Re: PEAP problem - HELP PLEASE
Thanks everyone for your help. Yes Brian, you are right, I made a mistake when I wrote my users entry in the last mail! I wanted to say:

ourson User-password = testtest

In fact you're right about the =, which is better replaced by == here. But in reality, I didn't put any space in my user password. I tried to put this entry:

ourson User-Password == a
        Reply-Message = YSS, %u

With this, I thought that if authentication were bad, my reply message wouldn't appear, isn't that right? But in fact I still have the same error, but in the response I have my reply message! It's very strange. Here are my last logs:

rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, authentication failed.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [ourson/no User-Password attribute] (from client AP1 port 37 cli 000af49c507f)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 113 to 192.168.1.2:3186
Reply-Message = yeess
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 113 with timestamp 3fdf0ed2
Nothing to do. Sleeping until we see a request.

I really don't understand how radiusd can say "Identity does not match User-Name, authentication failed" and "[ourson/no User-Password attribute]"... It seems that no password is sent from my supplicant..?? I tried to do radtest from another unix machine and it works:

...
rad_recv: Access-Request packet from host 192.168.1.1:32769, id=85, length=58
User-Name = ourson
User-Password = a
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 6
rlm_realm: No '@' in User-Name = ourson, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
users: Matched ourson at 97
modcall[authorize]: module files returns ok for request 6
modcall[authorize]: module mschap returns noop for request 6
modcall: group authorize returns ok for request 6
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat: ' YSS, ourson'
Sending Access-Accept of id 85 to 192.168.1.1:32769
Reply-Message = YSS, ourson
Finished request 6
Going to the next request
--- Walking the entire request list ---
Cleaning up request 5 ID 170 with timestamp 3fdf22be
Waking up in 6 seconds...

I think that freeradius is well configured and it must be a Windows or Access Point problem, don't you think so? Please, if someone knows or just has an idea, tell me!!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
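A small linter for the users-file operator questions raised in this thread (= versus == in check items, and the unquoted comma in Reply-Message = YSS, %u). This is an added example, not FreeRADIUS code: it mirrors the "WARNING! Changing 'X =' to 'X =='" rewrite radiusd reports at startup, while the ':=' rule for Auth-Type and the User-Password-in-reply warning are the linter's own recommendations.

```python
import re

# A few server-internal attributes (not sent on the wire); the users file
# convention is ':=' for these in the check list, '==' for RADIUS attributes.
INTERNAL_ATTRS = {"Auth-Type", "Fall-Through", "Simultaneous-Use"}
ITEM_RE = re.compile(r"([\w-]+)\s*(==|:=|!=|=~|!~|=\*|!\*|<=|>=|<|>|=)\s*(.*)")


def split_items(text):
    """Split 'A op v, B op w' on commas that are not inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def parse_item(piece):
    m = ITEM_RE.fullmatch(piece)
    if not m:  # e.g. 'YSS, %u' unquoted: the comma splits it into two pieces
        raise ValueError(f"cannot parse item {piece!r}; quote values containing commas")
    return m.group(1), m.group(2), m.group(3).strip()


def lint_entry(entry):
    """Return (check_items, reply_items, warnings) for one users-file entry:
    first line = name + check items, indented lines = reply items."""
    lines = [ln for ln in entry.splitlines() if ln.strip()]
    head = lines[0].split(None, 1)
    name, rest = head[0], head[1] if len(head) > 1 else ""
    warnings, check, reply = [], [], []
    for attr, op, val in map(parse_item, split_items(rest)):
        if op == "=" and attr in INTERNAL_ATTRS:
            warnings.append(f"{attr} = in check list for {name}: use ':=' to set it")
            op = ":="
        elif op == "=":  # same rewrite radiusd reports as "WARNING! Changing"
            warnings.append(f"Changing '{attr} =' to '{attr} ==' in check list for {name}")
            op = "=="
        check.append((attr, op, val))
    for cont in lines[1:]:
        if not cont[0].isspace():
            raise ValueError(f"reply items must be indented: {cont!r}")
        for attr, op, val in map(parse_item, split_items(cont)):
            if attr == "User-Password":  # a reply item is sent back, never compared
                warnings.append(f"User-Password in reply list for {name} does not authenticate")
            reply.append((attr, op, val))
    return check, reply, warnings
```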
Re: PEAP problem - HELP PLEASE
Hi Alan! Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file:

ourson User-Password = testtest

and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand, because the same error message appears even if I change the users file like I showed you before. I am asking myself which options must be set on the MS-CHAP module (in radiusd.conf)? I didn't change any options on the MS-CHAP module (use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to set these options = yes, but I had the same results.) If you have any idea about what is wrong with my configuration, please tell me! Here are my logs from the beginning, when freeradius is launched:

+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /sauv-certif/cert/new/serveur6.pem
tls: certificate_file = /sauv-certif/cert/new/serveur6.pem
tls: CA_file = /sauv-certif/cert/new/root.pem
tls: private_key_password = saucisson
tls: dh_file = /sauv-certif/cert/new/dh
tls: random_file = /sauv-certif/cert/new/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
[/usr/local/etc/raddb/users]:156 WARNING! Changing
PEAP problem - HELP PLEASE
Hello everybody! I am trying to make a secure wireless access using PEAP, but I have a problem during authentication. I had successfully configured the TLS module, and all worked fine. But when I want to have a PEAP authentication, there is a problem. Could someone try to look at my log and tell me where my problem is? It would be great! Another point is the configuration of the users file for PEAP. I've read the list but nobody gave a real answer to this question.. how does this file have to be configured?? I tried:

username Auth-type := EAP, User-password == xxx

or

username Auth-type := Local, User-password == xxx

or ... I don't really know which syntax is right for PEAP authentication.. maybe my problem is here? Thank you for your help! Here are my logs:

...
auth: type EAP
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: Identity - NOMADE\ourson
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
PEAP: Got tunneled identity of NOMADE\ourson
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = NOMADE\\ourson
modcall: entering group authorize for request 15
modcall[authorize]: module preprocess returns ok for request 15
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module auth_log returns ok for request 15
rlm_eap: EAP packet type response id 129 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 15
rlm_realm: No '@' in User-Name = NOMADE\ourson, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 15
modcall[authorize]: module files returns notfound for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 15
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x
State = 0xc2efbd051aa877ec625ee103a4a76b76
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message = 0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250
User-Name = NOMADE\\ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
modcall[authorize]: module preprocess returns ok for request 16
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module auth_log returns ok for request 16
rlm_eap: EAP packet type response id 130 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Re: Compilation Problem using EAP/TLS
Hello, your snapshot version of freeradius isn't the one mentioned in the HOWTO, and the syntax is different in this new version! I had the same problem as you, and I tested with the snapshot from the HOWTO. If you use it, you will see that your errors disappear and your TLS tunnel will work. But I would be very interested in which syntax and options could be used for the new snapshots?? Of course it's not those in the HOWTO, because I tried so many times without results! Does someone know about it?

(RedHat 6.2) Using the CVS snapshot from 20031208, I configured the MakeFile file in src/modules/rlm_eap/types/rlm_eap_tls to match the documentation provided by Raymond McKay at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7. Nothing existed in the MakeFile when I accessed it with pico. The current text is:

TARGET = rlm_eap_tls
SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
HEADERS = eap_tls.h
RLM_INSTALL =
RLM_LDFLAGS += -L/usr/local/openssl/lib
RLM_LIBS += -lssl -lcrypto
$(STATIC_OBJS): $(HEADERS)
$(DYNAMIC_OBJS): $(HEADERS)
RLM_DIR=../../
include ${RLM_DIR}../rules.mak

I have triple checked that the directories provided (/usr/local/openssl/include and lib) are the valid paths to the openssl-SNAP installation. Upon building freeRADIUS, however, when the MakeFile is reached, errors occur and the process aborts. I have installed freeRADIUS on this machine previously and am planning on installing right over the top of the 0.9.3 build so I can use PEAP/MSCHAPv2. Any ideas why this is failing? One other tidbit: Raymond's HOWTO has one check on installation of openssl-SNAP-20021027 that libssl.so and libssl.so.0 are sym linked to libssl.so.0.9.8 and that libcrypto.so and libcrypto.so.0 are sym linked to libcrypto.so.0.9.8. What is sym linked? Libcrypto.so.0.9.8 and libssl.so.0.9.8 exist, but libssl.so, libssl.so.0, libcrypto.so, and libcrypto.so.0 are not contained within /lib.

Perhaps this is my problem? Thanks, Justin
Problem with EAP-TLS authentication
Hello, I am trying to configure a wireless network using authentication with Freeradius. I have already configured one client, my access point (Cisco Aironet), and my freeradius server to use TLS authentication. I took the EAP/TLS authentication HOW-TO and tried to do exactly what was said inside (with the version of freeradius referenced there and the 3 versions of openssl). But it seems that I made a mistake somewhere; my authentication doesn't work! I tried to understand, and it seems to be related to SSL. I caught just a little part of my logs, in order to show you. If someone could tell me where I made a mistake, it would be great! Thank you for your help!

---
...
TLS 1.0 Handshake [length 02af], Certificate
chain-depth=1, error=0
-- User-Name = ourson
-- BUF-Name = server1
-- subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
chain-depth=0, error=0
-- User-Name = ourson
-- BUF-Name = ourson
-- subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
-- issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
-- verify return:1
TLS_accept: SSLv3 read client certificate A
TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
TLS 1.0 ChangeCipherSpec [length 0001]
TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is . 2
SSL Error . 2
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Login OK: [ourson/no User-Password attribute] (from client AP1 port 37 cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
EAP-Message = \001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000 \253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257ZJ\266\211\315\226\243V\221\246\274\345\375
Message-Authenticator = 0x
State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119, length=208
User-Name = ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = \002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276y/\013\246\271\370\242tM]R
Message-Authenticator = 0x6d785533c66ebb2b4d456cefd2121d94
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = ourson, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched ourson at 157
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
20083:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
Error code is . 6
SSL Error . 6
rlm_eap_tls: BIO_read Error
Error code is . 5
Error in SSL . 5
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Login OK: [ourson/no User-Password attribute] (from client AP1 port 37 cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
EAP-Message = \004\254\000\004
Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request
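The EAP-Message values in the PEAP log earlier on this page (hex form, 0x...) and in this EAP-TLS log (the \ooo escaped-string form) can be read with the decoder below. It is an added example, not code from FreeRADIUS or from either poster; the sample inputs in its checks are copied from these logs, the type names for 1, 13, 25 and 26 are the standard EAP method numbers, and the "note" field flags a value whose byte count does not match its own length field (the archive may have clipped it).

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def unescape(value):
    """Bytes of an attribute value as radiusd -X prints it: '0x..' hex, or the
    escaped string form (backslash doubled, \\r \\n \\t, \\ooo for other bytes)."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and value[i + 1:i + 2] in ("r", "n", "t", "\\"):
            out.append({"r": 13, "n": 10, "t": 9, "\\": 92}[value[i + 1]])
            i += 2
        elif value[i] == "\\" and re.fullmatch(r"[0-7]{3}", value[i + 1:i + 4]):
            out.append(int(value[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(value[i]))
            i += 1
    return bytes(out)


def decode_eap(value):
    """Parse one EAP packet: code, id, length, then the type-specific payload."""
    raw = unescape(value)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(raw):  # the console or the list archive clipped the value
        info["note"] = f"length field says {length}, {len(raw)} bytes present"
    if code in (3, 4) or len(raw) < 5:  # Success/Failure carry no type byte
        return info
    eap_type, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:  # Identity: the payload is the bare NAI the supplicant sent
        info["identity"] = data.decode("ascii", "replace")
    elif eap_type in (13, 25):  # EAP-TLS / PEAP: flags, [4-byte length], TLS records
        flags, pos = data[0], 1
        info["length_included"] = bool(flags & 0x80)
        if flags & 0x80 and len(data) >= 5:
            info["tls_total_len"] = struct.unpack("!I", data[1:5])[0]
            pos = 5
        records = []
        while pos + 5 <= len(data):  # walk the TLS record headers in this fragment
            ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
            records.append((TLS_CONTENT.get(ctype, ctype), f"{major}.{minor}", rlen))
            pos += 5 + rlen
        info["tls_records"] = records
    elif eap_type == 26:  # MS-CHAPv2: OpCode, ID, MS-Length, Value-Size, Challenge, Name
        opcode, _ms_id, _ms_len, vsize = struct.unpack("!BBHB", data[:5])
        if opcode == 1:  # Challenge
            info["challenge"] = data[5:5 + vsize].hex()
            info["name"] = data[5 + vsize:].decode("ascii", "replace")
    return info
```

Decoding the tunneled identity this way shows the supplicant sent NOMADE\ourson, which is the string the inner request's User-Name carries and the users file has to match.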