Freeradius + PEAP.. stuck on validating identity..

Matt Harlum matt at cactuar.net
Thu Apr 1 14:01:37 CEST 2010


On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

> 2010/4/1 Matt Harlum <matt at cactuar.net>:
>> 
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>> 
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>> 
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know. I am using the Daloradius web interface for adding data to
>> the database, so I just loaded the default daloradius SQL which was intended
>> (according to the readme of daloradius) for 2.X Freeradius... and added accounts
>> in the web interface...
>> 
>> Here's an example from my radcheck table in the SQL Database:
>>  id | UserName    | Attribute     | op | Value       |
>> +----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> This is how yours should be set up, otherwise you will get the "validating"
>> issue in Windows.
>> 
>> I was wrong, it should be:
>> 
>> Here's an example from my radcheck table in the SQL Database:
>>  id | UserName    | Attribute          | op | Value       |
>> +----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> 
>> My configuration was wrong, it'd seem; I hadn't noticed as I'm primarily
>> using EAP-TLS with EAP-TTLS as a fallback. I didn't test it when I upgraded to
>> 2.x.
>> Regards,
>> Matt Harlum
>> 
>> 
>> To me it seems that name/password was accepted, so I have no clue where
>> the problem is..
>> 
>>  The password was NOT accepted.  It was *ignored*.
>> 
>> And what is that Access-Accept at the end of the log?... also radtest gives
>> me Access-Accept only on a correct login and password, so I think that it's not
>> that SQL...
>> 
>> 
>> As Alan said, it was simply ignored because of the misconfiguration
>> Regards,
>> Matt Harlum
>> 
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
> 
> Thank you for the answer.. You are right, with that SQL there is some mess in
> daloradius, but I tried to disable SQL and use the /etc/freeradius/users
> file instead, and now I am stuck on "Attempting to authenticate".. The log
> says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
> length=137
> Cleaning up request 39 ID 0 with timestamp +589
>        User-Name = "pokus"
>        NAS-IP-Address = 192.168.3.1
>        Called-Station-Id = "00259c523046"
>        Calling-Station-Id = "001e650eb532"
>        NAS-Identifier = "00259c523046"
>        NAS-Port = 9
>        Framed-MTU = 1400
>        State = 0x53b1704550ba694fbe3359243d2a2638
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020b00061900
>        Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
>    rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>  rlm_eap: EAP packet type response id 11 length 6
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake fragment handler
>  eaptls_verify returned 1
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>        EAP-Message = 0x010c00061900
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

It's hard for me to tell what's going wrong here; radiusd -X should give more diagnostic information that would help.

Also, what was the exact section of your users file like? With obfuscated login credentials, of course.

> That Access-Challenge should authenticate my client if I am not wrong,
> but it still shows me "validating identity" and then "attempting to
> authenticate"...
> 
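The radcheck correction discussed above (the known-good password stored as Cleartext-Password assigned with ':=', not as User-Password compared with '==') is easy to miss when rows are created through a web front end such as daloradius. The following is an added example, not code from this thread, from FreeRADIUS or from daloradius: a small Python audit that takes rows shaped like the radcheck table (id, username, attribute, op, value), flags every password row that is not in the Cleartext-Password := form, and emits an UPDATE statement plus the equivalent /etc/freeradius/users entry for each. The sample rows and account names are constructed for the example.

```python
# Added example for this thread (not FreeRADIUS or daloradius code):
# audit a FreeRADIUS 2.x radcheck table for password rows that are not in
# the "Cleartext-Password :=" form the thread settles on.

# Constructed sample rows, shaped like the radcheck table quoted in the
# thread: (id, username, attribute, op, value). Row 1 is the form Matt
# first posted, row 2 the corrected form, rows 3 and 4 are hypothetical.
RADCHECK_ROWS = [
    (1, "exampleuser", "User-Password", "==", "password123"),
    (2, "pokus", "Cleartext-Password", ":=", "secret"),
    (3, "legacy", "User-Password", ":=", "old-pass"),
    (4, "pokus", "Simultaneous-Use", ":=", "1"),
]

# Recommended form: the known-good password is a Cleartext-Password item
# assigned with ':='.
WANT_ATTR = "Cleartext-Password"
WANT_OP = ":="

# Attributes this audit treats as "the stored password".
PASSWORD_ATTRS = {"User-Password", "Cleartext-Password"}


def classify(row):
    """Return 'ok' for a row that is fine, otherwise a short reason string."""
    _, _, attribute, op, _ = row
    if attribute not in PASSWORD_ATTRS:
        return "ok"  # not a password row (e.g. Simultaneous-Use); out of scope
    if attribute == "User-Password":
        # 'User-Password == x' is a check against the User-Password attribute
        # of the incoming request. The outer PEAP request carries EAP-Message,
        # not User-Password, so (as Alan DeKok noted in the thread) the stored
        # password is ignored rather than accepted.
        return "stored as User-Password; use Cleartext-Password :="
    if op != WANT_OP:
        return f"Cleartext-Password must be assigned with '{WANT_OP}', got '{op}'"
    return "ok"


def audit(rows):
    """Map id -> reason for every row that is not in the recommended form."""
    problems = {}
    for row in rows:
        reason = classify(row)
        if reason != "ok":
            problems[row[0]] = reason
    return problems


def fix_sql(row):
    """UPDATE statement that rewrites a flagged row to Cleartext-Password :=."""
    return (f"UPDATE radcheck SET attribute = '{WANT_ATTR}', op = '{WANT_OP}' "
            f"WHERE id = {int(row[0])};")


def users_entry(row):
    """Equivalent /etc/freeradius/users entry for the same account."""
    _, username, _, _, value = row
    # The users file quotes the value; escape backslashes and double quotes.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{username}\tCleartext-Password := "{escaped}"'


if __name__ == "__main__":
    problems = audit(RADCHECK_ROWS)
    for row in RADCHECK_ROWS:
        if row[0] in problems:
            print(f"row {row[0]} ({row[1]}): {problems[row[0]]}")
            print("   ", fix_sql(row))
            print("   ", users_entry(row))
```

Run it against a dump of the real table (or adapt `RADCHECK_ROWS` to come from a database cursor); a clean table produces no output. The audit deliberately leaves non-password check items alone, since only the password row decides whether the inner EAP method can be validated.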

More information about the Freeradius-Users mailing list