Wireless WPA2 enterprise Radius authentication

balaram velega satyabalaram at gmail.com
Fri Oct 29 03:37:57 CEST 2010


I am using free-radius version 2.10

I am trying to get the server statistics to be displayed for number of
access-requests, responses etc:


echo "Message-Authenticator = 0x00,FreeRADIUS-Statistics-Type = 1" |
radclient localhost:18120 status testing5

but it's only printing the “access accept”

I have seen the following example but somehow it doesn’t work on my setup,
is this some bug or some configuration issue? Can you please help?

Asking with radclient
The next step is to ask the status server questions about the state of the
server. There are some hints in the manual page of the radclient program and
the configuration file of the status server itself. Combining both
information you can ask i.e. about all authentication packet to and from the
server:
# echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | \
radclient localhost:18120 status adminsecret
Received response ID 180, code 2, length = 140
  FreeRADIUS-Total-Access-Requests = 3
  FreeRADIUS-Total-Access-Accepts = 1
  FreeRADIUS-Total-Access-Rejects = 0
  FreeRADIUS-Total-Access-Challenges = 0
  FreeRADIUS-Total-Auth-Responses = 1
  FreeRADIUS-Total-Auth-Duplicate-Requests = 0
  FreeRADIUS-Total-Auth-Malformed-Requests = 0
  FreeRADIUS-Total-Auth-Invalid-Requests = 0
  FreeRADIUS-Total-Auth-Dropped-Requests = 3
  FreeRADIUS-Total-Auth-Unknown-Types = 0
http://wiki.freeradius.org/Status


On Thu, Oct 28, 2010 at 6:28 PM, Maurice James <midnightsteel at msn.com> wrote:

> Working settings
> I will be stating the changes from the default settings that I made to get
> it to work. All file names are followed by a colon :
>
>
> <<<<< = notes changes
>
>
>
> ****First you must have your ldap server store password in clear text. They
> CANNOT be hashed in any way****
> eap.conf:
> default_eap_type = peap  <<<<<
>
>
> ldap.attrmap:
> checkItem       Cleartext-Password              userPassword   <<<<< (this
> entire line was added to the top of the list)
>
>
>
> inner-tunnel:
> #  The ldap module will set Auth-Type to LDAP if it has not
> #  already been set
> ldap <<<<<(this must be uncommented)
>
>
> ldap:
> ldap {
>        #
>        #  Note that this needs to match the name in the LDAP
>        #  server certificate, if you're using ldaps.
>        server = "xxx.xxx.xxx" <<<<<(your ldap server)
>        identity = "uid=xxx,ou=xxx,ou=TopologyManagement,o=xxx" <<<<<(your
> ldap admin user)
>        password = xxxxx <<<<<(your ldap admin password)
>        basedn = "dc=xxx,dc=xxx" <<<<<(your base dn)
>        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>
>
>
>
>
> mschap:
> use_mppe = yes<<<<<(not sure if this is needed but I changed it from no to
> yes)
> with_ntdomain_hack = yes<<<<<(not sure if this is needed but I changed it
> from no to yes)
>
>
>
> default:
> #  The ldap module will set Auth-Type to LDAP if it has not
> #  already been set
> ldap<<<<<(uncomment)
>
>
>
> These are all of the settings that I changed to get Windows 7/Vista x64 >
> WPA2 > freeradius > 389-DS(Fedora Directory Server) to work
>
> -----Original Message-----
> From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
> On Behalf Of Maurice James
> Sent: Thursday, October 28, 2010 4:37 PM
> To: 'FreeRadius users mailing list'
> Subject: RE: Wireless WPA2 enterprise Radius authentication
>
> OK gentlemen,
>          After many sleepless nights I finally got it working. I was almost
> in tears (lol) but it's done. Full authentication and authorization for a
> mix of Windows7 x64/Vista x64 clients using WPA2 Enterprise, Freeradius,
> 389-DS(Fedora Directory Services). I will post the configs in a follow-up
> email.
>
> Special thanks to the following
> John Dennis
> Sven Hartge
> Phil Mayers
>
> Thanks guys
>
>
>
> MCITP Enterprise + Server
>  GIAC Security Leadership Certification (GSLC)
>
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
> On Behalf Of John Dennis
> Sent: Wednesday, October 27, 2010 8:54 PM
> To: FreeRadius users mailing list
> Subject: Re: Wireless WPA2 enterprise Radius authentication
>
> On 10/27/2010 07:56 PM, Maurice James wrote:
> > I will give it another try. I've been trying for the last hour to get
> > the clear text password policy to stick to a user. Every time I run
> > the radius debug I see hashed value passed from LDAP. I have to search
> > online for the instructions on how to get 389-ds server to use clear
> > text. Thanks for all the help and advice all. This is one of the most
> > responsive lists that I have ever been a member of
>
> 389-ds has most all the features I mentioned. The Administrators Guide is
> your friend.
>
> 389-ds doc can be found here:
>
> http://directory.fedoraproject.org/wiki/Documentation#389_Documentation
>
> The Administrators Guide can be found here:
>
> http://www.redhat.com/docs/manuals/dir-server
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
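
An added example, not part of the original messages or of FreeRADIUS: a shell function that parses a status reply in the format quoted in the first message and flags dropped authentication requests. The function names, the threshold argument and the verdict words are assumptions; the sample reply is constructed from the counters shown above.

```shell
#!/bin/sh
# Constructed sample input: a reply in the format quoted from the wiki above.
sample_reply() {
cat <<'EOF'
Received response ID 180, code 2, length = 140
  FreeRADIUS-Total-Access-Requests = 3
  FreeRADIUS-Total-Access-Accepts = 1
  FreeRADIUS-Total-Access-Rejects = 0
  FreeRADIUS-Total-Auth-Dropped-Requests = 3
EOF
}

# summarize_status MAX_DROPPED   (hypothetical helper name)
# Reads radclient output on stdin and prints one verdict line:
#   no-reply   the input has no "Received response" line
#   no-stats   a reply arrived but carries no FreeRADIUS-Total-* counters
#   ok|alert   counters parsed; "alert" when dropped requests exceed MAX_DROPPED
summarize_status() {
  awk -v max="${1:-0}" '
    /^Received response/ { got = 1 }
    # Counter lines look like "  FreeRADIUS-Total-Access-Requests = 3"
    $1 ~ /^FreeRADIUS-Total-/ && $2 == "=" { v[$1] = $3 + 0; n++ }
    END {
      if (!got)   { print "no-reply"; exit }
      if (n == 0) { print "no-stats"; exit }
      d = v["FreeRADIUS-Total-Auth-Dropped-Requests"]
      printf "%s requests=%d accepts=%d rejects=%d dropped=%d\n",
        (d > max ? "alert" : "ok"),
        v["FreeRADIUS-Total-Access-Requests"],
        v["FreeRADIUS-Total-Access-Accepts"],
        v["FreeRADIUS-Total-Access-Rejects"], d
    }'
}

# Offline demonstration on the constructed sample.
sample_reply | summarize_status 0

# Against a live status listener, feed it the command from the message:
#   echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | \
#     radclient localhost:18120 status adminsecret | summarize_status 0
```

A `no-stats` verdict corresponds to the symptom reported in the first message, where a reply comes back without any counters.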