I have read and done what the EAP/MD5 FAQ says but unfortunately it did not worked. Next I tried all other combinations again not worked. So I started from the beginning again not worked. I am in trouble, I guess we need an update for the FAQ!!
Below are the simplified users,radius.conf and "radiusd -X" output file....
Regards,
Tamer
Users File:
*****************************************************************************\
[root@radius raddb]# cat users
#
bob Auth-Type := Local, User-Password = "hello"
DEFAULT Auth-Type := System
Fall-Through = 1
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
# On no match, the user is denied access.
*****************************************************************************
Radius.conf file:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@radius raddb]# cat radiusd.conf
# request. See 'doc/variables.txt' for more information.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
# default_eap_type = md5
# timer_expire = 60
md5 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
tls_mode = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
}
instantiate {
expr
}
authorize {
preprocess
files
eap
}
authenticate {
eap
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail
# counter
unix # wtmp file
radutmp
# sradutmp
}
session {
radutmp
# sql
}
post-auth {
# Get an address from the IP Pool.
#main_pool
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Output:
******************************************************************************
[root@radius raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
[/usr/local/etc/raddb/users]:2 WARNING! Changing 'User-Password =' to 'User-Password ==' ?for comparing RADIUS attribute in check item list for user bob
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
**********************************************************************rad_recv: Access-Request packet from host 192.168.91.102:192, id=1, length=110
User-Name = "bob"
NAS-IP-Address = 192.168.91.102
Called-Station-Id = "00022d034186"
Calling-Station-Id = "00022d176e31"
NAS-Identifier = "Orinoco 2"
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
EAP-Message = "\002\001\000\010\001bob"
Message-Authenticator = 0x5e92e3b76a8cdda96c86e7f5a0759f5f
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched bob at 2
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [bob/<no User-Password attribute>] (from client AP102 port 0 cli 00022d176e31)
Sending Access-Challenge of id 1 to 192.168.91.102:192
EAP-Message = "\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe70a7e23ec5636d88fdcd2041a5c50ad5de1ec3d7d399bf7817221bdb074a18416ece725
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3dece15d
Nothing to do. Sleeping until we see a request.
******************************************************************************
At 18:44 02.12.2002, you wrote:
hi tamer
read the EAP/MD5 FAQ.
the solution: get rid of the Reply-Message incuded by xlat in the
Challenge.
and by the way what's all this mess with the Framed-MTU?
greetings
artur
Tamer Demir wrote:
>
> After the radius server send the challenge, XP does not send respond and
> stays in the authentication state. Do you know any solution?
>
> I am doing both MAC address and user authantication, The Windows XP asks a
> user name and password when I wrote this, XP is stucks at authenticating
> state!!!!! (In the XP ptions I chosed MD5 challenge...)
>
> Config files:
>
> users:
> ******************************
> #my user
> tamer Auth-Type := EAP, User-Password = "demir"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Routing = Broadcast-Listen,
> Framed-MTU = 1750,
> Framed-Compression = Van-Jacobsen-TCP-IP
>
> #Orinoco Card Cisca
> 00022d-034186 Auth-Type := Local, User-Password == "secret"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Routing = Broadcast-Listen,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobsen-TCP-IP
> ******************************
>
> radius.conf:
> ******************************
> user = root
> group = root
> modules {
> unix {
> cache = yes
> cache_reload = 600
> passwd = /etc/passwd
> shadow = /etc/shadow
> group = /etc/group
> radwtmp = ${logdir}/radwtmp
> }
> eap {
> #default_eap_type = md5
> # Supported EAP-types
> md5 {
> }
> ......
> }
> authorize {
> eap
> preprocess
> files
> suffix
> }
> authenticate {
> eap
> unix
> }
> accounting {
> detail
> unix
> radutmp
>
> }
> session {
> radutmp
> }
> ******************************
>
> Output:
>
> *****************************
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "root"
> main: group = "root"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: servers_per_realm = 15
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> rlm_eap: Loaded and initialized the type md5
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> [/usr/local/etc/raddb/users]:90 WARNING! Changing 'User-Password =' to
> 'User-Password ==' ?for comparing RADIUS attribute in check item list for
> user tamer
> Module: Instantiated files (files)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> Module: Instantiated realm (suffix)
> Module: Loaded detail
> detail: detailfile =
> "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded System
> unix: cache = yes
> unix: passwd = "/etc/passwd"
> unix: shadow = "/etc/shadow"
> unix: group = "/etc/group"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> HASH: Reinitializing hash structures and lists for caching...
> HASH: user root found in hashtable bucket 11726
> HASH: user bin found in hashtable bucket 86651
> HASH: user daemon found in hashtable bucket 11668
> HASH: user adm found in hashtable bucket 26466
> HASH: user lp found in hashtable bucket 54068
> HASH: user sync found in hashtable bucket 42895
> HASH: user shutdown found in hashtable bucket 71746
> HASH: user halt found in hashtable bucket 7481
> HASH: user mail found in hashtable bucket 79471
> HASH: user news found in hashtable bucket 5375
> HASH: user uucp found in hashtable bucket 38541
> HASH: user operator found in hashtable bucket 21748
> HASH: user games found in hashtable bucket 47657
> HASH: user gopher found in hashtable bucket 47357
> HASH: user ftp found in hashtable bucket 56226
> HASH: user nobody found in hashtable bucket 99723
> HASH: user ntp found in hashtable bucket 21418
> HASH: user rpc found in hashtable bucket 72373
> HASH: user vcsa found in hashtable bucket 25959
> HASH: user nscd found in hashtable bucket 36306
> HASH: user sshd found in hashtable bucket 71560
> HASH: user rpm found in hashtable bucket 72383
> HASH: user mailnull found in hashtable bucket 78086
> HASH: user smmsp found in hashtable bucket 13600
> HASH: user rpcuser found in hashtable bucket 552
> HASH: user nfsnobody found in hashtable bucket 51830
> HASH: user pcap found in hashtable bucket 55326
> HASH: user xfs found in hashtable bucket 17213
> HASH: user named found in hashtable bucket 7729
> HASH: user gdm found in hashtable bucket 50360
> HASH: user mysql found in hashtable bucket 46314
> HASH: user avillani found in hashtable bucket 10152
> HASH: user apache found in hashtable bucket 26582
> HASH: user demir found in hashtable bucket 60045
> HASH: user kkcsaba found in hashtable bucket 96040
> HASH: Stored 35 entries from /etc/passwd
> HASH: Stored 41 entries from /etc/group
> Module: Instantiated unix (unix)
> Module: Loaded radutmp
> radutmp: filename = "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.91.102:192, id=7, length=114
> User-Name = "tamer"
> NAS-IP-Address = 192.168.91.102
> Called-Station-Id = "00022d034186"
> Calling-Station-Id = "00022d176e31"
> NAS-Identifier = "Orinoco 2"
> NAS-Port-Type = Wireless-802.11
> Framed-MTU = 1400
> EAP-Message = "\002\001\000\n\001tamer"
> Message-Authenticator = 0x41dd101823facf80842de926f5001ac2
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> users: Matched tamer at 90
> modcall[authorize]: module "files" returns ok
> modcall[authorize]: module "eap" returns updated
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
> modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> radius_xlat: 'Naber Lan Got'
> Login OK: [tamer/<no User-Password attribute>] (from client AP102 port 0
> cli 00022d176e31)
> Sending Access-Challenge of id 7 to 192.168.91.102:192
> Reply-Message = "Naber Lan Got"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1400
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message =
> "\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"
> Message-Authenticator = 0x00000000000000000000000000000000
> State =
> 0xd99291b333d1b83fe72366d105d9f6effb60eb3d070cd086387a9f6d9308c8c9a1d7794d
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 7 with timestamp 3deb60fb
> Nothing to do. Sleeping until we see a request.
> rad_recv: Access-Request packet from host 192.168.91.102:192, id=8, length=114
> User-Name = "tamer"
> NAS-IP-Address = 192.168.91.102
> Called-Station-Id = "00022d034186"
> Calling-Station-Id = "00022d176e31"
> NAS-Identifier = "Orinoco 2"
> NAS-Port-Type = Wireless-802.11
> Framed-MTU = 1400
> EAP-Message = "\002\t\000\n\001tamer"
> Message-Authenticator = 0x8b1e46a77567cb5cae9d9cf8ef9237b4
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> users: Matched tamer at 90
> modcall[authorize]: module "files" returns ok
> modcall[authorize]: module "eap" returns updated
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: list_clean deleted one item
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
> modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> radius_xlat: 'Naber Lan'
> Login OK: [tamer/<no User-Password attribute>] (from client AP102 port 0
> cli 00022d176e31)
> Sending Access-Challenge of id 8 to 192.168.91.102:192
> Reply-Message = "Naber Lan Got"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1400
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message =
> "\001\n\000\026\004\020\225\346~>\021\270\341\312\306\260\004\022\321\223g\231"
> Message-Authenticator = 0x00000000000000000000000000000000
> State =
> 0x2f8845208ee71a767d564d2961a99f7de462eb3d17bb2c911c4ff713bf8834398e7550e8
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> ******************************
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Artur Hecker
artur[at]hecker.info
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
