The EAP Saga begins.
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 22 16:45:10 CET 2007
Evan Vittitow wrote:
> Here is the result of my first attempt. I added a Pukey-EAP entry in
> the LDAP tree but it didn't do much good. And I can't tell what's the
> matter with my CA.
>
You have configured your LDAP tree to contain either the plaintext
password or NT/LM hashes, yes? And configured FreeRadius to extract
those from LDAP?
> rad_recv: Access-Request packet from host 192.168.0.250:1110, id=8,
> length=159
> User-Name = "Pukey-EAP"
> Cisco-AVPair = "ssid=Pukey-EAP"
> NAS-IP-Address = 192.168.0.250
> Called-Station-Id = "004096285ceb"
> Calling-Station-Id = "00095b679ccf"
> NAS-Identifier = "AP340-285ceb"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Service-Type = Login-User
> EAP-Message = 0x020d000e0150756b65792d454150
> Message-Authenticator = 0xebe4683da315ee95109c4736a19a37cd
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module "preprocess" returns ok for request 7
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for Pukey-EAP
> radius_xlat: '(uid=Pukey-EAP)'
> radius_xlat: 'dc=pukey'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=pukey, with filter (uid=Pukey-EAP)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
Your LDAP entry was not found. Your LDAP search configuration is not
correct, or the entry you added does not match the filter.
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns notfound for request 7
> modcall[authorize]: module "chap" returns noop for request 7
> modcall[authorize]: module "mschap" returns noop for request 7
> rlm_realm: No '@' in User-Name = "Pukey-EAP", looking up realm NULL
> rlm_realm: Found realm "NULL"
> rlm_realm: Adding Stripped-User-Name = "Pukey-EAP"
> rlm_realm: Proxying request from user Pukey-EAP to realm NULL
> rlm_realm: Adding Realm = "NULL"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 7
> rlm_eap: EAP packet type response id 13 length 14
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 7
> modcall[authorize]: module "files" returns notfound for request 7
> modcall: leaving group authorize (returns updated) for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 7
> modcall: leaving group authenticate (returns handled) for request 7
> Sending Access-Challenge of id 8 to 192.168.0.250 port 1110
> EAP-Message = 0x010e00061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xe5a40fabb5846577f6543672d9313801
> Finished request 7
> Going to the next request
>
If that's where it stops, the problem lies at the client. The radius
server has started an EAP-TLS conversation - did you change the default
EAP type in the "eap.conf" in FreeRadius?
> Here is my /etc/xsupplicant.conf
>
> network_list = all
> default_netname = Pukey-EAP
>
> Pukey-EAP
> {
>     type = wireless
>     allow_types = eap_peap
>     identity = Pukey-EAP
>     eap-peap {
>         random_file = /dev/urandom
>         root_cert = /etc/raddb/certs/root.pem
>         chunk_size = 1398
>         allow_types = eap_mschapv2
>         eap-mschapv2 {
>             username = User
>             password = Password
>         }
>     }
> }
>
> I've created an SSID called Pukey-EAP; it requires EAP.
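An added example, not from this thread or from FreeRADIUS itself, that pulls the rlm_ldap search details and every EAP-Message attribute out of a debug trace like the one quoted above and decodes the EAP header (RFC 3748), so the failed LDAP lookup and the EAP method the server actually offered can be read off directly. The method-number table holds the standard IANA EAP type codes, and the sample lines are constructed from the trace above.

```python
import re

# Standard IANA EAP method type codes (the ones relevant to this thread).
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED = {13, 21, 25}  # methods whose first data byte is a flags byte (S bit = 0x20)

def decode_eap_message(hexstr):
    """Decode the EAP header carried in a RADIUS EAP-Message attribute."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        out["type"] = raw[4]
        out["method"] = EAP_TYPES.get(raw[4], f"unknown({raw[4]})")
        out["data"] = raw[5:]
        if raw[4] in TLS_BASED and length >= 6:  # S flag marks a TLS/TTLS/PEAP Start
            out["tls_start"] = bool(raw[5] & 0x20)
    return out

def check_debug_log(lines):
    """Summarise the LDAP search and the EAP exchange from radiusd -X output."""
    findings = {"ldap_base": None, "ldap_filter": None, "ldap_failed": False, "eap": []}
    for line in lines:
        line = line.lstrip("> ").strip()  # drop e-mail quoting
        m = re.match(r"rlm_ldap: performing search in (.+), with filter (.+)", line)
        if m:
            findings["ldap_base"], findings["ldap_filter"] = m.group(1), m.group(2)
        if line.startswith("rlm_ldap: search failed"):
            findings["ldap_failed"] = True
        m = re.match(r"EAP-Message = (0x[0-9a-fA-F]+)", line)
        if m:
            findings["eap"].append(decode_eap_message(m.group(1)))
    return findings

# Constructed sample: the relevant lines of the trace quoted in this thread.
SAMPLE_LOG = """\
> EAP-Message = 0x020d000e0150756b65792d454150
> rlm_ldap: performing search in dc=pukey, with filter (uid=Pukey-EAP)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> EAP-Message = 0x010e00061920
""".splitlines()

if __name__ == "__main__":
    for key, value in check_debug_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```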