Yes, I also think there's something wrong in the configuration. I have attached my
authorize/authenticate section configuration. Where do you think I'm going wrong?
Thank you very much for your help!
emi
hi
comments inline.
> I'm trying to authenticate a client with EAP-MD5. I followed directives coming from
> the link
>
> http://www.freeradius.org/doc/EAP-MD5.html, but I have some problems. Attached is
> the output of radiusd -X. Could someone take a quick look at it and help
> me to understand the meaning of those messages? I don't understand, for example, why
> there are messages related to rlm_chap whereas rlm_eap is not mentioned.
>
> Thanks in advance,
>
> emi
i think that your authenticate/authorize sections are not properly
configured since the eap module is not involved in request processing.
check the configuration.
ciao
artur
>
> ------------------------------------------------------------------------
>
> rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
> User-Name = "pippo"
> Cisco-AVPair = "ssid=tsunami"
> NAS-IP-Address = 172.31.71.202
> Called-Station-Id = "000bfd04198e"
> Calling-Station-Id = "000b46563147"
> NAS-Identifier = "AP1200-04198e"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\n\001pippo"
> Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module "chap" returns noop
> modcall[authorize]: module "mschap" returns notfound
> modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module "suffix" returns noop
> users: Matched pippo at 65
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> rad_check_password: Found Auth-Type Local
> Warning: Found 2 auth-types on request for user 'pippo'
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 186 to 172.31.71.202:1212
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 186 with timestamp 3e63636b
> Nothing to do. Sleeping until we see a request.
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
modules {...
    # Extensible Authentication Protocol
    #
    # For all EAP related authentications
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        # default_eap_type = md5
        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        # timer_expire = 60
        # Supported EAP-types
        default_eap_type=md5
        md5 {
        }
    }
}

authorize {
    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    #
    # It also adds a Client-IP-Address attribute to the request.
    preprocess
    #
    # The chap module will set 'Auth-Type := CHAP' if we are
    # handling a CHAP request and Auth-Type has not already been set
    chap
    #
    # If the users are logging in with an MS-CHAP-Challenge
    # attribute for authentication, the mschap module will find
    # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    # to the request, which will cause the server to then use
    # the mschap module for authentication.
    mschap
    counter
    attr_filter
    eap
    suffix
    files
    etc_smbpasswd
    # The ldap module will set Auth-Type to LDAP if it has not already been set
    ldap
}

authenticate {
    #
    # PAP authentication, when a back-end database listed
    # in the 'authorize' section supplies a password. The
    # password can be clear-text, or encrypted.
    authtype PAP {
        pap
    }
    #
    # Most people want CHAP authentication
    # A back-end database listed in the 'authorize' section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won't work.
    authtype CHAP {
        chap
    }
    #
    # MSCHAP authentication.
    authtype MS-CHAP {
        mschap
    }
    pam
    #
    # See 'man getpwent' for information on how the 'unix'
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    unix
    # Uncomment it if you want to use ldap for authentication
    authtype LDAP {
        ldap
    }
    eap
}
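
For reading a radiusd -X trace like the one quoted in this thread, here is an added example (not part of the original messages and not FreeRADIUS code) that lists, per request, each module's return code, the Auth-Types the server found and the one it acted on. The function name `analyze`, the dictionary keys and the shortened `SAMPLE` trace are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened copy of the radiusd -X trace quoted in this thread.
SAMPLE = r"""rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
User-Name = "pippo"
EAP-Message = "\002\002\000\n\001pippo"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "eap" returns updated
modcall[authorize]: module "files" returns ok
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type Local
Warning: Found 2 auth-types on request for user 'pippo'
auth: type Local
auth: Failed to validate the user.
"""

MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
FOUND_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
CHOSEN_RE = re.compile(r'auth: type (\S+)')


def analyze(trace):
    """Summarise each request in a radiusd -X trace and flag Auth-Type conflicts."""
    requests, cur = [], None
    for raw in trace.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail quoting and indentation
        if line.startswith("rad_recv:"):  # a new request begins
            cur = {"eap_message": False, "modules": [], "found": [],
                   "chosen": None, "findings": []}
            requests.append(cur)
        elif cur is None:
            continue
        elif line.startswith("EAP-Message"):
            cur["eap_message"] = True
        elif m := MODULE_RE.match(line):
            cur["modules"].append(m.groups())  # (section, module, return code)
        elif m := FOUND_RE.match(line):
            cur["found"].append(m.group(1))
        elif m := CHOSEN_RE.match(line):
            cur["chosen"] = m.group(1)  # the Auth-Type the server acted on
    for r in requests:
        if len(set(r["found"])) > 1:
            r["findings"].append("multiple Auth-Types found: " + ", ".join(r["found"]))
        if r["eap_message"] and r["chosen"] not in (None, "EAP"):
            r["findings"].append(f"EAP-Message present but Auth-Type {r['chosen']} was used")
    return requests
```

Calling `analyze()` on a full trace returns one dictionary per `rad_recv:` block; an empty `findings` list means the request carried no conflicting Auth-Type lines.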