Hello there,
I have a problem with LEAP authentication.
I run FreeRADIUS version 0.9.0 (21 July, 2003) on Solaris 9.
Authenticator will be a CISCO AP 350 and Supplicant Win2k with the Aironet Client Utility.


Below I'll just describe what I did so far:

I added two users in the /raddb/users file:
test1    Auth-Type := eap, User-Password == "test1pwd"
       Service-Type = Login-User
and:
test2 Auth-Type := Local, User-Password == "test2pwd"
       Service-Type = Login-User

// Radiusd.conf
I changed: default_eap_type = md5
to:
default_eap_type = leap

I turned on the following variables so that later I could see if the password I typed in was correct.
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes


// Clients.conf
client 127.0.0.1 {
secret = localpwd
shortname = localhost
nasttype = other
}
Client 10.0.0.2 {
Secret = appwd
Shortname = ap350
Nastype = cisco
}

After configuring I did:
# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
       User-Name = "test1"
       User-Password = "test1pwd"
       NAS-IP-Address = wlan
       NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=172, length=20


And I got the following message from radiusd -X



rad_recv: Access-Request packet from host 127.0.0.1:32860, id=172, length=57
       User-Name = "test1"
       User-Password = "test1pwd"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched test1 at 97
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP-Message not found
modcall[authenticate]: module "eap" returns noop
modcall: group authenticate returns noop
auth: Failed to validate the user.
Login incorrect: [test1/test1pwd] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 172 to 127.0.0.1:32860
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 172 with timestamp 3f574020
Nothing to do. Sleeping until we see a request.

But when I tried out the second user with:

# radtest test2 test2pwd localhost 0 localpwd
Sending Access-Request of id 177 to 127.0.0.1:1812
       User-Name = "test2"
       User-Password = "test2pwd"
       NAS-IP-Address = wlan
       NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=177, length=26
       Service-Type = Login-User


I get this answer from radiusd -X



rad_recv: Access-Request packet from host 127.0.0.1:32861, id=177, length=57
       User-Name = "test2"
       User-Password = "test2pwd"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched test2 at 100
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test2/test2pwd] (from client localhost port 0)
Sending Access-Accept of id 177 to 127.0.0.1:32861
       Service-Type = Login-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 177 with timestamp 3f57405d
Nothing to do. Sleeping until we see a request.


Why isn't the first user working with Auth-Type := eap?
As you might have seen, the given username and password are equal to those in the /raddb/users file.
I first thought that it might have to do with the problem that CISCO LEAP can't read my stored password, but I do use a plain-text User-Password as described in radiusd.conf.
After testing locally I tried out the same thing from a different machine on the network, but unfortunately with the same results :(.



Thanks in advance for any good Ideas!


best regards,
cl
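
Added example (not part of the original post and not FreeRADIUS code): a small Python parser that reduces one radiusd -X trace to the module return codes, the Auth-Type chosen and the reply, and flags two things visible in the traces above: Auth-Type EAP applied to a request that carries no EAP-Message, and cleartext passwords written by the log_auth_badpass / log_auth_goodpass settings. The sample lines are shortened copies of the two traces in the post; the function name and finding texts are made up for this example.

```python
import re

# Constructed sample: lines copied (shortened) from the two radiusd -X traces in the post.
TEST1 = '''rad_recv: Access-Request packet from host 127.0.0.1:32860, id=172, length=57
        User-Name = "test1"
        User-Password = "test1pwd"
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
modcall[authorize]: module "files" returns ok
rad_check_password: Found Auth-Type eap
modcall[authenticate]: module "eap" returns noop
auth: Failed to validate the user.
Login incorrect: [test1/test1pwd] (from client localhost port 0)
Sending Access-Reject of id 172 to 127.0.0.1:32860'''
TEST2 = '''rad_recv: Access-Request packet from host 127.0.0.1:32861, id=177, length=57
        User-Name = "test2"
        User-Password = "test2pwd"
modcall[authorize]: module "eap" returns noop
modcall[authorize]: module "files" returns ok
rad_check_password: Found Auth-Type Local
Login OK: [test2/test2pwd] (from client localhost port 0)
Sending Access-Accept of id 177 to 127.0.0.1:32861
        Service-Type = Login-User'''

MODULE = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')
REPLY = re.compile(r'Sending (Access-\w+) of id \d+')
ATTR = re.compile(r'^\s+([\w-]+) = ')
LOGIN = re.compile(r'Login (?:OK|incorrect): \[[^/\]]+/[^\]]+\]')

def summarize(trace):
    """Reduce one request's debug trace to the facts that explain the reply."""
    out = {"attrs": set(), "modules": {}, "auth_type": None, "reply": None, "findings": []}
    for line in trace.splitlines():
        if m := MODULE.search(line):
            out["modules"][(m[1], m[2])] = m[3]   # (section, module) -> return code
        elif m := AUTH_TYPE.search(line):
            out["auth_type"] = m[1]
        elif m := REPLY.search(line):
            out["reply"] = m[1]
        elif (m := ATTR.match(line)) and out["reply"] is None:
            out["attrs"].add(m[1])                # request attributes only, not reply ones
        elif LOGIN.search(line):
            out["findings"].append("cleartext password written to the auth log")
    if (out["auth_type"] or "").lower() == "eap" and "EAP-Message" not in out["attrs"]:
        out["findings"].append("Auth-Type EAP forced on a request without EAP-Message")
    return out
```
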

