No subject

Saman Kwok ssaman at hotmail.com
Thu Apr 1 16:42:46 CEST 2010


Hi, I am having a problem that I couldn't resolve alone. If anyone on the list could help me, it would be appreciated.
I have an EnGenius 2610 access point and I run FreeRADIUS under RHEL5. RHEL5 has two ethernet cards: eth0 (192.168.1.4) to the Internet, eth1 to the WiFi client with IP 192.168.0.1 (the client is Windows XP).
The client authenticates with MS-CHAPv2. I installed ca_cert.der in XP.
When I run radiusd -X everything seems fine.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194
        User-Name = "GRACELIA-4E4DD9\\gracelia"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 0
        Called-Station-Id = "00-02-6C-5B-0A-A3:mars_net"
        Calling-Station-Id = "00-80-A8-C1-C0-A3"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020d001d0147524143454c49412d3445344444395c67726163656c6961
        Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "GRACELIA-4E4DD9\gracelia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94
[files] 	expand: Hello, %{User-Name} -> Hello, GRACELIA-4E4DD9\gracelia
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.3 port 1024
        Reply-Message = "Hello, GRACELIA-4E4DD9\\gracelia"
        EAP-Message = 0x010e00061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 4 with timestamp +307
Ready to process requests.
But it keeps looping Access-Challenge and Access-Request without an Access-Reject or a successful authentication. I believe the certificate already has the OID.
When I check the Access Point log, here is the output:
Jan  1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms
----------------------------
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authentication
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing port
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds
Jan  1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)
Jan  1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 seconds
Jan  1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()------------------>HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm
If I try to bind to eth1 or to the IP address, the server does not receive any request.
Here is the clients.conf setting:
# -*- text -*-
##
##  clients.conf -- client configuration directives
##
##	$Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	ipaddr = 192.168.1.4

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names means that the
	#  server will do DNS lookups when it starts, making it
	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
	#  the server won't start!
	#
	#  The server also looks up the IP address from DNS once, and
	#  only once, when it starts.  If the DNS record is later
	#  updated, the server WILL NOT see that update.
	#

	#  One client definition can be applied to an entire network.
	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	#  "netmask = 8"
	#
	#  If not specified, the default netmask is 32 (i.e. /32)
	#
	#  We do NOT recommend using anything other than 32.  There
	#  are usually other, better ways to achieve the same goal.
	#  Using netmasks of other than 32 can cause security issues.
	#
	#  You can specify overlapping networks (127/8 and 127.0/16)
	#  In that case, the smallest possible network will be used
	#  as the "best match" for the client.
	#
	#  Clients can also be defined dynamically at run time, based
	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
	#  etc.
	#  See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	#  The shared secret use to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered vi octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  phrase, or anything else that is recognizable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	secret		= testing123

	#
	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	require_message_authenticator = no

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in 2.0
	#
#	shortname	= localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types

	#
	nastype     = other	# localhost isn't usually a NAS...

	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
#	login       = !root
#	password    = someadminpas

	#
	#  As of 2.0, clients can also be tied to a virtual server.
	#  This is done by setting the "virtual_server" configuration
	#  item, as in the example below.
	#
#	virtual_server = home1
}

# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}

#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client 192.168.0.0/24 {
	secret		= testing123-1
	shortname	= private-network-1
}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}

#client 10.10.10.10 {
#	# secret and password are mapped through the "secrets" file.
#	secret      = testing123
#	shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#        }
#}
Is my clients.conf wrongly configured, hence NAS-Port = 0?
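The clients.conf comments quoted in the post describe two things the server does with every incoming packet: it picks the client entry whose network is the smallest one containing the source address (the "best match"), and it relies on that entry's shared secret, which for a packet carrying a Message-Authenticator means recomputing the HMAC-MD5 from RFC 2869 section 5.14 and comparing. The script below is an added illustration of those two checks, written for this page; it is not code from the poster or from the FreeRADIUS project, and it does not reproduce FreeRADIUS's own implementation. The client table mirrors the two active entries in the posted clients.conf (192.168.1.4 with secret testing123, 192.168.0.0/24 with secret testing123-1); the sample Access-Request, its attribute values and its fixed Request Authenticator are constructed for the example, and the function names are the example's own.

```python
"""Added example: clients.conf best-match lookup and Message-Authenticator
verification for a RADIUS Access-Request. Not from the post or FreeRADIUS."""
import hashlib
import hmac
import ipaddress
import struct

# Client table mirroring the poster's clients.conf: the "localhost" entry
# (ipaddr = 192.168.1.4, default netmask 32, secret testing123) and the
# 192.168.0.0/24 network entry (secret testing123-1). Secrets are the
# file's test values, not something to deploy.
CLIENTS = [
    ("localhost", "192.168.1.4/32", b"testing123"),
    ("private-network-1", "192.168.0.0/24", b"testing123-1"),
]

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def find_client(src_ip, clients=CLIENTS):
    """Best-match lookup as the clients.conf comments describe: of all entries
    whose network contains src_ip, the smallest network (longest prefix) wins.
    Returns (shortname, secret), or None when nothing matches, in which case
    the server ignores the packet."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for name, net, secret in clients:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best is None or network.prefixlen > best[2]):
            best = (name, secret, network.prefixlen)
    return None if best is None else (best[0], best[1])


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, ident, authenticator, attrs):
    """Encode an Access-Request with a Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet, computed
    while the attribute's 16-byte value is all zeros."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(body))
    header += authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 with the attribute value zeroed and compare in
    constant time. False for a malformed packet or a missing attribute (a
    server with require_message_authenticator = yes drops those packets)."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


def check_request(src_ip, packet, clients=CLIENTS):
    """The two receive-side checks: is the source a configured client, and
    does the packet authenticate under that client's secret."""
    match = find_client(src_ip, clients)
    if match is None:
        return "ignored: unknown client"
    name, secret = match
    if not verify_message_authenticator(packet, secret):
        return "dropped: invalid Message-Authenticator for client " + name
    return "accepted: client " + name


# Constructed sample modelled on the attributes in the poster's debug output.
# The Request Authenticator is fixed here; a real NAS picks it at random.
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"GRACELIA-4E4DD9\\gracelia"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.ip_address("192.168.0.3").packed),
]
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(b"testing123-1", 4,
                                      SAMPLE_AUTHENTICATOR, SAMPLE_ATTRS)

if __name__ == "__main__":
    print(check_request("192.168.0.3", SAMPLE_REQUEST))   # accepted
    print(check_request("192.168.1.4", SAMPLE_REQUEST))   # wrong secret
    print(check_request("10.0.0.5", SAMPLE_REQUEST))      # unknown client
```

Running it shows why the NAS address and the secret have to be read together: a packet from 192.168.0.3 is matched against the /24 entry and verified with testing123-1, while the same bytes claimed from 192.168.1.4 fall under the /32 entry and fail against testing123. Adding an overlapping 192.168.0.0/16 entry does not change which secret 192.168.0.3 gets, because the /24 is the smaller network.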



