> hi
>
> summarizing:
>
> - freeradius authenticates the user
> - windows XP "thinks that it is authenticated", so it has received the
>   EAP Success message
>
> right? then, except your AP implementation is broken or some
> incompatible L2 features are activated on the two ends of your L2-link,
> your L2 link should be established. thus, any further problems should be
> L3 problems: incorrect address, dead DHCP, wrong routes, i don't know
> what.

But the client configuration is the same one that works with EAP-TLS... only
the XP supplicant configuration is different (MD5, not certificates).

> anyway, make sure the above assumptions are true. windows sometimes
> shows "connected" symbol although it DOES NOT "think" that it is
> authenticated correctly. the status of the authentication can be found
> in your Network device list.
>
> if the assumptions are true, then let me put it this way:
> - EITHER your AP is broken or your link improperly configured
> - OR your network/windows XP are not IP-configured correctly
>
> choose one...

The AP is a PC with Linux + HostAP, and it has FreeRADIUS + OpenSSL + OpenLDAP
too. It works fine without EAP and with EAP-TLS. The logs seem to be correct
too...

> for troubleshooting: can you connect without problems when no EAP is
> activated? deactivate EAP on your access point *without touching
> anything else* and see if you can connect with your windows. if not you
> have identified your problem.

I can connect when I use EAP-TLS and when I don't use EAP at all. And the IP,
routing, etc. configuration is the same in all cases.

> it is difficult to deduce more from what we know so far...
>
>
> ciao
> artur
>
>
> Israel Cardenas Romero wrote:
> >
> > Hi,
> >
> > I'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP.
> > I've configured it to work with EAP-TLS and it works fine with the Windows
> > XP supplicant.
> > But if I configure it to work with EAP-MD5, it seems not to work:
> > - the Windows XP client is configured with EAP-MD5
> > - it takes login and password from the user
> > - FreeRADIUS seems to validate him correctly (here is the log):
> >
> > rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3, length=231
> >         User-Name = "Nombre2 Apellido2"
> >         NAS-IP-Address = 192.168.49.222
> >         NAS-Port = 1
> >         Called-Station-Id = "00-50-C2-10-92-82:SecureAP"
> >         Calling-Station-Id = "00-0B-46-26-1B-E2"
> >         Framed-MTU = 2304
> >         NAS-Port-Type = Wireless-802.11
> >         Connect-Info = "CONNECT 11Mbps 802.11b"
> >         EAP-Message = "\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2 Apellido2"
> >         State = 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
> >         Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for Nombre2 Apellido2
> > radius_xlat:  '(uid=Nombre2 Apellido2)'
> > radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=Nombre2 Apellido2)
> > rlm_ldap: Added password izadisan in check items
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: Adding radiusExpiration as Expiration, value 11 & op=21
> > rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP_TYPE - md5
> >   rlm_eap: processing type md5
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 3 to 192.168.49.222:1029
> >         EAP-Message = "\003\004\000\004"
> >         Message-Authenticator = 0x00000000000000000000000000000000
> > Finished request 30
> > Going to the next request
> > Waking up in 6 seconds...
> >
> > - the Windows XP client thinks it is authenticated, because it doesn't try to
> >   log in any more
> > - but the network is not accessible for the client...
>
> --
> Artur Hecker
> artur[at]hecker.info
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
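The script below is an added example for this thread; it is not code from FreeRADIUS, HostAP or either poster. It decodes the two EAP-Message values from the log quoted above (octal-escaped exactly as radiusd prints them), shows the MD5-Challenge computation the server performs on such a response (with a constructed challenge, since the real one is not in the log), and checks whether an Access-Accept carries MS-MPPE-Recv-Key and MS-MPPE-Send-Key. That last check is the one worth adding to Artur's list: EAP-MD5 defines no key derivation, so its Access-Accept can never carry keying material, and an AP running 802.1X with dynamic WEP keys (the usual way EAP-TLS is deployed) has no per-station key to install even though the EAP-Success was delivered. The EAP-TLS-style Accept in the block is constructed for contrast and does not appear in the thread.

```python
"""Decode the EAP-Message strings from the quoted radiusd debug output and
check what the Access-Accept carries.

Added example for this thread, not FreeRADIUS or HostAP code.  The two
EAP-Message values, the user name and the password are copied from the log
in the mail; the challenge and the EAP-TLS-style Accept are constructed.
"""
import hashlib

# Octal-escaped strings exactly as radiusd -X prints them in the quoted log.
EAP_RESPONSE = r"\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2 Apellido2"
EAP_SUCCESS = r"\003\004\000\004"

# Attribute lines of two Access-Accepts.  ACCEPT_MD5 is the one in the log;
# ACCEPT_TLS_EXAMPLE is constructed (placeholder values) to show an Accept
# that does hand the AP keying material.
ACCEPT_MD5 = [
    'EAP-Message = "\\003\\004\\000\\004"',
    "Message-Authenticator = 0x00000000000000000000000000000000",
]
ACCEPT_TLS_EXAMPLE = [
    "MS-MPPE-Recv-Key = 0x0000...",  # constructed placeholder
    "MS-MPPE-Send-Key = 0x0000...",  # constructed placeholder
    'EAP-Message = "\\003\\010\\000\\004"',
    "Message-Authenticator = 0x00000000000000000000000000000000",
]

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


def unescape(s):
    """Undo radiusd's C-style escaping: \\NNN is an octal byte, \\\\ a backslash."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
        elif s[i + 1] == "\\":
            out.append(0x5C)
            i += 2
        else:
            out.append(int(s[i + 1:i + 4], 8))
            i += 4
    return bytes(out)


def parse_eap(pkt):
    """Parse an EAP packet (RFC 3748 s4); for MD5-Challenge also split the body (s5.4)."""
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(pkt)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type octet
        eap_type = pkt[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 4:  # MD5-Challenge body: Value-Size, Value, Name
            vsize = pkt[5]
            info["value"] = pkt[6:6 + vsize]
            info["name"] = pkt[6 + vsize:].decode("latin-1")
    return info


def eap_md5_response(ident, password, challenge):
    """The Value the peer sends: MD5(Identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_check(ident, password, challenge, value):
    """The server recomputes the same hash from its copy of the password."""
    return eap_md5_response(ident, password, challenge) == value


def accept_has_keys(attr_lines):
    """A wireless 802.1X Accept needs MS-MPPE-Recv-Key and MS-MPPE-Send-Key: the
    AP derives the per-station (dynamic WEP) key from them.  EAP-MD5 has no key
    derivation, so an EAP-MD5 Accept never contains them."""
    names = {line.split("=", 1)[0].strip() for line in attr_lines}
    return {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"} <= names


if __name__ == "__main__":
    resp = parse_eap(unescape(EAP_RESPONSE))
    print("peer   ->", resp["code"], resp["type"], "id", resp["id"], "name", resp["name"])
    print("server ->", parse_eap(unescape(EAP_SUCCESS)))
    challenge = bytes(range(16))  # constructed; the real challenge is not in the log
    value = eap_md5_response(4, b"izadisan", challenge)
    print("MD5 Value verifies:", server_check(4, b"izadisan", challenge, value))
    for label, accept in (("EAP-MD5 Accept", ACCEPT_MD5), ("EAP-TLS Accept", ACCEPT_TLS_EXAMPLE)):
        print(label, "carries MPPE keys:", accept_has_keys(accept))
```

Run against the log, the response decodes as EAP Response, id 4, MD5-Challenge, 16-byte Value, Name "Nombre2 Apellido2", and the server's packet as EAP Success, id 4, which confirms Artur's two assumptions; the key check then shows why that is not enough for the AP.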
