radius doesn't work
Aziz YÜCELEN
ayucelen at msn.com
Wed Jul 7 10:19:15 CEST 2010
Hi
I am using FreeRADIUS version 2.1.4 and I want to set up the config for EAP-TTLS using the users and clients files, but it didn't work. Please help me. Thanks.
***************OUTPUT************************************
Finished request 18.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 17 ID 18 with timestamp +75
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
	User-Name = "deneme"
	NAS-IP-Address = 10.1.1.252
	NAS-Port = 0
	Called-Station-Id = "00-30-4F-44-3D-C1"
	Calling-Station-Id = "00-18-DE-88-62-77"
	NAS-Identifier = "WirelessAccessPoint"
	Framed-MTU = 1380
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0211002219001703010017a5491ed47f0de82246939132f8766cf3c1a85f8c211be5
	State = 0x56c2eb4850d3f233efbb27b16d1adb57
	Message-Authenticator = 0x1ea576935b901d2c1f156615504ed0da
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - deneme
[peap] Got tunneled request
	EAP-Message = 0x0211000b0164656e656d65
server {
  PEAP: Got tunneled identity of deneme
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to deneme
Sending tunneled request
	EAP-Message = 0x0211000b0164656e656d65
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "deneme"
server inner-tunnel {
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
	EAP-Message = 0x011200261900170301001b3f825aee84e1fd23b0089c976f25f2f4054e5c93627e072882688f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x56c2eb4851d0f233efbb27b16d1adb57
Finished request 19.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 18 ID 19 with timestamp +78
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=21, length=187
	User-Name = "deneme"
	NAS-IP-Address = 10.1.1.252
	NAS-Port = 0
	Called-Station-Id = "00-30-4F-44-3D-C1"
	Calling-Station-Id = "00-18-DE-88-62-77"
	NAS-Identifier = "WirelessAccessPoint"
	Framed-MTU = 1380
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x021200261900170301001bd0f786fe5ec27d325f117cb1c6314a2fc09664e18d31038aaa2a5f
	State = 0x56c2eb4851d0f233efbb27b16d1adb57
	Message-Authenticator = 0xe4dd7f51a3fd9548338084267728d316
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> deneme
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 20 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 20
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
	EAP-Message = 0x04120004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 19 ID 20 with timestamp +81
Waking up in 3.9 seconds.
************EAP.conf********************
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id$

#######################################################################
#
eap {
	#
	default_eap_type = ttls

	#  A list is maintained to correlate EAP-Response
	#  packets with EAP-Request packets.  After a
	#  configurable length of time, entries in the list
	#  expire, and are deleted.
	#
	timer_expire = 60

	ignore_unknown_eap_types = no

	#  Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
	#  a User-Name attribute in an Access-Accept, it copies one
	#  more byte than it should.
	#
	#  We can work around it by configurably adding an extra
	#  zero byte.
	cisco_accounting_username_bug = no

	#
	#  Help prevent DoS attacks by limiting the number of
	#  sessions that the server is tracking.  Most systems
	#  can handle ~30 EAP sessions/s, so the default limit
	#  of 2048 is more than enough.
	max_sessions = 2048

	# Supported EAP-types

	#
	#  We do NOT recommend using EAP-MD5 authentication
	#  for wireless connections.  It is insecure, and does
	#  not provide for dynamic WEP keys.
	#
	md5 {
	}

	# Cisco LEAP
	#
	leap {
	}

	# Generic Token Card.
	gtc {
		#  The default challenge, which many clients
		#  ignore..
		#challenge = "Password: "

		auth_type = PAP
	}

	## EAP-TLS
	#
	#  See raddb/certs/README for additional comments
	#  on certificates.
	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
	#
	tls {
		#
		#  These is used to simplify later configurations.
		#
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = 123456
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		#	fragment_size = 1024
		#	include_length = yes
		#	check_crl = yes
		#
		#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
		#	check_cert_cn = %{User-Name}
		#	cipher_list = "DEFAULT"
		#	make_cert_command = "${certdir}/bootstrap"

		cache {
			#
			#  Enable it.  The default is "no".
			#  Deleting the entire "cache" subsection
			#  Also disables caching.
			#
			#  You can disallow resumption for a
			#  particular user by adding the following
			#  attribute to the control item list:
			#
			#  Allow-Session-Resumption = No
			#
			#  If "enable = no" below, you CANNOT
			#  enable resumption for just one user
			#  by setting the above attribute to "yes".
			#
			enable = no

			#
			#  Lifetime of the cached entries, in hours.
			#  The sessions will be deleted after this
			#  time.
			#
			lifetime = 24 # hours

			#
			#  The maximum number of entries in the
			#  cache.  Set to "0" for "infinite".
			#
			#  This could be set to the number of users
			#  who are logged in... which can be a LOT.
			#
			max_entries = 255
		}
	}

	ttls {
		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  TTLS tunnel, we recommend using EAP-MD5.
		#  If the request does not contain an EAP
		#  conversation, then this configuration entry
		#  is ignored.
		default_eap_type = md5

		# allowed values: {no, yes}
		copy_request_to_tunnel = no

		# allowed values: {no, yes}
		use_tunneled_reply = no

		virtual_server = "inner-tunnel"
	}

	peap {
		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  PEAP tunnel, we recommend using MS-CHAPv2,
		#  as that is the default type supported by
		#  Windows clients.
		default_eap_type = mschapv2

		#  the PEAP module also has these configuration
		#  items, which are the same as for TTLS.
		copy_request_to_tunnel = no
		use_tunneled_reply = no

		#  When the tunneled session is proxied, the
		#  home server may not understand EAP-MSCHAP-V2.
		#  Set this entry to "no" to proxy the tunneled
		#  EAP-MSCHAP-V2 as normal MSCHAPv2.
		#
		proxy_tunneled_request_as_eap = yes

		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
***************** inner-tunnel ***********
# -*- text -*-
######################################################################
#
#	This is a virtual server that handles *only* inner tunnel
#	requests for EAP-TTLS and PEAP types.
#
#	$Id$
#
######################################################################

server inner-tunnel {
authorize {
	suffix
	unix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files
	pap
	chap
	mschap
#	IPASS

#	ntdomain

	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
#	ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	#  Use the checkval module
#	checkval

	expiration
	logintime
}

#  Authentication.
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap
}

######################################################################
#
#	There are no accounting requests inside of EAP-TTLS or PEAP
#	tunnels.
#
######################################################################

#  Session database, used for checking Simultaneous-Use.  Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#  Note that we do NOT assign IP addresses here.
	#  If you try to assign IP addresses for EAP authentication types,
	#  it WILL NOT WORK.  You MUST use DHCP.

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  Post-Proxy-Type Fail {
	#		detail
	#  }
}

} # inner-tunnel server block
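The debug transcript in the post is long, but the decisive line sits in the middle of it: the inner-tunnel virtual server answers the tunneled identity with "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user", after which the outer PEAP session can only end in an Access-Reject. The script below is an added example, not code from the original post or from the FreeRADIUS project. It reads `radiusd -X` style output and prints, per request, the User-Name, the NAS address, the reply packet type and the first rejection reason, so the line that explains a failure can be found without reading the whole transcript. It assumes only the line shapes visible in the transcript above (`rad_recv:` headers, tab-indented attributes, `server inner-tunnel {` ... `} # server inner-tunnel`, `Sending Access-*` lines and the reject messages); the sample log embedded in it is constructed to mimic the transcript, not copied from it.

```python
"""Summarise FreeRADIUS 2.x 'radiusd -X' debug output per request.

Added example, not code from the original post or from the FreeRADIUS
project.  Assumes only the line formats seen in the transcript above and
runs on the constructed SAMPLE below.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')   # tab-indented attribute lines

# Substrings (taken from the transcript) of lines that explain a rejection.
REJECT_MARKERS = (
    "No authenticate method",
    "Tunneled authentication was rejected",
    "Handler failed",
    "Failed to authenticate",
)


@dataclass
class Request:
    packet_id: int
    nas: str
    attrs: Dict[str, str] = field(default_factory=dict)   # outer request attributes
    entered_inner: bool = False                            # went through inner-tunnel?
    reasons: List[str] = field(default_factory=list)       # reject explanations, in order
    reply: Optional[str] = None                            # Access-Challenge/Accept/Reject


def parse_debug(text: str) -> Dict[int, Request]:
    """Walk the debug output and collect one Request per rad_recv block."""
    requests: Dict[int, Request] = {}
    current: Optional[Request] = None
    in_inner = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RECV_RE.match(line)
        if m:  # a new packet starts a new record
            current = Request(packet_id=int(m.group(3)), nas=m.group(2))
            requests[current.packet_id] = current
            in_inner = False
            continue
        if current is None:
            continue
        if line.startswith("server inner-tunnel {"):
            in_inner = True
            current.entered_inner = True
            continue
        if line.startswith("} # server inner-tunnel"):
            in_inner = False
            continue
        # Only the outer request's attributes, and only before a reply was sent
        # (reply attributes follow the "Sending Access-*" line).
        m = ATTR_RE.match(line)
        if m and not in_inner and current.reply is None:
            current.attrs.setdefault(m.group(1), m.group(2))
            continue
        m = SEND_RE.match(line)
        if m and int(m.group(2)) == current.packet_id:
            current.reply = m.group(1)
            continue
        if any(marker in line for marker in REJECT_MARKERS):
            current.reasons.append(line.strip())
    return requests


def summarize(text: str) -> List[Tuple[int, Optional[str], str, Optional[str], Optional[str]]]:
    """One (id, User-Name, NAS, reply packet, first reject reason) tuple per request."""
    parsed = parse_debug(text)
    return [
        (pid, r.attrs.get("User-Name"), r.nas, r.reply, r.reasons[0] if r.reasons else None)
        for pid, r in sorted(parsed.items())
    ]


# Constructed sample modelled on the transcript above (hex payloads shortened).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
\tUser-Name = "deneme"
\tNAS-IP-Address = 10.1.1.252
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x0211002219001703
\tState = 0x56c2eb4850d3f233
+- entering group authorize {...}
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP/peap
[peap] Got tunneled request
\tEAP-Message = 0x0211000b0164656e656d65
server inner-tunnel {
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
\tEAP-Message = 0x0112002619001703
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=21, length=187
\tUser-Name = "deneme"
\tNAS-IP-Address = 10.1.1.252
\tEAP-Message = 0x0212002619001703
[peap] Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
\tEAP-Message = 0x04120004
"""

if __name__ == "__main__":
    for pid, user, nas, reply, reason in summarize(SAMPLE):
        print(f"id={pid} user={user} nas={nas} reply={reply} reason={reason}")
```

Run it against a saved `radiusd -X` transcript by replacing `SAMPLE` with the file's contents; the first reason reported for a request is the one to read, since the later "Failed to authenticate" and "Handler failed" lines are consequences of it.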