecting to 
> > the network, they will be prompted to enter username and 
> password.  If 
> > they don't have one, they don't get on.  If they do have 
> one, they get 
> > on.
> > 
> > 
> > Now we're at RADIUS.  What type of user database do you have?
> > Active Directory?   Novell?  Not having one is an acceptable answer as
> > well.
> > 
> > Post back, it's a lot of info, but we're here to help.
> > 
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> > 
> 
