Radius Server with WPA not working for me

sankalpk sankalpk at tulip.net
Thu Feb 19 21:38:07 CET 2009


Hi All,

I am new to Radius Servers and have a Project to get Radius Server 
configured in the organization for authenticating users through an 
Access Point which is based on Mikrotik. I have setup freeradius 
(version 1.0.1) server and have defined a user in the "users" file. When 
I test the configuration using the "radtest" command, it works fine and 
says "Access-Accept". However, when I try to authenticate the user 
through the access point, I am prompted for Username and Password at the 
client, but Debug mode on radius server shows "request rejected". It 
says "no User-Password attribute". (However, the debug mode is 
showing the correct Username as entered from the client.)

I checked a lot of forums, but none of the solutions worked for me. I have 
stored user password in clear-text in the users file. Also, I am not 
using any certificate (TLS) in the setup.

The configurations are as follows:


_*Radius Server:*_
##################################################################################
_*radiusd.conf:*_
##################################################################################
modules {

 pap {
                encryption_scheme = clear
        }
        pap md5{
                encryption_scheme = md5
        }

}

 chap {
                authtype = CHAP
        }

$INCLUDE ${confdir}/eap.conf

mschap {
 authtype = MS-CHAP
}

authenticate
{
eap
}

authorize
{
    preprocess
    eap
    files
}

##################################################################################


##################################################################################
_*eap.conf*_
##################################################################################

eap {
default_eap_type = mschapv2
mschapv2 {
                Auth-Type = PAP
                }
}

##################################################################################
_*users*_
##################################################################################

"radtest1"       Cleartext-Password == "password"

#(also tried User-Password instead of Cleartext-password, but no luck !!)
##################################################################################
_*clients.conf*_
##################################################################################

client 192.168.xxx.xxx {
        secret          =    test
        shortname       = private-network
        nastype     =  other
}


##################################################################################
##################################################################################
_*Access Point Configuration:*_
##################################################################################

Network Authentication: WPA with Radius
Data Encryption: TKIP


I have given the Radius Server IP, Port and shared key (which is the same as 
mentioned in clients.conf).


##################################################################################
_*Client Machine Configuration:*_
##################################################################################


The client machine runs Windows Vista, and has the following 
configuration for the Wireless Network:
Security Type: WPA-Enterprise
Encryption: TKIP

Authentication Method: PEAP (Secured Password MSCHAPv2)

##################################################################################

_*Debug mode of Radius Server says this:*_


        User-Name = "radtest1"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Called-Station-Id = "00-21-DE-00-17-B2:Wireless1"
        Calling-Station-Id = "00-19-D2-AD-4A-BF"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0201000d017261647465737431
        Message-Authenticator = 0x2376aab3c18a8a9cbe0320fc1add824a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched radtest1 at 100
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 0 to 192.168.104.168:3111
        EAP-Message = 0x010200221a0102001d10f60a0398e4f61c9beba89b3dbcefde677261647465737431
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc02709d0e2c702124f02a4d451d0a59d
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.104.168:3111, id=0, length=159
Sending duplicate reply to client private-network:3111 - ID: 0
Re-sending Access-Challenge of id 0 to 192.168.104.168:3111
--- Walking the entire request list ---

I would appreciate it if someone could suggest a resolution for the 
problem. Also, if someone can get me a working copy of freeradius server 
with Mikrotik (or otherwise Linksys) Access Point, it would be of great 
help.


Thanks and Regards,
SaN
sankalpk at tulip.net






More information about the Freeradius-Users mailing list