Configuration Problem with FreeRadius, Unix Authentication, and WRT54G2 WAP
Jonathan Black
frodowearinthering at gmail.com
Thu Aug 26 00:25:44 CEST 2010
First off: I'm trying to configure FreeRadius on a Qnap TS-239 Pro.
I'm using ipkg to install freeradius. I've installed version 2.0.5-2
of freeradius. I'm attempting to set the system up so that users on
the Qnap unit (The Radius Server) can use the same username and
password to connect to wireless.
So this is what I've done. I went into the "users" file and added
the following lines at the end of the file:
------------------------------------------------------------------------------------
DEFAULT Group == "Wireless_Users", Auth-Type := System
        Fall-Through = Yes
------------------------------------------------------------------------------------
At the end of the client.conf file I've added:
------------------------------------------------------------------------------------
client 192.168.1.183/32 {
        shortname = "WAP"
        secret = sharedsecret
        require_message_authenticator = no
        nastype = other
}
------------------------------------------------------------------------------------
I went through and made the changes to the eap.conf that are listed in
Section 3.2 of http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html .
Anyway, when I attempt to connect to wireless with my iPhone, I'm
getting rejected. I was running radiusd with "radiusd -X", and this is
the output:
------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.1.183 port 1053,
id=55, length=158
User-Name = "testuser"
NAS-IP-Address = 192.168.1.183
NAS-Port = 0
Called-Station-Id = "68-7F-74-23-A5-AC:test"
Calling-Station-Id = "90-27-E4-50-B3-1C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0xb20d3523b73d726b86875844f6da1c8f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry DEFAULT at line 202
++[files] returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
+- entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
++[unix] returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 55 to 192.168.1.183 port 1053
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
------------------------------------------------------------------------------------
If I enter "radtest testuser 123testing456 localhost 0 testing123"
from the command line I receive:
------------------------------------------------------------------------------------
Sending Access-Request of id 98 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "123testing456"
NAS-IP-Address = 192.168.3.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=98, length=20
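------------------------------------------------------------------------------------
Radius -X Debugging shows:
------------------------------------------------------------------------------------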
rad_recv: Access-Request packet from host 127.0.0.1 port 36011, id=98, length=60
User-Name = "testuser"
User-Password = "123testing456"
NAS-IP-Address = 192.168.3.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 202
++[files] returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
+- entering group authenticate
++[unix] returns ok
Sending Access-Accept of id 98 to 127.0.0.1 port 36011
Finished request 12.
Going to the next request
------------------------------------------------------------------------------------
I know that my iPhone is attempting to do EAP, and I see that it is
rejecting the authentication attempt because it doesn't have a
User-Password attribute set. I'm sure I've got this configured wrong
somehow. Any help will be very much appreciated. Thanks!