FreeRadius + LDAP on WPA2

rrperez rrperez at apc.edu.ph
Mon Aug 9 04:50:05 CEST 2010


Thanks for the quick response, Alan.

I have now removed the Auth-Type := EAP from my users file, and the server is
now able to respond to the access point. My problem now is that the clients
can't connect to the server with the correct authentication.

Here is the debug from the server...

rad_recv: Access-Request packet from host 10.96.100.205 port 1095, id=0,
length=127
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000c017272706572657a
        Message-Authenticator = 0x4f2ba1b95873a9bf8b13863f1ce6d52f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry rrperez at line 93
++[files] returns ok
[ldap] performing user authorization for rrperez
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  expand: %{User-Name} -> rrperez
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=rrperez)
[ldap]  expand: dc=testldap1,dc=test,dc=corpoff ->
dc=testldap1,dc=test,dc=corpoff
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testldap1,dc=test,dc=corpoff, with filter
(uid=rrperez)
[ldap] looking for check items in directory...
rlm_ldap: userpassword -> Cleartext-Password == "p@ssw0rd"
rlm_ldap: userPassword -> User-Password == "p@ssw0rd"
[ldap] looking for reply items in directory...
[ldap] user rrperez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1095
        EAP-Message = 0x010200160410b26f8606d20313bfb074702fb88c12dc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a339647283709d04328c11ec504b2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1097, id=0,
length=139
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        State = 0x472a339647283709d04328c11ec504b2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060319
        Message-Authenticator = 0x2d96e463cb33f53668e660cc806f5396
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry rrperez at line 93
++[files] returns ok
[ldap] performing user authorization for rrperez
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  expand: %{User-Name} -> rrperez
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=rrperez)
[ldap]  expand: dc=testldap1,dc=test,dc=corpoff ->
dc=testldap1,dc=test,dc=corpoff
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testldap1,dc=test,dc=corpoff, with filter
(uid=rrperez)
[ldap] looking for check items in directory...
rlm_ldap: userpassword -> Cleartext-Password == "p@ssw0rd"
rlm_ldap: userPassword -> User-Password == "p@ssw0rd"
[ldap] looking for reply items in directory...
[ldap] user rrperez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1097
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a339646292a09d04328c11ec504b2
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1099, id=0,
length=251
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        State = 0x472a339646292a09d04328c11ec504b2
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0203007619800000006c16030100670100006303014c60485419960635d1ade97d45e42d310da2c1bd2228f6a268e4c8d2725deccc000018002f00350005000ac009c00ac013c0140032003800130004010000220000000c000a0000077272706572657a000a00080006001700180019000b00020100
        Message-Authenticator = 0xfb781696d1e2b68de3ca4be44368e6ba
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 118
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 108
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0067], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 0847], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1099
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
0xbd5b53e9c2ef6647a4b8dd02daceb3066d9a9ae26cd11a8300b9d53c043f09b33b53354bdbcf6ce4d0b1a8e4770eb537f583c6ebce6487ffa1dc2b1c4cc541aa04e98fae7a73336ee461bdbdc0909080852e47fc49b64b146ad18cbafaf350647f19758c5e781d6bd8882f6d8e136f87b1f3e013342b79c05deef124b9c800c2461cb265ae547aa5c299facd146c391c91abcd5e0f03aac4cba67d9b5a86ff440e52850806b7c9b7f45ba4f4bcecb86bb5bb5f9dba3453e974fb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101004aac0765701c5185080a5fb6e5363b88b5
        EAP-Message =
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
        EAP-Message = 0x0102020900e6d6f0b5c23c70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a3396452e2a09d04328c11ec504b2
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1101, id=0,
length=139
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        State = 0x472a3396452e2a09d04328c11ec504b2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x2e5b1abd57419deda1b17bc06072af82
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1101
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message =
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
        EAP-Message = 0xbd4b27e772945483
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a3396442f2a09d04328c11ec504b2
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1103, id=0,
length=139
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        State = 0x472a3396442f2a09d04328c11ec504b2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0x748755f79dc28feaac6975d483fb2606
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1103
        EAP-Message =
0x0106009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a3396432c2a09d04328c11ec504b2
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1105, id=0,
length=139
        User-Name = "rrperez"
        NAS-IP-Address = 10.96.100.205
        Called-Station-Id = "0014bf8abbc5"
        Calling-Station-Id = "0016e3cdc0a3"
        NAS-Identifier = "0014bf8abbc5"
        NAS-Port = 46
        Framed-MTU = 1400
        State = 0x472a3396432c2a09d04328c11ec504b2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x31c7e07cdcbfbce9826ce983e511159b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rrperez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1105
        EAP-Message = 0x010700061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x472a3396422d2a09d04328c11ec504b2
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 2 ID 0 with timestamp +50
Cleaning up request 3 ID 0 with timestamp +50
Cleaning up request 4 ID 0 with timestamp +50
Cleaning up request 5 ID 0 with timestamp +50
Cleaning up request 6 ID 0 with timestamp +50
Cleaning up request 7 ID 0 with timestamp +51
Ready to process requests.

I can't find the problem/error; I need help...
-- 
View this message in context: http://old.nabble.com/FreeRadius-%2B-LDAP-on-WPA2-tp29381148p29384249.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
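The EAP-Message values in a `radiusd -X` trace like the one above are raw EAP packets, and reading them by hand is what tells you how far the PEAP tunnel got. The following decoder is an added example, not code from the original post or from FreeRADIUS; it assumes only the EAP header layout (code, id, length, type), the EAP-TLS flag byte that PEAP reuses (L = length included, M = more fragments, S = start) and the TLS record header, and it treats the hex strings copied from the post as the constructed input. The two server fragments the archive elided are left out, since only the server's last fragment and the client's replies matter for the stall check; `peap_stalled` is a name chosen here, not a FreeRADIUS function.

```python
# Added example; it is not part of the original post or of FreeRADIUS itself.
# Decode the EAP-Message hex that "radiusd -X" prints: EAP code/id/type, the
# EAP-TLS/PEAP flag bits, and whichever TLS handshake records are visible,
# then check where the PEAP tunnel setup stopped in the trace above.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_HS = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
          14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # length included, more fragments, start


def tls_records(buf):
    """Complete TLS records starting at buf[0] -> [(content_type, version, handshake)].
    Stops at the first partial record or when buf is not on a record boundary."""
    out = []
    while len(buf) >= 5:
        ctype, ver, rlen = struct.unpack("!BHH", buf[:5])
        if ctype not in (20, 21, 22, 23) or ver >> 8 != 3 or len(buf) < 5 + rlen:
            break
        body = buf[5:5 + rlen]
        hs = TLS_HS.get(body[0], body[0]) if ctype == 22 and body else None
        out.append((ctype, "3.%d" % (ver & 0xFF), hs))
        buf = buf[5 + rlen:]
    return out


def last_record(buf):
    """A non-first fragment starts mid-record; recover the complete record it ends
    with (the Certificate flight's trailing ServerHelloDone, for example)."""
    for i in range(len(buf) - 5, -1, -1):
        ctype, ver, rlen = struct.unpack("!BHH", buf[i:i + 5])
        if ctype == 22 and ver >> 8 == 3 and i + 5 + rlen == len(buf):
            return tls_records(buf[i:])[0]
    return None


def decode_eap(hexstr):
    """Decode one whole EAP packet (join the EAP-Message attributes of a RADIUS
    packet first; radiusd splits them at 253 bytes)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 5:
        return msg  # Success/Failure carry no type/payload
    etype = data[4]
    msg["type"] = EAP_TYPES.get(etype, etype)
    payload = data[5:length]
    if etype == 1:
        msg["identity"] = payload.decode("utf-8", "replace")
    elif etype == 3:
        msg["nak_wants"] = [EAP_TYPES.get(b, b) for b in payload]  # types the peer offers instead
    elif etype == 4:
        msg["challenge"] = payload[1:1 + payload[0]].hex()  # value-size byte, then challenge
    elif etype in (13, 21, 25):
        flags = payload[0]
        msg["flags"] = "".join(n for n, b in zip("LMS", (FLAG_L, FLAG_M, FLAG_S)) if flags & b)
        tls = payload[1:]
        if flags & FLAG_L and len(tls) >= 4:
            msg["tls_total_len"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        msg["tls_bytes"] = len(tls)
        msg["ack"] = not tls and not flags & FLAG_S  # empty non-Start packet is an ACK
        msg["records"] = tls_records(tls)
        if tls and not msg["records"]:
            msg["tail_record"] = last_record(tls)
    return msg


def peap_stalled(trace):
    """True when the server's last fragment of a TLS flight (M clear) is followed
    only by bare client ACKs: the peer never sent its next handshake flight."""
    flight_done, client_after = False, []
    for who, m in ((w, decode_eap(h)) for w, h in trace):
        if m.get("type") != "PEAP":
            continue
        if who == "server" and m["tls_bytes"] and "M" not in m["flags"]:
            flight_done, client_after = True, []
        elif who == "client" and flight_done:
            client_after.append(m)
    return flight_done and bool(client_after) and all(m["ack"] for m in client_after)


# The EAP-Message values copied from the post, in wire order (constructed input).
# The two server fragments the archive elided are omitted; only the last
# fragment of the server's Certificate flight and the client's replies matter.
TRACE = [
    ("client", "0x0201000c017272706572657a"),
    ("server", "0x010200160410b26f8606d20313bfb074702fb88c12dc"),
    ("client", "0x020200060319"),
    ("server", "0x010300061920"),
    ("client", "0x0203007619800000006c16030100670100006303014c60485419960635d1ade97d45e42d310da2c1bd2228f6a268e4c8d2725deccc000018002f00350005000ac009c00ac013c0140032003800130004010000220000000c000a0000077272706572657a000a00080006001700180019000b00020100"),
    ("client", "0x020400061900"),
    ("client", "0x020500061900"),
    ("server", "0x0106009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000"),
    ("client", "0x020600061900"),
    ("server", "0x010700061900"),
]

if __name__ == "__main__":
    for who, h in TRACE:
        print(who, decode_eap(h))
    print("stalled after server flight:", peap_stalled(TRACE))
```

Run against the post's trace, the decoder reads: the client's Identity response "rrperez"; the server's MD5-Challenge (the default EAP type unless eap.conf says otherwise); the client's NAK asking for PEAP (type 25); the PEAP Start; a 118-byte response carrying a complete TLS 1.0 ClientHello with L set and total length 108; two bare ACKs while the server streams its Certificate flight; the server's last fragment, whose tail parses as ServerHelloDone; and then one more bare ACK from the client before the requests are cleaned up. At that point a continuing client would send ClientKeyExchange, so `peap_stalled` reports the stall on the client side of the TLS handshake, not in the LDAP lookup, which the same debug shows returning the password check items as expected. Two practitioner notes: a supplicant that goes quiet immediately after the server certificate is usually declining that certificate, so the client's trust settings are the place to look next, and this kind of debug output prints the user's cleartext password from LDAP, so redact it before posting it anywhere.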