my user is configured as follows:

pippo Auth-Type := Local, User-Password == pippo

i would put the eap module as the last one in authorize and as the only one in the authenticate, just like in the faq. why don't you begin with a _simple_ configuration and add things later? why are you using a huge one with 10 modules in every section? and then, is your user configured properly? Auth-Type := Local?

ciao
artur

[EMAIL PROTECTED] wrote:
> yes I also think there's something wrong in the configuration. I put in attach my
> authorize/authenticate section configuration. Where do you think I'm getting wrong??
>
> Thank you very much for your help!!
> emi
>
> hi
>
> comments inline.
>
>>I'm trying to authenticate a client with EAP-MD5. I followed directives coming from
>>the link
>>
>>http://www.freeradius.org/doc/EAP-MD5.html, but I have some problems. In attach is
>>reported the output of radiusd -X. Could someone give a little look to it and help
>>me to understand the meaning of those messages? I don't understand for example why
>>there are messages related to rlm_chap whereas rlm_eap is not mentioned.
>>
>>Thanks in advance,
>>
>>emi
>
> i think that your authenticate/authorize sections are not properly
> configured since the eap module is not involved in request processing.
>
> check the configuration.
>
> ciao
> artur
>
>>------------------------------------------------------------------------
>>
>>rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
>>    User-Name = "pippo"
>>    Cisco-AVPair = "ssid=tsunami"
>>    NAS-IP-Address = 172.31.71.202
>>    Called-Station-Id = "000bfd04198e"
>>    Calling-Station-Id = "000b46563147"
>>    NAS-Identifier = "AP1200-04198e"
>>    NAS-Port = 37
>>    Framed-MTU = 1400
>>    NAS-Port-Type = Wireless-802.11
>>    EAP-Message = "\002\002\000\n\001pippo"
>>    Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
>>modcall: entering group authorize
>>  modcall[authorize]: module "preprocess" returns ok
>>rlm_chap: Could not find proper Chap-Password attribute in request
>>  modcall[authorize]: module "chap" returns noop
>>  modcall[authorize]: module "mschap" returns notfound
>>  modcall[authorize]: module "eap" returns updated
>>    rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
>>    rlm_realm: No such realm NULL
>>  modcall[authorize]: module "suffix" returns noop
>>    users: Matched pippo at 65
>>  modcall[authorize]: module "files" returns ok
>>modcall: group authorize returns updated
>>  rad_check_password: Found Auth-Type EAP
>>  rad_check_password: Found Auth-Type Local
>>Warning: Found 2 auth-types on request for user 'pippo'
>>auth: type Local
>>auth: No User-Password or CHAP-Password attribute in the request
>>auth: Failed to validate the user.
>>Delaying request 4 for 1 seconds
>>Finished request 4
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 186 to 172.31.71.202:1212
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 4 ID 186 with timestamp 3e63636b
>>Nothing to do. Sleeping until we see a request.
>
> ------------------------------------------------------------------------
>
> modules {...
>     # Extensible Authentication Protocol
>     #
>     # For all EAP related authentications
>     eap {
>         # Invoke the default supported EAP type when
>         # EAP-Identity response is received
>         # default_eap_type = md5
>
>         # Default expiry time to clean the EAP list,
>         # It is maintained to co-relate the
>         # EAP-response for each EAP-request sent.
>         # timer_expire = 60
>
>         # Supported EAP-types
>
>         default_eap_type=md5
>         md5 {
>         }
>
>
> authorize {
>     #
>     # The preprocess module takes care of sanitizing some bizarre
>     # attributes in the request, and turning them into attributes
>     # which are more standard.
>     #
>     # It takes care of processing the 'raddb/hints' and the
>     # 'raddb/huntgroups' files.
>     #
>     # It also adds a Client-IP-Address attribute to the request.
>     preprocess
>
>     #
>     # The chap module will set 'Auth-Type := CHAP' if we are
>     # handling a CHAP request and Auth-Type has not already been set
>     chap
>
>     #
>     # If the users are logging in with an MS-CHAP-Challenge
>     # attribute for authentication, the mschap module will find
>     # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>     # to the request, which will cause the server to then use
>     # the mschap module for authentication.
>     mschap
>
>     counter
>     attr_filter
>
>     eap
>
>     suffix
>     files
>     etc_smbpasswd
>
>
>     # The ldap module will set Auth-Type to LDAP if it has not already been set
>     ldap
> }
>
>
>
> authenticate {
>     #
>     # PAP authentication, when a back-end database listed
>     # in the 'authorize' section supplies a password. The
>     # password can be clear-text, or encrypted.
>     authtype PAP {
>         pap
>     }
>
>     #
>     # Most people want CHAP authentication
>     # A back-end database listed in the 'authorize' section
>     # MUST supply a CLEAR TEXT password. Encrypted passwords
>     # won't work.
>     authtype CHAP {
>         chap
>     }
>
>     #
>     # MSCHAP authentication.
>     authtype MS-CHAP {
>         mschap
>     }
>
>     pam
>
>     #
>     # See 'man getpwent' for information on how the 'unix'
>     # module checks the users password. Note that packets
>     # containing CHAP-Password attributes CANNOT be authenticated
>     # against /etc/passwd! See the FAQ for details.
>     #
>     unix
>
>     # Uncomment it if you want to use ldap for authentication
>     authtype LDAP {
>         ldap
>     }
>
>
>     eap
> }
>

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
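
The conflict visible in the quoted radiusd -X output can be picked out mechanically. The following is an added example, not part of the original thread or of FreeRADIUS: it parses debug lines in the format shown above and reports when an EAP request ends up with a second Auth-Type. The function name `diagnose` and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample: lines abridged from the radiusd -X output quoted in the thread.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
    EAP-Message = "\002\002\000\n\001pippo"
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "eap" returns updated
  modcall[authorize]: module "files" returns ok
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type Local
Warning:  Found 2 auth-types on request for user 'pippo'
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
"""

MODULE_RE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
FOUND_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
CHOSEN_RE = re.compile(r"^auth: type (\S+)", re.M)


def diagnose(log):
    """Summarise one request from radiusd -X output and flag Auth-Type conflicts."""
    order = [name for name, _ in MODULE_RE.findall(log)]
    found = FOUND_RE.findall(log)
    chosen = CHOSEN_RE.search(log)
    used = chosen.group(1) if chosen else None
    is_eap = "EAP-Message" in log
    findings = []
    # Two modules each set an Auth-Type (here: eap and the users file).
    if len(set(found)) > 1:
        findings.append("multiple Auth-Types set: " + ", ".join(found))
    # The request carried EAP-Message but the server picked another method.
    if is_eap and used not in (None, "EAP"):
        findings.append("EAP request authenticated as Auth-Type %s" % used)
    # Modules listed after eap in authorize can still change Auth-Type.
    if "eap" in order and order[-1] != "eap":
        rest = order[order.index("eap") + 1:]
        findings.append("modules after eap in authorize: " + ", ".join(rest))
    return {"is_eap_request": is_eap, "authorize_order": order,
            "auth_types_found": found, "auth_type_used": used,
            "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```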
