ldap+wireless wpa-eap

José Campos jjscampos at gmail.com
Thu Feb 4 12:00:55 CET 2010


Hello,

I can authenticate LDAP users using the NTRadPing tool without a problem.
But I can't do it through an Access Point. Can you help me?

I have the AP (D-Link 2100 AP+) configured for WPA-EAP, Cipher Type=Auto.

I list the radius config and debug.

radiusd: #### Loading Clients ####

 client localhost {

        ipaddr = 127.0.0.1

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

 }

 client 172.22.0.21 {

        ipaddr = 172.22.0.21

        require_message_authenticator = no

        secret = "si"

        shortname = "xxxxx"

        nastype = "other"

 }

 client AP1-E1 {

        ipaddr = 192.168.70.70

        require_message_authenticator = no

        secret = "si"

        shortname = "AP1-E1"

        nastype = "other"

 }




radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_pap

 Module: Instantiating pap

  pap {

        encryption_scheme = "auto"

        auto_header = no

  }

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

        use_mppe = yes

        require_encryption = no

        require_strong = no

        with_ntdomain_hack = no

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

        default_eap_type = "peap"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        pem_file_type = yes

        private_key_file = "/etc/raddb/certs/server.pem"

        certificate_file = "/etc/raddb/certs/server.pem"

        CA_file = "/etc/raddb/certs/ca.pem"

        private_key_password = "whatever"

        dh_file = "/etc/raddb/certs/dh"

        random_file = "/etc/raddb/certs/random"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        cipher_list = "DEFAULT"

        make_cert_command = "/etc/raddb/certs/bootstrap"

    cache {

        enable = no

        lifetime = 24

        max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

        include_length = yes

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

        with_ntdomain_hack = no

   }

 Module: Checking preacct {...} for more modules to load

 Module: Linked to module rlm_acct_unique

 Module: Instantiating acct_unique

  acct_unique {

        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"

  }

 Module: Checking accounting {...} for more modules to load

 Module: Linked to module rlm_detail

 Module: Instantiating detail

  detail {

        detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

 Module: Instantiating attr_filter.accounting_response

  attr_filter attr_filter.accounting_response {

        attrsfile = "/etc/raddb/attrs.accounting_response"

        key = "%{User-Name}"

  }

 Module: Checking session {...} for more modules to load

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 } # modules

} # server

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = *

        port = 0

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

}

listen {

        type = "control"

 listen {

        socket = "/var/run/radiusd/radiusd.sock"

 }

}

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=0,
length=201

        Message-Authenticator = 0x0bad8dc9bc9d09a88d777055e87bc06f

        Service-Type = Framed-User

        User-Name = "ldapuser"

        Framed-MTU = 1488

        Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"

        Calling-Station-Id = "00-1C-BF-63-43-7F"

        NAS-Identifier = "D-Link Access Point"

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 54Mbps 802.11g"

        EAP-Message = 0x0200000c0139303230313535

        NAS-IP-Address = 192.168.70.70

        NAS-Port = 1

        NAS-Port-Id = "STA port # 1"

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "ldapuser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 0 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

++[files] returns noop

[ldap] performing user authorization for ldapuser

[ldap]  expand: %{Stripped-User-Name} -> 

[ldap]  expand: %{User-Name} -> ldapuser

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=ldapuser)

[ldap]  expand: dc=test,dc=test,dc=pt -> dc=test,dc=test,dc=pt

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to xxx.xxx.xxx.xxx:389, authentication 0

rlm_ldap: bind as uid=borat,dc=test,dc=test,dc=pt/ldappassword to
xxx.xxx.xxx.xxx:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind was successful

rlm_ldap: performing search in dc=test,dc=test,dc=pt, with filter
(uid=ldapuser)

[ldap] looking for check items in directory...

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?

[ldap] user ldapuser authorized to use remote access

rlm_ldap: ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.70.70 port 1038

        EAP-Message = 0x010100061920

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x1f5a0c851f5b15f67ae48d03f8beffe6

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=1,
length=490

        Message-Authenticator = 0xba2e0b898f91a1e37da464dd4a07b311

        Service-Type = Framed-User

        User-Name = "ldapuser"

        Framed-MTU = 1488

        State = 0x1f5a0c851f5b15f67ae48d03f8beffe6

        Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"

        Calling-Station-Id = "00-1C-BF-63-43-7F"

        NAS-Identifier = "D-Link Access Point"

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 54Mbps 802.11g"

        EAP-Message =
0x0201011919800000010f160301010a0100010603014b69b17864a990f749baa2f53df13aca
45cbccacb1f5bc685e3635514f1e42cb00003800390038003500880087008400160013000a00
330032002f009a00990096004500440041000500040015001200090014001100080006000302
010000a4002300a0d01907820de47ddfa68661ec44d31e5dd8dacaafdad2c82305e227265d28
f850f8a524da4fe4c3b7c860c7de1c52e36def98c4cfb43292159ec293311df317029fc16077
541d9238068a112f6e77a2935fa16efacb85cf609cbfff1577c0d2c9e859cee24b718b747fc9
25802b1e680e86d03e864c6b551b3108afeab659710248cb35aa

        EAP-Message =
0x8575d2b42e895e1ec907d7e69d9e7386b69232cfa63df6d12d7da003

        NAS-IP-Address = 192.168.70.70

        NAS-Port = 1

        NAS-Port-Id = "STA port # 1"

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "ldapuser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 1 length 253

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 271

[peap] Length Included

[peap] eaptls_verify returned 11 

[peap]     (other): before/accept initialization 

[peap]     TLS_accept: before/accept initialization 

[peap] <<< TLS 1.0 Handshake [length 010a], ClientHello  

[peap]     TLS_accept: SSLv3 read client hello A 

[peap] >>> TLS 1.0 Handshake [length 0030], ServerHello  

[peap]     TLS_accept: SSLv3 write server hello A 

[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  

[peap]     TLS_accept: SSLv3 write certificate A 

[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  

[peap]     TLS_accept: SSLv3 write key exchange A 

[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  

[peap]     TLS_accept: SSLv3 write server done A 

[peap]     TLS_accept: SSLv3 flush data 

[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A

In SSL Handshake Phase 

In SSL Accept mode  

[peap] eaptls_process returned 13 

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 1 to 192.168.70.70 port 1038

        EAP-Message =
0x0102040019c000000ab316030100300200002c03014b69affea71157c286b09b1dcb48c1f8
c7c3c073d302d7cc8d002c5b4f42e2be00003901000400230000160301085e0b00085a000857
0003a6308203a23082028aa003020102020101300d06092a864886f70d010104050030819331
0b3009060355040613024652310f300d06035504081306526164697573311230100603550407
1309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e
06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504
03131d4578616d706c6520436572746966696361746520417574

        EAP-Message =
0x686f72697479301e170d3130303230333134343231395a170d313130323033313434323139
5a307c310b3009060355040613024652310f300d060355040813065261646975733115301306
0355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053
65727665722043657274696669636174653120301e06092a864886f70d010901161161646d69
6e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030
82010a0282010100b86c5396cfd7e7e922dbb26df4f4b69f25d3714a819fd36762ad32dc140e
303d5ba97e0db2e28046c54d3019a5e2759ad37694fbc08b03d2

        EAP-Message =
0xed836feeac8a599b268410d77e15160bd5cab44dc763c97898b8bffeba36ae5c14913bf44c
ed0427f5ee12f2232958d3f2b70a3041c794dd24091ffe85e8f8d4bbb7a787a301a8c1dc902c
c95b1dc810e7539a391366deca63ce30c51a889717b865961d1aef3dd308b12431bc8b401d24
7c8a97e7c968ee6a9652809bcc95cbdab84d1a3fe9968916f7a0115448827b960af7203527b1
7990519d26ec1cd7a3fa35dee8ddb488a917d27790afc11347f393a272f8a456106a08a3b28f
7007e69fafa5a61a693ac30203010001a317301530130603551d25040c300a06082b06010505
070301300d06092a864886f70d0101040500038201010094945d

        EAP-Message =
0x22948e117c5f66d8b5d23a05004dc7141b85059576c06616919c5357136e434b2b1ff34e6e
bcc5960d22fff1cfe0456c531603e238de97f9160d792ef10b748ce0b49c01625e24a712ce5f
0a2fb284117bbd355bd598b566d07cfe45d21670d5344de9fde5e581862121fa80c957cb6000
fa418d958d3b09bda9e05bfa5b0806ea0decb18a2d566906224f3cd04e4fcdacbbeaa8772cba
4b3fb165c64a66e3886d006700cd65d0d943f386be08582a020d1f070a9e625e6824500a2810
cda4f3ef919f2495b158a67c76a71196c404b794ee6d3cfc9d6c878259d3e6afc5daa28a0e4d
6e8ab1ff8a6cebb2397215952dfd4253ea689454bd4294fd2633

        EAP-Message = 0x0004ab308204a73082038fa0

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x1f5a0c851e5815f67ae48d03f8beffe6

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=9,
length=303

        Message-Authenticator = 0x40181150ae53bc834616acde8bded5ce

        Service-Type = Framed-User

        User-Name = "ldapuser"

        Framed-MTU = 1488

        State = 0x1f5a0c85175315f67ae48d03f8beffe6

        Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"

        Calling-Station-Id = "00-1C-BF-63-43-7F"

        NAS-Identifier = "D-Link Access Point"

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 54Mbps 802.11g"

        EAP-Message =
0x02090060190017030100203740cd6052be3de4a2dae33ed1e4699866af641dee6261f14e94
93e21b49db0217030100305406714a1fee8d73edfa87c60a0046641329975a279ecbc1b2ee7d
ec5e9d60b9bc61efd8b9e8e5304a341f7eee16e533

        NAS-IP-Address = 192.168.70.70

        NAS-Port = 1

        NAS-Port-Id = "STA port # 1"

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "ldapuser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 9 length 96

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Received EAP-TLV response.

[peap]  Had sent TLV failure.  User was rejected earlier in this session.

[eap] Handler failed in EAP/peap

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> ldapuser

 attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 9 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 9

Sending Access-Reject of id 9 to 192.168.70.70 port 1038

        EAP-Message = 0x04090004

        Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.4 seconds.

I did cut some debug info, in order to not exceed the max message limit of 100K.

I think the problem is here:

[eap] processing type md5

rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

but in eap.conf it is:

eap {
        default_eap_type = peap

        peap {
                default_eap_type = mschapv2
        }
}

Sorry, I'm not familiar enough with wifi to understand what's wrong.
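The debug output above is easier to read once the EAP-Message attributes are decoded. What follows is an added example for this thread, not FreeRADIUS code and not something the poster ran: it groups a `radiusd -X` transcript into RADIUS packets, concatenates the EAP-Message attributes of each packet (RFC 3579 splits one EAP packet across 253-byte attributes, which is why the id=1 request carries two of them), decodes the RFC 3748 header, and keeps the `"known good" password` warnings next to the request that produced them. Run on the abridged transcript embedded below (copied from this post), it reassembles the id=1 request to 281 bytes with the PEAP L flag set and a TLS length of 271, the same value the server logs as `TLS Length 271`, and it decodes the EAP-Identity the supplicant sent in the first packet, which is worth comparing with the outer User-Name. For a PEAP/MS-CHAPv2 deployment against LDAP, the `No "known good" password` lines are the first thing to check, since the server can only verify MS-CHAPv2 when the directory returns an NT-Password or Cleartext-Password for the user. The names `SAMPLE`, `parse_debug`, `decode_eap`, `EapPacket` and `RadiusPacket` are introduced here; Python 3.9 or later is assumed for `str.removeprefix`.

```python
# Added example for this thread, not FreeRADIUS code: decode radiusd -X EAP-Message dumps (RFC 3579 / RFC 3748).
import re
from dataclasses import dataclass, field
from typing import List, Optional

TLS_METHODS = (13, 21, 25)   # EAP-TLS, EAP-TTLS, PEAP: payload starts with flags
HEADER_RE = re.compile(
    r"^(?:rad_recv: (?P<rk>\S+) packet from host \S+ port \d+, id=(?P<rid>\d+)"
    r"|Sending (?P<sk>Access-\S+) of id (?P<sid>\d+) to)")


@dataclass
class EapPacket:
    code: int                         # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    length: int                       # declared length, header included
    eap_type: Optional[int] = None    # 1 Identity, 25 PEAP, 26 MSCHAPv2, ...
    flags: Optional[int] = None       # TLS methods: L=0x80 M=0x40 S=0x20
    tls_length: Optional[int] = None  # present only when the L flag is set
    identity: Optional[str] = None    # type 1 only
    truncated: bool = False           # fewer bytes reassembled than declared


@dataclass
class RadiusPacket:
    kind: str                         # Access-Request / -Challenge / -Reject
    radius_id: int
    eap_hex: List[str] = field(default_factory=list)   # one entry per attribute
    warnings: List[str] = field(default_factory=list)  # "known good" password lines

    def eap(self) -> Optional[EapPacket]:
        raw = bytes.fromhex("".join(self.eap_hex))    # RFC 3579 concatenation
        return decode_eap(raw) if raw else None


def decode_eap(raw: bytes) -> EapPacket:
    """RFC 3748 header plus the Identity / TLS-method payload."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    pkt = EapPacket(code, ident, length, truncated=len(raw) < length)
    if code in (1, 2) and len(raw) >= 5:        # only Request/Response carry a type
        pkt.eap_type = raw[4]
        body = raw[5:length]
        if pkt.eap_type == 1:
            pkt.identity = body.decode("utf-8", "replace")
        elif pkt.eap_type in TLS_METHODS and body:
            pkt.flags = body[0]
            if pkt.flags & 0x80 and len(body) >= 5:  # L bit: 4-byte TLS length
                pkt.tls_length = int.from_bytes(body[1:5], "big")
    return pkt


def parse_debug(text: str) -> List[RadiusPacket]:
    """Group transcript lines into RADIUS packets, collecting wrapped EAP hex."""
    packets, in_value = [], False
    cur = RadiusPacket("preamble", -1)   # catches lines before the first header
    for line in text.splitlines():
        s = line.strip()
        m = HEADER_RE.match(s)
        if m:
            cur = RadiusPacket(m.group("rk") or m.group("sk"),
                               int(m.group("rid") or m.group("sid")))
            packets.append(cur)
            in_value = False
        elif s.startswith("EAP-Message"):
            cur.eap_hex.append(s.split("=", 1)[1].strip().removeprefix("0x"))
            in_value = True                          # value may be wrapped below
        elif in_value and re.fullmatch(r"(?:0x)?[0-9a-f]+", s, re.I):
            cur.eap_hex[-1] += s.removeprefix("0x")  # continuation line
        else:
            in_value = False
            if "known good" in s:                    # ldap/pap "no password" lines
                cur.warnings.append(s)
    return packets


# Abridged copy of the debug output quoted in this post (requests id 0 and 1, first challenge, final reject).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=0, length=201
        EAP-Message = 0x0200000c0139303230313535
WARNING: No "known good" password was found in LDAP.  Are you sure that the
Sending Access-Challenge of id 0 to 192.168.70.70 port 1038
        EAP-Message = 0x010100061920
rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=1, length=490
        EAP-Message =
0x0201011919800000010f160301010a0100010603014b69b17864a990f749baa2f53df13aca
45cbccacb1f5bc685e3635514f1e42cb00003800390038003500880087008400160013000a00
330032002f009a00990096004500440041000500040015001200090014001100080006000302
010000a4002300a0d01907820de47ddfa68661ec44d31e5dd8dacaafdad2c82305e227265d28
f850f8a524da4fe4c3b7c860c7de1c52e36def98c4cfb43292159ec293311df317029fc16077
541d9238068a112f6e77a2935fa16efacb85cf609cbfff1577c0d2c9e859cee24b718b747fc9
25802b1e680e86d03e864c6b551b3108afeab659710248cb35aa
        EAP-Message =
0x8575d2b42e895e1ec907d7e69d9e7386b69232cfa63df6d12d7da003
Sending Access-Reject of id 9 to 192.168.70.70 port 1038
        EAP-Message = 0x04090004
"""
```

Feeding the full transcript to `parse_debug` works the same way: the blank lines between attributes end a wrapped value, the next `EAP-Message =` line starts a new fragment of the same packet, and `RadiusPacket.eap()` joins all fragments before decoding, so a packet whose fragments were cut from the paste shows up with `truncated=True` rather than as a bogus decode.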
