Freeradius, EAP-PEAP, LDAP and users file...

Marco Gaiarin gaio at sv.lnf.it
Wed Apr 2 19:09:21 CEST 2008


Hello! Phil Mayers
  On that day it was said...

>> box (using freeradius with 1.1.3 recompiled by me to support EAP-TLS).
> Upgrade to 1.1.7 at least

...as a Debian user, I prefer to stay on 'Debian stable' and use the
official packet, even if repackaged...


>> But users file was 'no match, no party'? What i'm missing?
> What does "no match no party" mean?

In the users file, the last line says:

	# On no match, the user is denied access.

(so no match implies deny, which implies no WLAN-party ;).


> In all probability, you've got something like:

Precisely:

authorize {
        preprocess
        chap
        mschap
        ntdomain
        eap
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

(indeed probably a bit more than needed...)


> ...if so, mschap (or eap, for the outer module) finds the relevant 
> attributes, sets Auth-Type to itself, and processes the request; if the 
> user has a password, they're authenticated. If you want to deny people you 
> need to do that.

Probably I'm missing something... I've tried to type a wrong password
and it works (e.g., radius refuses to auth me); it's not clear to me what
you mean with 'if the user has a password, they're authenticated' and
especially with 'you need to do that': 'that' what? Explicitly neglect access?

More deeply, it's not clear to me if this is a configuration error by me, or
if with this setup things NEED to be done in this way.


> Since you're not subscribed to the mailing list and haven't read the 

The list refuses posts from non-subscribed users, so now I'm subscribed.
I've read tons of docs, especially the FAQ (with no clue at all),
especially the freeradius.org site where some docs say something and
some other docs say the converse (or at least this seems so to me, clearly
I'm ignorant and stupid).


> documents, you have failed to see the advice repeated daily; namely, to run 
> radiusd under debugging with "radiusd -X", examine the output and if you 
> can't figure out what it's saying, post that output here.

For two days I have been running with 'freeradius -X' in my hand. I've solved
at least half a dozen troubles myself using the FAQ and other docs on
the net.


Because this is not a trouble (at least for me, again remember I'm
ignorant and stupid), I think that it was not the case to start sending
tons of attachments.


I've shut off my test system, and I've accumulated too many 'freeradius
-X' logs to remember where the culprit was, so please wait until tomorrow for
the config file and associated log.


good night.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797
