EAP-TLS and "default user"?!

Lukas Haase lukashaase at gmx.at
Tue Aug 10 21:19:58 CEST 2010


Hi,

I want to secure my WPA network with PEAP-MSCHAPv2 and EAP-TLS.

The first one already works (including LDAP server) but the second one 
fails. This is the output of freeradius -X:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.151 port 2049, id=0, length=111
         NAS-IP-Address = 192.168.200.151
         Called-Station-Id = "0016b6a3ee04"
         Calling-Station-Id = "001de0121c0d"
         NAS-Identifier = "0016b6a3ee04"
         NAS-Port = 3
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         EAP-Message = 0x0200000501
         Message-Authenticator = 0x31e54d9d928ba685321f40fd2d46667a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
     rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
   rlm_eap: EAP packet type response id 0 length 5
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: UserIdentity Unknown
rlm_eap: Identity Unknown, authentication failed
   rlm_eap: Failed in handler
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [<no User-Name attribute>/<via Auth-Type = EAP>] (from client ap port 3 cli 001de0121c0d)
   Found Post-Auth-Type Reject
+- entering group REJECT
         expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.200.151 port 2049
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +106
Ready to process requests.

As client I use Windows XP SP2.

I searched a lot on the net, and all I found was that the supplicant 
should be broken because it should send a username along.

Well, I cannot imagine this, because then it would be mentioned in ANY 
of these tutorials.

Maybe I also need to add a special "default" entry to the users file?

I played around but still I did not get it working.

Can anybody give me a hint where to start?

Regards, Luke
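Added example (not part of Luke's post and not FreeRADIUS code): a small Python script that pulls the attributes out of a constructed excerpt of the debug output quoted above and decodes the EAP-Message header per RFC 3748. It shows that 0x0200000501 is an EAP-Response/Identity whose identity field is empty, arriving with no User-Name attribute, which is exactly what rlm_eap reports as "Identity Unknown". The attribute dump and the verdict strings are my own; the EAP type numbers are the IANA-assigned values.

```python
import re

# Constructed excerpt of the freeradius -X attribute dump quoted in the post above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.200.151 port 2049, id=0, length=111
        NAS-IP-Address = 192.168.200.151
        Calling-Station-Id = "001de0121c0d"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000501
        Message-Authenticator = 0x31e54d9d928ba685321f40fd2d46667a
+- entering group authorize
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}  # RFC 3748 / IANA

def parse_access_request(debug_text):
    """Collect the indented 'attribute = value' lines of the first Access-Request."""
    attrs, in_request = {}, False
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True
            continue
        if in_request:
            m = re.match(r"\s+([\w-]+) = (.+)$", line)
            if not m:
                break  # first non-indented line ends the attribute dump
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def decode_eap_message(hex_value):
    """Decode the EAP header (code, id, length, type) inside a RADIUS EAP-Message value."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("malformed EAP packet: length field disagrees with payload")
    info = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": len(raw)}
    if raw[0] in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type byte
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        info["data"] = raw[5:]  # Identity payload is the NAI the peer offered (may be empty)
    return info

def diagnose(debug_text):
    """Explain the 'Identity Unknown' rejection from the request attributes alone."""
    attrs = parse_access_request(debug_text)
    eap = decode_eap_message(attrs["EAP-Message"])
    if eap.get("type") == "Identity" and not eap["data"] and "User-Name" not in attrs:
        return "supplicant sent an empty EAP-Identity and no User-Name attribute"
    if "User-Name" not in attrs:
        return "EAP identity present but no User-Name attribute"
    return "identity present"
```

Running diagnose(SAMPLE_DEBUG) on the excerpt returns the first verdict, so the thing to check on the client is whether the EAP-TLS profile is actually sending an identity at all.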