hello everybody!
I am trying to make a secure wireless access using PEAP, but I have a
problem during authentication.
I have successfully configured the TLS module, and all works fine.
But when I want to have a peap authentication, there is a problem.
In fact, could someone try to look at my log and tell me where my
problem is? It would be great!
Another point is the configuration of the users file for PEAP. I've read
the list, but nobody gave a real answer to this question: how does this file
have to be configured? I tried:
<username> Auth-type := EAP , User-password == " xxxxxxx"
or
<username> Auth-type := Local , User-password == " xxxxxxx"
or ...
I don't really know which syntax is right for PEAP
authentication... maybe my problem is here?
Thank you for your help!
Here are my logs:
...
auth: type "EAP"
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled
attributes.
rlm_eap_peap: Identity - NOMADE\ourson
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
PEAP: Got tunneled identity of NOMADE\ourson
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = "NOMADE\\ourson"
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
radius_xlat:
'/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 15
rlm_eap: EAP packet type response id 129 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
modcall[authorize]: module "files" returns notfound for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 15
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2efbd051aa877ec625ee103a4a76b76
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message =
0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159,
length=250
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 16
rlm_eap: EAP packet type response id 130 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
modcall[authorize]: module "files" returns notfound for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled
attributes.
rlm_eap_peap: EAP type 26
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x028200411a0282003c318aeaba373dac9c2ef69fc6c42320d3430000000000000000f84afb06512d915703e8c9edb89426583adbfa1de8661f9c006f7572736f6e
PEAP: Adding old state with c2 ef
PEAP: Sending tunneled request
EAP-Message =
0x028200411a0282003c318aeaba373dac9c2ef69fc6c42320d3430000000000000000f84afb06512d915703e8c9edb89426583adbfa1de8661f9c006f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = "NOMADE\\ourson"
State = 0xc2efbd051aa877ec625ee103a4a76b76
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
radius_xlat:
'/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 16
rlm_eap: EAP packet type response id 130 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
modcall[authorize]: module "files" returns notfound for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 16
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found. Cannot
perform MS-CHAP authentication.
modcall[authenticate]: module "mschap" returns fail for request 16
modcall: group Auth-Type returns fail for request 16
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 16
modcall: group authenticate returns reject for request 16
auth: Failed to validate the user.
Login incorrect: [NOMADE\\ourson/<no User-Password attribute>] (from
client localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04820004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 159 to 192.168.1.2:2463
EAP-Message =
0x018300261900170301001b35008b805474371d397f9d38552c6bcfe9a59d564e07444ccd56e5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xce57cd5b6391787a93b48e9f4aaeb15b
Finished request 16
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2464, id=160,
length=200
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0xce57cd5b6391787a93b48e9f4aaeb15b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x028300261900170301001ba26f62a94e05145c31ca1f5fa86230cb636ac8ac4997fd7d7e2796
Message-Authenticator = 0xeac18aa0cb5ea510a6408925ad118eb7
modcall: entering group authorize for request 17
modcall[authorize]: module "preprocess" returns ok for request 17
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 17
rlm_eap: EAP packet type response id 131 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 17
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 17
modcall[authorize]: module "files" returns notfound for request 17
modcall: group authorize returns updated for request 17
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 17
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled
attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 17
modcall: group authenticate returns invalid for request 17
auth: Failed to validate the user.
Login incorrect: [NOMADE\\ourson/<no User-Password attribute>] (from
client AP1 port 37 cli 000af49c507f)
Delaying request 17 for 1 seconds
Finished request 17
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2464, id=160,
length=200
Sending Access-Reject of id 160 to 192.168.1.2:2464
EAP-Message = 0x04830004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
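The debug output above already states the cause, but it is scattered across the inner (tunneled) request: the `files` module returns `notfound` for the inner User-Name `NOMADE\ourson`, and `rlm_mschap` then reports that it has no User-Password from which to build an NT-Password, so the MS-CHAPv2 exchange inside the PEAP tunnel is rejected. Note also that the log shows `rad_check_password: Found Auth-Type EAP`: the eap module sets Auth-Type itself during authorize, so it does not need to be forced in the users file. The following script is an added example, not code from the original post or from the FreeRADIUS project: a small parser over `radiusd -X` style lines that follows the inner request and summarises why `rlm_mschap` could not run. The sample log lines are constructed from the excerpt in the post; the helper names (`diagnose`, `split_nt_domain`, `PeapDiagnosis`) are this example's own.

```python
"""Diagnose a failed PEAP / MS-CHAPv2 inner authentication from FreeRADIUS debug lines.

Added example (not from the original post or the FreeRADIUS project). It reads
radiusd -X output, tracks the tunneled (inner) request and explains why the
mschap module had nothing to authenticate against.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample: the inner-request lines from the post, in order.
SAMPLE_LOG = """\
PEAP: Got tunneled identity of NOMADE\\ourson
rlm_eap: EAP packet type response id 129 length 18
modcall[authorize]: module "files" returns notfound for request 15
rad_check_password: Found Auth-Type EAP
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authorize]: module "files" returns notfound for request 16
rlm_eap: EAP/mschapv2
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found. Cannot
modcall[authenticate]: module "mschap" returns fail for request 16
PEAP: Tunneled authentication was rejected.
"""

# Patterns for the real FreeRADIUS debug strings that matter for this failure.
IDENTITY_RE = re.compile(r"^PEAP: Got tunneled identity of (?P<id>.+)$")
FILES_RE = re.compile(r'^modcall\[authorize\]: module "files" returns (?P<rc>\w+)')
INNER_TYPE_RE = re.compile(r"^rlm_eap: processing type (?P<t>\w+)$")
AUTH_TYPE_RE = re.compile(r"^rad_check_password: Found Auth-Type (?P<at>\S+)")
NO_PASSWORD_RE = re.compile(r"^rlm_mschap: No User-Password configured")
REJECTED_RE = re.compile(r"^PEAP: Tunneled authentication was rejected")


def split_nt_domain(identity: str):
    """Split 'DOMAIN\\user' into (domain, user); a bare name gives (None, name)."""
    domain, sep, user = identity.partition("\\")
    return (domain, user) if sep else (None, identity)


@dataclass
class PeapDiagnosis:
    inner_identity: Optional[str] = None
    inner_eap_type: Optional[str] = None
    auth_type: Optional[str] = None
    files_results: List[str] = field(default_factory=list)
    mschap_no_password: bool = False
    tunneled_rejected: bool = False

    def findings(self) -> List[str]:
        """Human-readable conclusions drawn only from the lines that were seen."""
        out = []
        if self.inner_identity:
            domain, _user = split_nt_domain(self.inner_identity)
            if domain:
                out.append(f"inner identity {self.inner_identity!r} carries the NT domain "
                           f"prefix {domain!r}; the users file lookup uses the full name")
        if self.files_results and all(rc == "notfound" for rc in self.files_results):
            out.append("no users file entry matched the inner User-Name "
                       "(files returned notfound on every inner request)")
        if self.mschap_no_password:
            out.append(f"rlm_mschap had no password for the user: inner EAP type is "
                       f"{self.inner_eap_type}, and MS-CHAPv2 needs a known password")
        if self.auth_type and self.auth_type != "EAP":
            out.append(f"Auth-Type is {self.auth_type!r}, not EAP; eap sets it itself, "
                       "so a forced Auth-Type in users bypasses the EAP handler")
        if self.tunneled_rejected:
            out.append("inner authentication was rejected, so PEAP sent a TLV failure")
        return out


def diagnose(lines: Iterable[str]) -> PeapDiagnosis:
    """Walk debug lines once and collect the state needed for the findings."""
    d = PeapDiagnosis()
    for raw in lines:
        line = raw.strip()
        if m := IDENTITY_RE.match(line):
            d.inner_identity = m.group("id")
        elif m := FILES_RE.match(line):
            d.files_results.append(m.group("rc"))
        elif m := INNER_TYPE_RE.match(line):
            d.inner_eap_type = m.group("t")
        elif m := AUTH_TYPE_RE.match(line):
            d.auth_type = m.group("at")
        elif NO_PASSWORD_RE.match(line):
            d.mschap_no_password = True
        elif REJECTED_RE.match(line):
            d.tunneled_rejected = True
    return d


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG.splitlines()).findings():
        print("-", finding)
```

Run against the post's lines, the script reports that the inner identity still carries the `NOMADE\` prefix, that no users entry matched it, and that `rlm_mschap` therefore had no password to work with; those three points are the ones to fix in the users file (an entry whose name matches the inner identity as the server sees it, with a known password as a check item, and no forced Auth-Type).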