Testing EAP-PEAP with freeradius

Bin Chen binary.chen at gmail.com
Thu Jan 11 06:24:09 CET 2007


Alan DeKok wrote:
> Bin Chen wrote:
>   
>> By checking the radius log, I found this:
>>
>>  rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>  Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 7
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/mschapv2
>>  rlm_eap: processing type mschapv2
>>  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
>> action.
>>     
>
>   Why did you delete the "mschapv2" text from the stock radiusd.conf?
>   

This is my config file; what's wrong?

##
## radiusd.conf    -- FreeRADIUS server configuration file.
##
##    http://www.freeradius.org/
##    $Id: radiusd.conf.in,v 1.161 2003/11/17 18:10:27 kkalev Exp $
##

# Installation layout.  prefix (/usr) and sysconfdir (/usr/local/etc)
# point at different trees; raddbdir therefore resolves to
# /usr/local/etc/raddb, which is also where the absolute certificate
# paths in eap.tls below live.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /usr/local/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Request-handling limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on this single address; port 0 selects the standard RADIUS
# port from /etc/services.
bind_address = 192.168.1.104
port = 0
hostname_lookups = no
# A core file would capture server memory, including the shared secrets
# and the private-key passphrase loaded from this configuration; leave
# this off outside a debugging session.
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log_stripped_names = yes
log_auth = yes
# log_auth_badpass / log_auth_goodpass write the submitted password into
# ${log_file} for failed / successful authentications.  Handy while
# chasing this problem, but it leaves cleartext credentials in the log;
# the stock file ships both as "no" -- restore that once done, and keep
# the log directory readable by the radius user only.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
Checkrad = ${sbindir}/checkrad
security {
    # Packets carrying more than max_attributes attributes are dropped;
    # reject_delay holds Access-Reject for one second, which slows down
    # password guessing against the server.
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
# Proxying is on: proxy.conf holds the realm / home-server table and
# clients.conf the NAS shared secrets.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    # Password-checking modules.  Of these only eap is referenced by the
    # authenticate section below; the rest are configured but idle.
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    eap {
#        default_eap_type = tls
        # Outer method offered to supplicants.  The inner method is
        # chosen by the peap sub-section (the log shows EAP/mschapv2
        # being processed inside the tunnel).
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        md5 {
        }
        leap {
        }
        tls {
            # Server-side TLS material for the PEAP tunnel.  These are
            # the sample certificates that ship under raddb/certs
            # (demoCA, cert-srv.pem, passphrase "whatever") -- fine for a
            # lab, but for deployment issue a server certificate from a
            # CA the supplicants are configured to trust, and keep this
            # passphrase out of world-readable files.
            private_key_password = whatever
            # Key and certificate may live in one file, in which case
            # both entries name the same path (as here).
            private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
            certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
            CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
            dh_file = /usr/local/etc/raddb/certs/dh
            random_file = /usr/local/etc/raddb/certs/random
            # EAP-TLS fragment size; include_length puts the TLS length
            # field on every fragment.
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no           
        }
        # Empty: relies on the module's built-in default for the inner
        # method (the log shows mschapv2 being selected).
        peap {
        }
        # EAP-MSCHAPv2 does not verify the password itself: it hands the
        # MS-CHAP exchange to the mschap module by re-entering the
        # authenticate section with Auth-Type MS-CHAP, so that section
        # needs an "Auth-Type MS-CHAP { mschap }" sub-section.
        mschapv2 {
        }
    }
    # Verifies MS-CHAP / MS-CHAPv2 responses.  Needs the user's cleartext
    # (or NT-hash) password; crypt()-hashed entries in the users file
    # cannot satisfy it.
    mschap {
        authtype = MS-CHAP
    }
    # Placeholder LDAP settings.  The module is not listed in any
    # processing section below, so these are inert; if it is enabled,
    # note that start_tls = no sends binds and queries in the clear.
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    # Realm splitting for "realm/user", "user@realm" and "user%realm".
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    # NAS-specific fix-ups; all hacks left off.
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    # Flat-file user database.
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    # Accounting detail, one directory per NAS address and one file per
    # day, readable by the owner only.
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        # NOTE(review): the key string appears to have been wrapped by the
        # mail client; in the file it must be on one line.
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port-Id"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes       
        perm = 0600
        callerid = "yes"
    }
    # World-readable (0644) copy of the session table, without caller IDs.
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    # Not referenced below.  The program line expands the peer-supplied
    # User-Name onto the command line, so keep modules like this out of
    # the processing sections unless they are actually needed.
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    # Not referenced below.
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
    }
}
instantiate {
    expr
}
# Authorization: eap runs early so EAP requests get Auth-Type EAP (as
# seen in the log); the realm modules split a realm off the user name,
# then files supplies the user's check and reply items.
authorize {
    preprocess
    eap
    realmslash
    suffix
    files
}
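# Authentication.  EAP-MSCHAPv2 (the inner PEAP method selected in the
# log above) does not check the password itself: it re-enters this
# section with Auth-Type MS-CHAP so that the mschap module does the
# work.  Without the sub-section below the server logs
# "Unknown value specified for Auth-Type" and the inner authentication
# fails.  The stock radiusd.conf ships this sub-section.
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}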
# Accounting pre-processing mirrors authorize without the eap step.
preacct {
    preprocess
    suffix
    files
}
# Accounting: de-duplicate, then write the detail file and the session
# table.
accounting {
    acct_unique
    detail
    radutmp
}
# Simultaneous-use checks read the same session table.
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
# The stock file lists eap here so that replies to proxied EAP requests
# pass back through the module.
post-proxy {
    eap
}

>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   



