"[eap] = reject" after "Calling eap_md5 to process EAP data"
Kris Armstrong
kris.armstrong at me.com
Tue Jul 7 22:23:07 CEST 2015
Ok I see that. I assume the username is coming from this portion of the client.cnf?
[client]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = user at example.com
commonName = user at example.com
I would have expected FR3 to ignore UserID/PWD when using EAP/TLS Certificates??? if it doesn’t do I have to create a username for each client cert?
Or is there a conf file that I need to modify to work with EAP/TLS?
> On Jul 7, 2015, at 2:07 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jul 6, 2015, at 1:56 PM, Zeus Panchenko <zeus at ibs.dn.ua> wrote:
>> I am trying to configure MAC auth by implementing EAP/MD5 as it is described here:
>> http://wiki.freeradius.org/modules/Rlm_eap#My-Userbase-is-in-LDAP-and-I-want-to-use-EAP-MD5-authentication
>>
>> FR v.3.0.8 is on FreeBSD 10.1R
>> supplicant is on FreeBSD 10.1R connected (by wire) to FR wia switch
>>
>> but something is wrong and I can not understand what ... please help me to see what I do not see ...
>
> You edited the default configuration and broke it. Don't do that.
>
>> as backend I have LDAP and in it, userPassword format is Cleartext-Password (for the sample from the debug bellow it is `00-25-90-D9-76-2C'
>>
>> as I understand from the debug bellow, I successfully pass authorization but fail to authenticate against eap_md5 ...
>>
>> why?
>
> Because you deleted the "pap" module from the "authorize" section. It should be listed last there. It takes care of normalizing passwords. In this case, turning Password-With-Header into Cleartext-Password.
>
>> ---[ quotation start ]-------------------------------------------
>> Mon Jul 6 20:27:36 2015 : Debug: (0) Received Access-Request Id 200 from 192.168.0.1:49205 to 192.168.0.254:1812 length 137
>
> PLEASE just post "radiusd -X". This is what is requested in the FAQ, "man" pages, and daily on this list. Adding extra debug information doesn't help in most cases. Here, it just makes the problem harder to spot.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list