Basic usage: What do I do next to get this to work?

tnt at kalik.co.yu
Tue Oct 30 20:10:15 CET 2007


You haven't configured PEAP in eap.conf. You need to configure the tls and
peap sections. You will also need a server certificate and to export the
root certificate to XP clients (if you are signing them yourself). Read the
instructions in eap.conf, /scripts, the wiki (about EAP) and the howto for AD
integration before doing anything.

Ivan Kalik
Kalik Informatika ISP
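The debug output quoted below records the negotiation as raw EAP-Message attributes. As an added illustration (not code from the original post or from FreeRADIUS), the following Python decodes those hex values using the RFC 3748 packet layout (code, id, length, type) and reports which method the client's Nak asked for that the server was not offering. The sample input is copied from the trace; the assumption that the server only offered MD5-Challenge comes from the "rlm_eap: processing type md5" line.

```python
"""Decode the EAP-Message attributes from a FreeRADIUS debug trace.

Added example (not FreeRADIUS code): it parses the EAP packets relayed by
the NAS and reports the EAP type the client requested in its Nak that the
server had not been configured to offer.
"""

# RFC 3748 EAP codes and IANA-assigned method type numbers.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    6: "GTC", 13: "TLS", 17: "LEAP", 18: "SIM", 21: "TTLS", 25: "PEAP",
    26: "MSCHAPv2", 43: "FAST",
}

# Constructed sample input: the EAP-Message values copied from the trace,
# in the order they appear.
TRACE = [
    "0x0200000b01746261727468",                         # client -> server
    "0x0101001604104e273ea966f4fb77466b296f9c607385",  # server -> client
    "0x020100060319",                                   # client -> server
    "0x04010004",                                       # server -> client
]


def decode_eap_message(hex_value):
    """Parse one EAP packet given as a hex string (0x prefix optional)."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        # A length field that disagrees with the attribute size is malformed.
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return msg  # Success and Failure carry no type byte
    eap_type, payload = data[4], data[5:]
    msg["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        # Identity response: the payload is the peer's EAP identity string.
        msg["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # Nak: the payload lists the method types the peer is willing to use instead.
        msg["desired_types"] = [EAP_TYPES.get(t, f"unknown({t})") for t in payload]
    elif eap_type == 4 and payload:
        # MD5-Challenge: one value-size byte followed by the challenge bytes.
        value_size = payload[0]
        msg["challenge"] = payload[1:1 + value_size].hex()
    return msg


def missing_eap_types(trace, configured_types):
    """Return the EAP types a client Nak asked for that the server does not offer."""
    missing = []
    for hex_value in trace:
        msg = decode_eap_message(hex_value)
        if msg.get("type") == "Nak":
            for wanted in msg["desired_types"]:
                if wanted not in configured_types and wanted not in missing:
                    missing.append(wanted)
    return missing


if __name__ == "__main__":
    for hex_value in TRACE:
        print(decode_eap_message(hex_value))
    # Assumption from the trace: the server only offered MD5-Challenge.
    print("client wants, server lacks:", missing_eap_types(TRACE, {"MD5-Challenge"}))
```

Run against the trace, the decoder shows the sequence behind the "No such EAP type peap" line: an Identity response, a server MD5-Challenge request (the type the server opened with), a client Nak naming type 25 (PEAP), and the Failure that follows because no peap section was configured. Note that the identity in the EAP payload is carried separately from the RADIUS User-Name attribute the NAS sends.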


On 30/10/2007, "Doc. Caliban" <doc.caliban at gmail.com> writes:

>Hello,
>
>I hate to ask this, but I'm running out of time on this project and I'm
>completely new to RADIUS.  I would be really happy if someone could just
>point me to a detailed HOW TO for what I need.
>
>I have freeRADIUS set up with an external MySQL user database and it's
>successfully authorizing requests from NTRadPing.
>
>Now I need to actually try it out "In the field".  I need people running
>XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
>database that I have set up.
>
>So far I'm not having any luck, and I don't mind saying that I'm a
>little over my head at this point.  Someone familiar with this will
>probably see glaring problems.
>
>I will provide all the details I can think of, but please let me know if
>you need more.
>
>Server:
>FreeRADIUS 1.1.7 with MySQL module.
>
>Database:
>Remote MySQL
>
>Access Point:
>D-Link DWL-7100AP (Ciscos coming in January)
>WPA-EAP
>TKIP
>
>Client Laptop:
>WPA Enterprise
>TKIP
>PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
>MS-CHAP-V2 (Other options: GTC, TLS)
>
>I set up an AP to use RADIUS, and the requests get through to the RADIUS
>server, but they always fail.  Posted below is the debug output from the
>failed attempt.
>
>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
>> length=193
>>         Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
>>         Service-Type = Framed-User
>>         User-Name = "testuser"
>>         Framed-MTU = 1488
>>         Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>>         Calling-Station-Id = "00-1B-77-28-B3-CF"
>>         NAS-Identifier = "D-Link Access Point"
>>         NAS-Port-Type = Wireless-802.11
>>         Connect-Info = "CONNECT 54Mbps 802.11a"
>>         EAP-Message = 0x0200000b01746261727468
>>         NAS-IP-Address = 192.168.0.1
>>         NAS-Port = 1
>>         NAS-Port-Id = "STA port # 1"
>> rad_lowerpair:  User-Name now 'testuser'
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>   modcall[authorize]: module "chap" returns noop for request 0
>>   modcall[authorize]: module "mschap" returns noop for request 0
>>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 0
>>   rlm_eap: EAP packet type response id 0 length 11
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>   modcall[authorize]: module "eap" returns updated for request 0
>> radius_xlat:  'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck           WHERE Username = 'testuser'           ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 4
>> radius_xlat:  'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radreply           WHERE Username = 'testuser'           ORDER BY id'
>> radius_xlat:  'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 4
>>   modcall[authorize]: module "sql" returns ok for request 0
>> rlm_pap: Found existing Auth-Type, not changing it.
>>   modcall[authorize]: module "pap" returns noop for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>>   rlm_eap: EAP Identity
>>   rlm_eap: processing type md5
>> rlm_eap_md5: Issuing Challenge
>>   modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: leaving group authenticate (returns handled) for request 0
>> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
>>         Framed-Protocol := PPP
>>         Service-Type := Framed-User
>>         Framed-MTU := 1500
>>         Framed-Compression := Van-Jacobson-TCP-IP
>>         EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
>>         Message-Authenticator = 0x00000000000000000000000000000000
>>         State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>>         Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
>>         Service-Type = Framed-User
>>         User-Name = "testuser"
>>         Framed-MTU = 1488
>>         State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>>         Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>>         Calling-Station-Id = "00-1B-77-28-B3-CF"
>>         NAS-Identifier = "D-Link Access Point"
>>         NAS-Port-Type = Wireless-802.11
>>         Connect-Info = "CONNECT 54Mbps 802.11a"
>>         EAP-Message = 0x020100060319
>>         NAS-IP-Address = 192.168.0.1
>>         NAS-Port = 1
>>         NAS-Port-Id = "STA port # 1"
>> rad_lowerpair:  User-Name now 'testuser'
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 1
>>   modcall[authorize]: module "preprocess" returns ok for request 1
>>   modcall[authorize]: module "chap" returns noop for request 1
>>   modcall[authorize]: module "mschap" returns noop for request 1
>>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 1
>>   rlm_eap: EAP packet type response id 1 length 6
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>   modcall[authorize]: module "eap" returns updated for request 1
>> radius_xlat:  'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck           WHERE Username = 'testuser'           ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 3
>> radius_xlat:  'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
>> FROM radreply           WHERE Username = 'testuser'           ORDER BY id'
>> radius_xlat:  'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 3
>>   modcall[authorize]: module "sql" returns ok for request 1
>> rlm_pap: Found existing Auth-Type, not changing it.
>>   modcall[authorize]: module "pap" returns noop for request 1
>> modcall: leaving group authorize (returns updated) for request 1
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 1
>>   rlm_eap: Request found, released from the list
>>   rlm_eap: EAP NAK
>>  rlm_eap: EAP-NAK asked for EAP-Type/peap
>>  rlm_eap: No such EAP type peap
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 1
>> modcall: leaving group authenticate (returns invalid) for request 1
>> auth: Failed to validate the user.
>> Delaying request 1 for 1 seconds
>> Finished request 1
>> Going to the next request
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>> Sending Access-Reject of id 1 to 192.168.0.1 port 1030
>>         EAP-Message = 0x04010004
>>         Message-Authenticator = 0x00000000000000000000000000000000
>