Re: PEAP problem - HELP PLEASE

2003-12-17 Thread garelli
Thanks everyone for your help,
Yes Brian, you are right, I made a mistake when I wrote my users entry in
the last mail! I wanted to say:

ourson User-password = testtest

In fact you're right about the =, which is better replaced by == here.
But in reality, I didn't put any space in my user password.
I tried to put this entry:

ourson  User-Password == a
Reply-Message =  YSS, %u

With this, I thought that if authentication were bad, my reply message
wouldn't appear, isn't that right?
But in fact I still have the same error, and in the response I have my
reply message! It's very strange.
Here are my latest logs:


 rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, authentication failed.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [ourson/no User-Password attribute] (from client AP1
port 37 cli 000af49c507f)Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 113 to 192.168.1.2:3186
Reply-Message =  yeess
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 113 with timestamp 3fdf0ed2
Nothing to do.  Sleeping until we see a request.

I really don't understand how radiusd can say "Identity does not match
User-Name, authentication failed" and "[ourson/no User-Password
attribute]"... It seems that no password is sent from my supplicant..??

I tried radtest from another Unix machine and it works:

...
rad_recv: Access-Request packet from host 192.168.1.1:32769, id=85, length=58
User-Name = ourson
User-Password = a
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 6
rlm_realm: No '@' in User-Name = ourson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 6
users: Matched ourson at 97
  modcall[authorize]: module files returns ok for request 6
  modcall[authorize]: module mschap returns noop for request 6
modcall: group authorize returns ok for request 6
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  ' YSS, ourson'
Sending Access-Accept of id 85 to 192.168.1.1:32769
Reply-Message =  YSS, ourson
Finished request 6
Going to the next request
--- Walking the entire request list ---
Cleaning up request 5 ID 170 with timestamp 3fdf22be
Waking up in 6 seconds...

I think that FreeRADIUS is well configured and it must be a Windows or
access point problem, don't you think so?
Please, if someone knows or just has an idea, tell me!!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP problem - HELP PLEASE

2003-12-16 Thread garelli
Hi Alan!
Thanks for your help.
I did what you told me, but it seems that it wasn't the only error I made...
I put in the users file:

ourson  User-Password =  testtest

and my user on the XP supplicant is also the same, but authentication is
still impossible! I really don't understand because the same error message
appears even if I change the users file like I showed you before.
I am wondering which options must be set on the MS-CHAP module
(in radiusd.conf)?
I didn't change any options in the MS-CHAP module (use_mppe,
require_encryption, require_strong with a # before), but is it necessary??
(I quickly tried setting these options = yes, but I had the same results.)
If you have any idea about what is wrong with my configuration, please
tell me! Here is my log, starting from when FreeRADIUS is launched:


+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /sauv-certif/cert/new/serveur6.pem
tls: certificate_file = /sauv-certif/cert/new/serveur6.pem
 tls: CA_file = /sauv-certif/cert/new/root.pem
 tls: private_key_password = saucisson
 tls: dh_file = /sauv-certif/cert/new/dh
 tls: random_file = /sauv-certif/cert/new/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
[/usr/local/etc/raddb/users]:156 WARNING! Changing 

PEAP problem - HELP PLEASE

2003-12-15 Thread garelli
Hello everybody!
I am trying to make a secure wireless access using PEAP, but I have a
problem during authentication.
I had successfully configured the TLS module, and all works fine.
But when I want to have a PEAP authentication, there is a problem.
In fact, could someone try to look at my log and tell me where my
problem is? It would be great!
Another point is the configuration of the users file for PEAP. I've read
the list but nobody gave a real answer to this question: how does this file
have to be configured?? I tried:
username Auth-type := EAP , User-password ==  xxx
or
username Auth-type := Local , User-password ==  xxx
or ...
I don't really know which syntax is right for PEAP
authentication... maybe my problem is here?
Thank you for your help!

Here are my logs:

...
auth: type EAP
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled
attributes.

  rlm_eap_peap: Identity - NOMADE\ourson
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
  PEAP: Got tunneled identity of NOMADE\ourson
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = NOMADE\\ourson
modcall: entering group authorize for request 15
  modcall[authorize]: module preprocess returns ok for request 15
radius_xlat: 
'/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
  modcall[authorize]: module auth_log returns ok for request 15
  rlm_eap: EAP packet type response id 129 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 15
rlm_realm: No '@' in User-Name = NOMADE\ourson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 15
  modcall[authorize]: module files returns notfound for request 15
modcall: group authorize returns updated for request 15
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 15
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x
State = 0xc2efbd051aa877ec625ee103a4a76b76
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message =
0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159,
length=250
User-Name = NOMADE\\ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
  modcall[authorize]: module preprocess returns ok for request 16
radius_xlat: 
'/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
  modcall[authorize]: module auth_log returns ok for request 16
  rlm_eap: EAP packet type response id 130 length 88
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
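As an added illustration (editor's example, not code from this thread or from FreeRADIUS), the decoder below parses the three EAP-Message values printed verbatim in the PEAP log above, and serves the Dec 17 post as well: the "Identity does not match User-Name" message there is the server comparing the outer User-Name attribute with the Identity field decoded here. The inner identity the XP supplicant sends is NOMADE\ourson, not ourson, which is consistent with `files` returning notfound for the tunneled request while the users file holds a plain ourson entry; strip_nt_domain mirrors what the preprocess module's with_ntdomain_hack (shown as `no` in the Dec 16 startup log) does to User-Name, and applying it is my assumption about the fix, not something the thread confirms.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# The three EAP-Message values quoted verbatim from the PEAP debug log above.
INNER_IDENTITY = "0x02810012014e4f4d4144455c6f7572736f6e"
INNER_CHALLENGE = ("0x018200271a01820022104c50168820c00ade9de928725f57b296"
                   "4e4f4d4144455c6f7572736f6e")
OUTER_PEAP = ("0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0"
              "eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f")


def decode_eap(hexstr):
    """Parse one EAP packet: RFC 3748 header, then the type-specific body."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field %d but %d bytes present" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):                 # Success/Failure have no type field
        return out
    eap_type, body = pkt[4], pkt[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                      # Identity: the NAI the supplicant sent
        out["identity"] = body.decode("ascii")
    elif eap_type == 26:                   # EAP-MSCHAPv2: op, id, length, value-size
        opcode, ms_id, ms_len, vsize = struct.unpack("!BBHB", body[:5])
        out.update(opcode=MSCHAP_OPS.get(opcode, opcode), ms_id=ms_id, ms_len=ms_len)
        if opcode == 1:                    # Challenge: 16-byte value, then server name
            out["challenge"] = body[5:5 + vsize].hex()
            out["name"] = body[5 + vsize:].decode("ascii")
    elif eap_type in (13, 25):             # EAP-TLS / PEAP: flags byte, then TLS data
        flags, tls = body[0], body[1:]
        out["flags"] = flags
        if flags & 0x80:                   # L bit: 4-byte total TLS length follows
            out["tls_total_length"], tls = struct.unpack("!I", tls[:4])[0], tls[4:]
        if len(tls) >= 5:                  # first TLS record header, if any
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
            out["tls_record"] = {"content": TLS_CONTENT.get(ctype, ctype),
                                 "version": (vmaj, vmin), "length": rlen}
    return out


def strip_nt_domain(identity):
    """Drop a leading 'DOMAIN\\' the way preprocess's with_ntdomain_hack does."""
    return identity.split("\\", 1)[1] if "\\" in identity else identity


if __name__ == "__main__":
    for h in (INNER_IDENTITY, INNER_CHALLENGE, OUTER_PEAP):
        print(decode_eap(h))
    name = decode_eap(INNER_IDENTITY)["identity"]
    print("users-file key if the domain prefix were stripped:", strip_nt_domain(name))
```

The outer PEAP packet decodes to a TLS 1.0 ApplicationData record, so the AP only ever sees ciphertext; the identity and MS-CHAPv2 challenge are visible only after the server has decrypted the tunnel.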

Re: Compilation Problem using EAP/TLS

2003-12-10 Thread garelli
Hello,
your snapshot version of FreeRADIUS isn't the one that is mentioned in the
HOWTO, and the syntax is different in this new version! I had the same
problem as you, and I tested with the snapshot from the HOWTO. If you use
it, you will see that your errors will disappear and your TLS tunnel will
work.
But I would be very interested in which syntax and options could be
used for new snapshots?? Of course it's not those in the HOWTO because
I tried so many times without results! Does someone know about it?

 (RedHat 6.2) Using the CVS snapshot from 20031208, I configured the
 MakeFile file in src/modules/rlm_eap/types/rlm_eap_tls to match the
 documentation provided by Raymond McKay at
 http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7.  Nothing
 existed in the MakeFile when I accessed it with pico.  The current text
 is:

 TARGET = rlm_eap_tls
 SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
 RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
 HEADERS = eap_tls.h
 RLM_INSTALL =
 RLM_LDFLAGS += -L/usr/local/openssl/lib

 RLM_LIBS += -lssl -lcrypto

 $(STATIC_OBJS): $(HEADERS)
 $(DYNAMIC_OBJS): $(HEADERS)

 RLM_DIR=../../
 include ${RLM_DIR}../rules.mak


 I have triple checked that the directories provided
 (/usr/local/openssl/include and lib) are the valid paths to the
 openssl-SNAP installation.  Upon building freeRADIUS, however, when the
 MakeFile is reached, errors occur and the process aborts.

 I have installed freeRADIUS on this machine previously and am planning
 on installing right over the top of the 0.9.3 build so I can use
 PEAP/MSCHAPv2.  Any ideas why this is failing?

 One other tidbit:  Raymond's HOWTO has one check on installation of
 openssl-SNAP-20021027 that libssl.so and libssl.so.0 are symlinked to
 libssl.so.0.9.8 and that libcrypto.so and libcrypto.so.0 are symlinked to
 libcrypto.so.0.9.8. What is symlinked?  Libcrypto.so.0.9.8 and
 libssl.so.0.9.8 exist, but libssl.so, libssl.so.0, libcrypto.so, and
 libcrypto.so.0 are not contained within /lib.

 Perhaps this is my problem?

 Thanks,
 Justin



Problem with EAP-TLS authentication

2003-12-08 Thread garelli
Hello,
I am trying to configure a wireless communication network using
authentication with FreeRADIUS.
I have already configured one client, my access point (Cisco Aironet), and
my FreeRADIUS server to use TLS authentication.
I took the EAP/TLS authentication HOW-TO, and I tried to do exactly what
was said inside (with the version of FreeRADIUS referenced there and
the 3 versions of OpenSSL).
But it seems that I made a mistake somewhere; my authentication doesn't work!
I tried to understand and it seems to be related to SSL. I caught just
a little part of my logs, in order to show you.
If someone could tell me where I made a mistake, it would be great! Thank
you for your help!
---
...

 TLS 1.0 Handshake [length 02af], Certificate

chain-depth=1,
error=0
-- User-Name = ourson
-- BUF-Name = server1
-- subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
chain-depth=0,
error=0
-- User-Name = ourson
-- BUF-Name = ourson
-- subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
-- issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
TLS_accept: SSLv3 read client certificate A
 TLS 1.0 Handshake [length 0086], ClientKeyExchange

TLS_accept: SSLv3 read client key exchange A
 TLS 1.0 Handshake [length 0086], CertificateVerify

TLS_accept: SSLv3 read certificate verify A
 TLS 1.0 ChangeCipherSpec [length 0001]

 TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 read finished A
 TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
 TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
 Error code is . 2
 SSL Error . 2
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Login OK: [ourson/no User-Password attribute] (from client AP1 port 37
cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
EAP-Message =
\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000
\253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257ZJ\266\211\315\226\243V\221\246\274\345\375
Message-Authenticator = 0x
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119,
length=208
User-Name = ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276y/\013\246\271\370\242tM]R
Message-Authenticator = 0x6d785533c66ebb2b4d456cefd2121d94
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module eap returns updated
  rlm_realm: No '@' in User-Name = ourson, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
  users: Matched ourson at 157
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
 TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
20083:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access
denied:s3_pkt.c:1037:SSL alert number 49
 Error code is . 6
 SSL Error . 6
rlm_eap_tls: BIO_read Error
 Error code is . 5
 Error in SSL . 5
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Login OK: [ourson/no User-Password attribute] (from client AP1 port 37
cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
EAP-Message = \004\254\000\004
Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request
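The verify-callback and alert lines from the EAP-TLS log above, parsed as an added example (editor's code, not from the thread or from FreeRADIUS). It reports that the server's own check of the chain it received passed at both depths and that the handshake completed on the server side, while the fatal access_denied alert was read from the peer, so the supplicant is the side that refused; the RFC 2246 meaning of alert 49 is included as a lookup, and the LOG constant is copied from the post's log lines.

```python
import re

# RFC 2246 7.2: access_denied(49): the peer received a valid certificate but declined to continue.
ALERT_MEANING = {"access denied": "peer accepted the certificate as valid but refused to proceed (49)"}

# Constructed from the verify-callback and alert lines quoted in the post.
LOG = """\
chain-depth=1,
-- subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
chain-depth=0,
-- subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
-- issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
undefined: SSL negotiation finished successfully
TLS Alert read:fatal:access denied
"""

def parse_dn(dn):
    """'/C=FR/.../CN=server1/...' -> {'C': 'FR', ..., 'CN': 'server1'} (parts without '=' skipped)."""
    return dict(p.split("=", 1) for p in dn.strip().split("/") if "=" in p)

def parse_tls_log(text):
    """Return (chain sorted root-first, alerts the server read, handshake_done)."""
    chain, alerts, cur, pending, done = [], [], None, None, False
    for line in (l.rstrip() for l in text.splitlines()):
        m = re.match(r"chain-depth=(\d+),", line)
        if m:
            cur = {"depth": int(m.group(1))}
            chain.append(cur)
        elif cur is not None and line.startswith("-- verify return:"):
            cur["verify_ok"] = line.endswith(":1")
        elif re.match(r"-- (subject|issuer)\s*=$", line):
            pending = line.split()[1]       # the DN itself is on the next line
        elif pending and line.startswith("/"):
            cur[pending], pending = parse_dn(line), None
        elif "Alert read:" in line:         # "read": the peer sent it to this server
            alerts.append(line.split("Alert read:", 1)[1].lower())
        elif "negotiation finished successfully" in line:
            done = True
    return sorted(chain, key=lambda c: -c["depth"]), alerts, done

def diagnose(text):
    """Summarise what the server verified and which side ended the handshake."""
    chain, alerts, done = parse_tls_log(text)
    root, leaf = chain[0], chain[-1]
    alert = alerts[-1].split(":", 1) if alerts else None   # e.g. ["fatal", "access denied"]
    return {"root_cn": root["subject"]["CN"], "leaf_cn": leaf["subject"]["CN"],
            "root_self_signed": root["subject"] == root["issuer"],
            "chain_links_ok": all(chain[i + 1]["issuer"] == chain[i]["subject"]
                                  for i in range(len(chain) - 1)),
            "server_accepted_peer_cert": all(c.get("verify_ok") for c in chain),
            "server_handshake_done": done,
            "peer_alert": alert and (alert[0], alert[1], ALERT_MEANING.get(alert[1], "see RFC 2246 7.2"))}
```

For this log the summary is a self-signed server1 root that also issued the ourson client certificate, accepted by the server, followed by a fatal access_denied read from the supplicant; the next place to look is therefore the client's own trust settings for the server certificate, not the server's verification of the client.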