Date: Mon, 01 Mar 2004 15:38:46 +0100
To: [EMAIL PROTECTED]
From: Basile Mathieu <[EMAIL PROTECTED]>
Subject: eap_tls on cisco 1100 with xp and  linux

I have a Cisco AP 1100,
a laptop under XP and Linux Red Hat 7.3,
and a FreeRADIUS server.
I want to use the EAP-TLS method for authentication.


Here are the FreeRADIUS config files, the AP (Cisco 1100) config file and the xsupplicant config files.

Nothing works.
If someone can tell me what is wrong — I am going crazy.
thanks a lot
basile mathieu

ps

I did not include radiusd.conf because my mail was rejected.


The RADIUS output below is the log from when the XP laptop tries to connect.
When the laptop under Linux Red Hat 7.3 tries to connect, nothing happens (the EAPOL-Start packet has destination 44:44:44:44:44:44).
The Wi-Fi cards in the laptops are Cisco 350 series PCMCIA.
I used http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm to generate the certificates and configure XP.
#
# clients.conf - client configuration directives
#
#######################################################################

#######################################################################
#
#  Definition of a RADIUS client (usually a NAS).
#
#  The information given here over rides anything given in the
#  'clients' file, or in the 'naslist' file.  The configuration here
#  contains all of the information from those two files, and allows
#  for more configuration items.
#
#  The "shortname" is be used for logging.  The "nastype", "login" and
#  "password" fields are mainly used for checkrad and are optional.
#

#
#  Defines a RADIUS client.  The format is 'client [hostname|ip-address]'
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
client 127.0.0.1 {
        #
        #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 32 characters in length.
        #
        #  NOTE(review): this is still the shipped default, which the
        #  comment above already says to change.  If the server listens on
        #  loopback (the posted debug output shows it bound to a single
        #  address, so check), any local process that can send UDP to
        #  port 1812 knows the value used to sign and check packets for
        #  this client.  Set a random secret, or remove the entry once
        #  local testing is over.
        secret          = testing123

        #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.
        #
        shortname       = localhost

        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #

        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        #  use to query the NAS for simultaneous use.
        #
        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types

        #
        nastype     = other     # localhost isn't usually a NAS...

        #
        #  The following two configurations are for future use.
        #  The 'naspasswd' file is currently used to store the NAS
        #  login name and password, which is used by checkrad.pl
        #  when querying the NAS for simultaneous use.
        #
        #  NOTE(review): if these are ever enabled, the NAS admin
        #  credentials sit here in clear text, so the permissions on this
        #  file matter.
#       login       = !root
#       password    = someadminpas
}

#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client <IP>/24 {
        #  NOTE(review): this is the entry the Cisco AP matches
        #  (NAS-Identifier "borne_siris" in the debug output).  The shared
        #  secret is a short dictionary word.  It is what signs the
        #  Message-Authenticator and what encrypts the MS-MPPE-Recv-Key /
        #  MS-MPPE-Send-Key attributes that the Access-Accept in the log
        #  carries, i.e. the session keys for the wireless link, so use a
        #  long random value.  A single AP also does not need a /24: a
        #  host entry for the AP's address admits fewer senders.
        #
        #  NOTE(review): the posted debug output prints the server's
        #  tls: private_key_password and the MPPE keys in clear; treat
        #  both as disclosed and rotate them — TODO confirm.
        secret          = basile
        shortname       = borne_siris
        nastype         = other
}
#
#client 192.168.0.0/16 {
#       secret          = testing123-2
#       shortname       = private-network-2
#}


client <IP>0/24 {
        #  NOTE(review): duplicate of the entry above — same secret,
        #  shortname and nastype, and the network looks like a typo or
        #  redaction of the previous one.  As the comment above explains,
        #  the smallest matching network wins, so one of the two entries
        #  is dead configuration; keep a single entry for the AP so the
        #  secret has one place to be changed.
        secret          = basile
        shortname       = borne_siris
        nastype         = other
}

#client 10.10.10.10 {
#       # secret and password are mapped through the "secrets" file.
#       secret      = testing123
#       shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#       nastype     = livingston
#       login       = !root
#       password    = someadminpas
#}


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = <ip> IP address [ip]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 500
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on IP address <ip>, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host <AP IP>:21645, id=39, length=142
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xfadcc31f1ae2b5b53f681c5770887e32
        EAP-Message = 0x0202000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        Service-Type = Framed-User
        NAS-IP-Address = <IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 39 to
<IP>:21645
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb1130daf92ba667a86803db3a6e14181
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host<IP>:21645, id=40, length=225
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xdabb3d4f6814d98ca9a5374d5a12a9b7
        EAP-Message = 
0x020300500d800000004616030100410100003d030140434047d2c2ba45d1e745059edae22a212c1200cc60eef2da060803aa941f9800001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0xb1130daf92ba667a86803db3a6e14181
        Service-Type = Framed-User
        NAS-IP-Address = <IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 029d], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0092], CertificateRequest  
    TLS_accept: SSLv3 write certificate request A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 40 to
<IP>:21645
        EAP-Message = 
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
        EAP-Message = 
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
        EAP-Message = 0x8f534f4a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x584367600bc306ba0d51142fb81d6591
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host
<IP>:21645, id=41, length=151
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xfeec4be9e133101da3b07e9959116665
        EAP-Message = 0x020400060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0x584367600bc306ba0d51142fb81d6591
        Service-Type = Framed-User
        NAS-IP-Address = <IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 41 to
<IP>:21645
        EAP-Message = 
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
        EAP-Message = 
0x387d74dd1a809358266916030100920d00008a02010200850083308180310b3009060355040613024672310e300c060355040813055061726973310e300c060355040713055061726973310e300c060355040a13057369726973310e300c060355040b13057369726973310f300d06035504031306626173696c653120301e06092a864886f70d0109011611736972697340736f72626f6e6e652e66720e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x617b55fb9d14e9382adbdcf5b9d5c0df
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host
<IP>:21645, id=42, length=151
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xe5d98b9f6148cd08f7509c356d4af47b
        EAP-Message = 0x020500060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0x617b55fb9d14e9382adbdcf5b9d5c0df
        Service-Type = Framed-User
        NAS-IP-Address = <IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3 
  eaptls_process returned 3 
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 3
modcall: group authenticate returns ok for request 3
Sending Access-Accept of id 42 to
<IP>:21645
        MS-MPPE-Recv-Key = 
0x04b281fa84f6084e5cb1c4144548cc0a9dd1ab2d0225f43bdf4af8a1bfca891a
        MS-MPPE-Send-Key = 
0x7f2ea4d7e04917986577f337e3515e5cfbcbc9af30e372892fd1c9ecc800287a
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "sentinelle"
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host
<IP>:21645, id=43, length=142
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0x0239f9b5f2dba3a7fe8572936fe502c7
        EAP-Message = 0x0203000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        Service-Type = Framed-User
        NAS-IP-Address =<IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 3 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 43 to
<IP>:21645
        EAP-Message = 0x010400060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4276b89c17536027e32f46665aea7723
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 40434200
Cleaning up request 1 ID 40 with timestamp 40434200
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 41 with timestamp 40434201
Cleaning up request 3 ID 42 with timestamp 40434201
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 43 with timestamp 40434204
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
<IP>:21645, id=44, length=160
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0x2ea2626590f8694aacb6c38cf756cb45
        EAP-Message = 0x0204000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0x4276b89c17536027e32f46665aea7723
        Service-Type = Framed-User
        NAS-IP-Address = <IP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 4 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 44 to <IP>:21645
        EAP-Message = 0x010500060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed70be0fc1794fde75d00d9e700b2d39
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 44 with timestamp 40434223
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
<IP>:21645, id=45, length=160
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xd84003139235ab473abaa5887b1da691
        EAP-Message = 0x0205000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0xed70be0fc1794fde75d00d9e700b2d39
        Service-Type = Framed-User
        NAS-IP-Address = <AP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 5 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 45 to
<IP>:21645
        EAP-Message = 0x010600060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd9ddb85c76c7380194d3922ea8d1c0d5
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 45 with timestamp 40434241
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
<IP>:21645, id=46, length=160
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0xc2884c982686d07943c1bfc1b0715407
        EAP-Message = 0x0206000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0xd9ddb85c76c7380194d3922ea8d1c0d5
        Service-Type = Framed-User
        NAS-IP-Address = <AP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 6 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 46 to
<IP>:21645
        EAP-Message = 0x010700060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1a567808d76bb9c6b466e0c974787a27
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 46 with timestamp 4043425f
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
<IP>:21645, id=47, length=160
        User-Name = "sentinelle"
        Framed-MTU = 1400
        Called-Station-Id = "000e.38f7.63f0"
        Calling-Station-Id = "000e.83eb.37fd"
        Message-Authenticator = 0x74c625aa8f832e256fb64f3e1f657656
        EAP-Message = 0x0207000f0173656e74696e656c6c65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0x1a567808d76bb9c6b466e0c974787a27
        Service-Type = Framed-User
        NAS-IP-Address = <AP>
        NAS-Identifier = "borne_siris"
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
    rlm_realm: No '@' in User-Name = "sentinelle", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: EAP packet type response id 7 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
    users: Matched sentinelle at 80
  modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 47 to
<IP>:21645
        EAP-Message = 0x010800060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xab03d39ee6c259a366b28d2cc228f951
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 47 with timestamp 4043427e
Nothing to do.  Sleeping until we see a request.

## This is a sample configuration file for xsupplicant that explains
## all currently configurable functionality. In general, this file is a
## series of tag-value pairs. In addition to a tag and a value, there is
## also a "network id" to group different tag-value pairs together.
## The file is parsed linearly, so redundant tags with the same network
## id will take the value of the last line. If no network name is provided
## on the command line (using the -n flag) then the network id "default"
## is parsed.

# the id tag indicates what value to return for an EAP Identity request
# in the case of EAP-SIM, this is the IMSI.
tsunami:id = sentinelle  #comment here

## spaces don't matter, this will work too
# default   : id   =   [EMAIL PROTECTED] 

## the path to the certificate file to be used for the above user
## this option is only useful for TLS authentication
## this should be the path of your user-certifica
tsunami : cert = /etc/1x/certs/cert.cer

## the path to the private key of the user for the user certificate
## this option is only useful for TLS authentication
tsunami : key = /etc/1x/certs/key.pem

## the path to file containing all valid CAroots
## This option is needed for all TLS-based authentication types:
## TLS, TTLS, PEAP, etc...
tsunami :root = /etc/1x/certs/root.pem

## I have no idea if this does anything
#default :auth = none
#tsunami:auth = eap

## Force this connection to wired or wireless.  
## Needed in situations where wired drivers answer ioctls for wireless cards.
## Specifically, some intel cards with current drivers.
## YOU SHOULDN'T USE THIS WITH THE DEFAULT PROFILE!  IT WILL PREVENT
## ANY WIRELESS CARDS FROM WORKING!  USE THE -w SWITCH INSTEAD!
tsunami:type = wireless 
#default:type = wired

## preferred auth type
## Valid types are: TLS, MD5, TTLS, MSCHAPV2, PEAP, and SIM*
## * - SIM requires --enable-eap-sim at configure time.
tsunami :  pref = TLS

## password for the connection.  This is optional, if you want the supplicant
## to authenticate without prompting for a password.
#default : password = <password>

## Phase 2 auth method for TTLS. (Currently, PAP, CHAP, MS-CHAP, or MS-CHAPv2)
## For PEAP, there is only MS-CHAPv2, so this does nothing.
#tsunami : phase2auth = PAP

## Phase 2 username (for using anonymous in the phase 1 piece).
## If this isn't defined, it defaults to the same as the phase 1 piece.
#default : phase2id = [EMAIL PROTECTED]

## chunk size
tsunami : chunk_size = 500

## random file to use
tsunami : random_file = /dev/random

## Shell command to run after the FIRST successful authentication
## command MUST begin with a "/" (absolute path)
tsunami : first_auth = "/bin/bash /sbin/ifup  eth1"

## shell command to run after ALL successful authentications
## the current semantics are that if first_auth is also defined,
## only first_auth is run the first time and after_auth is run every other time;
## if first_auth is not defined, after_auth is run after ALL authentications,
## including the first.
## command MUST begin with a "/" (absolute path)
tsunami : after_auth = "/bin/echo I authenticated"

#
#       Please read the documentation file ../doc/processing_users_file,
#       or 'man 5 users' (after installing the server) for more information.
#
#       This file contains authentication security and configuration
#       information for each user.  Accounting requests are NOT processed
#       through this file.  Instead, see 'acct_users', in this directory.
#
#       The first field is the user's name and can be up to
#       253 characters in length.  This is followed (on the same line) with
#       the list of authentication requirements for that user.  This can
#       include password, comm server name, comm server port number, protocol
#       type (perhaps set by the "hints" file), and huntgroup name (set by
#       the "huntgroups" file).
#
#       If you are not sure why a particular reply is being sent by the
#       server, then run the server in debugging mode (radiusd -X), and
#       you will see which entries in this file are matched.
#
#       When an authentication request is received from the comm server,
#       these values are tested. Only the first match is used unless the
#       "Fall-Through" variable is set to "Yes".
#
#       A special user named "DEFAULT" matches on all usernames.
#       You can have several DEFAULT entries. All entries are processed
#       in the order they appear in this file. The first entry that
#       matches the login-request will stop processing unless you use
#       the Fall-Through variable.
#
#       If you use the database support to turn this file into a .db or .dbm
#       file, the DEFAULT entries _have_ to be at the end of this file and
#       you can't have multiple entries for one username.
#
#       You don't need to specify a password if you set Auth-Type += System
#       on the list of authentication requirements. The RADIUS server
#       will then check the system password file.
#
#       Indented (with the tab character) lines following the first
#       line indicate the configuration values to be passed back to
#       the comm server to allow the initiation of a user session.
#       This can include things like the PPP configuration values
#       or the host to log the user onto.
#
#       You can include another `users' file with `$INCLUDE users.other'
#

#
#       For a list of RADIUS attributes, and links to their definitions,
#       see:
#
#       http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser       Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."
#

#
# These are complete entries (the stock example used "steve"). Note that there
# is no Fall-Through entry, so no DEFAULT entry will be used and the users will
# NOT get any attributes in addition to the ones listed here.
#
sentinelle      Auth-Type := eap
siris   Auth-Type := eap , User-Password == "*********"
Cisco   Auth-Type := Local , User-Password == "********"
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 172.16.3.33,
#       Framed-IP-Netmask = 255.255.255.0,
#       Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
#       Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"     Auth-Type := Local, User-Password == "hello"
#               Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Auth-Type := Local, User-Password == "ge55ged"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = 0.0.0.0,
#       Callback-Number = "9,5551212",
#       Login-Service = Telnet,
#       Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Auth-Type := Local, User-Password == "callme"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = timeshare1,
#       Login-Service = PortMaster,
#       Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#               Framed-IP-Address = 192.168.1.65,
#               Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT        Suffix == ".shell", Auth-Type := System
#               Service-Type = Login-User,
#               Login-Service = Telnet,
#               Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
        Fall-Through = 1

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#               Framed-IP-Address = 192.168.1.32+,
#               Fall-Through = Yes

#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "delft"
#               Framed-IP-Address = 192.168.2.32+,
#               Fall-Through = Yes

#
# Defaults for all framed connections.
#
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#       by the terminal server in which case there may not be a "P" suffix.
#       The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#       Service-Type = Login-User,
#       Login-Service = Rlogin,
#       Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#       Service-Type = Shell-User

# On no match, the user is denied access.

! NOTE(review): running-config pasted into a mailing-list post. The "<ip>" tokens
! are redactions, and a few long lines (the "speed" list, "ip http help-path" and
! the "radius-server host ... key" line) look wrapped by the mail client rather
! than being separate commands.
Current configuration : 2461 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! "service password-encryption" only applies the reversible type-7 obfuscation
! to passwords stored in the config; it is not a hash.
service password-encryption
!
hostname borne_siris
!
!
! NOTE(review): privilege-15 account stored as "password 7" (reversible type-7
! encoding). A config dump like this one should be treated as disclosing the
! password; rotate it, and prefer "username ... secret" (type-5 hash) where the
! image supports it.
username Cisco privilege 15 password 7 070C2F4E5F0A10030E
ip subnet-zero
!
aaa new-model
!
!
! rad_eap and rad_eap1 are configured identically (same auth/acct ports; both
! addresses redacted). Only eap_methods1 -> rad_eap1 is referenced by the SSID
! below; rad_eap / eap_methods appear unused. The remaining groups are empty.
aaa group server radius rad_eap
 server <ip> auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server <ip> auth-port 1812 acct-port 1813
!
! "login default local" governs console, vty and (via "ip http authentication
! aaa" below) web-UI logins, so all management access resolves to the single
! local "Cisco" account above.
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
! WEP is the only cipher configured, and "broadcast-key change 1000" rotates
! the broadcast key every 1000 seconds. NOTE(review): WEP is a weak cipher even
! with per-session keys; move to WPA/TKIP or stronger where the radio and the
! client cards support it.
 encryption mode wep mandatory
 !
 broadcast-key change 1000
 !
 !
! The SSID is bound to eap_methods1 (external RADIUS). "guest-mode" makes this
! SSID the one advertised in beacons; that is not an access control either way.
 ssid tsunami
    authentication network-eap eap_methods1
    guest-mode
 !
! The next two lines are one "speed" command wrapped by the mail client.
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 rts threshold 2312
 channel 2422
 station-role root
 dot1x client-timeout 60
! NOTE(review): the bare "bridge-group 1" line for this interface is not shown
! and the next line lost its leading space -- presumably a paste artifact,
! worth confirming against the device.
bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address <ip> 255.255.255.0
 no ip route-cache
!
ip default-gateway <ip>
! NOTE(review): cleartext HTTP management is enabled and authenticated by the
! local account. Restrict it with "ip http access-class" (or disable it if the
! web UI is not needed); use HTTPS where the image supports it.
ip http server
! The next two lines are one "ip http help-path" command wrapped by the mail
! client.
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
/ivory/1100
ip http authentication aaa
! RADIUS requests are sourced from BVI1's address; the client entry on the
! RADIUS server must be for that address or the server will drop the packets.
ip radius source-interface BVI1
! NOTE(review): "public" is the well-known default community string, so any host
! that can reach BVI1 can read the device MIB (RO). Change it and bind it to an
! ACL, or remove SNMP if it is not used.
snmp-server community public RO
snmp-server enable traps tty
! Enables the AP's built-in local RADIUS authenticator. No local-server
! sub-configuration is shown and the aaa groups point at the external server,
! so this appears unused here.
radius-server local

!
! The shared secret is type-7 encoded (recoverable from this dump; rotate it)
! and is split across two lines by the mail client. It must match the secret
! configured for this AP's address on the RADIUS server side; a mismatch
! typically shows up as silently discarded requests on the server.
radius-server host <ip> auth-port 1812 acct-port 1813 key 7 1307160102
0001
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
! Only vty 5-15 has an explicit stanza; vty 0-4 presumably fall under the AAA
! "login default local" method. No access-class or transport restriction is
! visible for any line.
line con 0
line vty 5 15
!
end
