> hi all,
>
> i am trying to authenticate users via EAP-MD5, just for testing purposes. i
> use the winxp supplicant (i know that after sp1 they don't support md5).
>
> i ran the radius server in the debug mode. here is the output.
>
> rad_recv: Access-Request packet from host 193.140.193.133:1084, id=43,
> length=176
> User-Name = "onur"
> Cisco-AVPair = "ssid=deneme1"
> NAS-IP-Address = 193.140.193.133
> Called-Station-Id = "00409658c568"
> Calling-Station-Id = "00601d23ac50"
> NAS-Identifier = "mobile1.mast.boun.edu.tr"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message =
> 0x0276001a04105039fc16b3f07964ed389fdcb541b3d86f6e7572
> Message-Authenticator = 0x331a683c47109fa7665f3af45a3b83ff
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_eap: EAP packet type notification id 118 length 26
> rlm_eap: EAP Start not found
> modcall[authorize]: module "eap" returns updated
> users: Matched onur at 9
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: EAP packet type notification id 118 length 26
> rlm_eap: EAP Start not found
> rlm_eap: NO State Attribute found: Cannot match EAP packet to any existing conversation.
> modcall[authenticate]: module "eap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Delaying request 54 for 1 seconds
> Finished request 54
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 193.140.193.133:1084, id=43,
> length=176
> Sending Access-Reject of id 43 to 193.140.193.133:1084
> Reply-Message = "boo-3"
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 52 ID 41 with timestamp 407f0c20
> Cleaning up request 53 ID 42 with timestamp 407f0c20
> Cleaning up request 54 ID 43 with timestamp 407f0c20
> Nothing to do. Sleeping until we see a request.
>
> i am using a cisco ap 350 and wavelan cards. the user is defined but i cannot
> figure out where the problem is. in the users file i set the reply message
> to "boo-3" so i think it works out the username and password correctly. and i
> have no idea what
> "rlm_eap: EAP Start not found
> rlm_eap: NO State Attribute found: Cannot match EAP packet to any existing conversation."
> means...
>
>
> thanks in advance
> onur simsek
>
> ps: the config file
> V
> *********************************************************************************************
> ##
> ## radiusd.conf -- FreeRADIUS server configuration file.
> ##
> prefix = /usr  # install paths; later settings reuse them through ${...}
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> # Location of config and logfiles.
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = /usr/lib
> pidfile = ${run_dir}/radiusd.pid
> user = radiusd  # daemon runs under this dedicated account rather than root
> group = radiusd
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *  # listens on every local address; clients.conf (included below) decides which NAS hosts are accepted
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = no
> log_auth_badpass = yes  # NOTE(review): acts together with log_auth (off above); with both on, rejected passwords go to log_file in clear - confirm for this version
> log_auth_goodpass = yes  # NOTE(review): same for accepted passwords; set to no anywhere but a test box
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1  # Access-Reject is held back 1 second, matching "Delaying request 54 for 1 seconds" in the debug output
> status_server = no
> }
> proxy_requests = yes
> $INCLUDE ${confdir}/proxy.conf
> $INCLUDE ${confdir}/clients.conf
> snmp = no
> $INCLUDE ${confdir}/snmp.conf
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> pam {
> pam_auth = radiusd
> }
> unix {
> cache = no
> cache_reload = 600
> shadow = /etc/shadow
> radwtmp = ${logdir}/radwtmp
> }
> eap {  # NOTE(review): md5 is the only EAP method enabled in this instance
>
> md5 {  # EAP-MD5 authenticates the client only, derives no session keys, and its challenge/response can be guessed offline; keep to lab use
> }
> }
> mschap {
> authtype = MS-CHAP
> }
> ldap {  # not listed in authorize or authenticate below
> server = "ldap.your.domain"
> basedn = "o=My Org,c=UA"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no  # NOTE(review): directory traffic would not be TLS-protected; turn on before this module is put to use
> access_attr = "dialupAccess"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"  # NOTE(review): value with no key; looks like a groupmembership_filter line lost in pasting - confirm
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
> realm realmslash {
> format = prefix
> delimiter = "/"
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> }
> realm realmpercent {
> format = suffix
> delimiter = "%"
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> compat = no
> }
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600  # accounting detail files readable by the owning account only
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
> NAS-Port-Id"
> }
> $INCLUDE ${confdir}/sql.conf
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
>
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644  # world-readable copy of the session file; callerid is switched off for it on the next line
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
> expr {
> }
> digest {
> }
> exec {
> wait = yes
> input_pairs = request
> }
> exec echo {  # NOTE(review): program below expands the client-supplied User-Name into a command line; instance is not referenced in any section of this file
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> }
> ippool main_pool {
> range-start = 192.168.1.1
> range-stop = 192.168.3.254
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> }
>
> # ANSI X9.9 token support. Not included by default.
> # $INCLUDE ${confdir}/x99.conf
>
> }
>
> instantiate {
> expr
> }
> authorize {  # modules run in the order listed; the debug output shows preprocess, eap, files
>
> preprocess
>
> eap
>
> files
>
> }
> authenticate {  # EAP is the only authentication method offered
>
> eap
>
> }
> preacct {
> preprocess
> suffix
> files
> }
> accounting {
> acct_unique
>
> detail
>
> unix # wtmp file
>
> radutmp
> }
> session {
> radutmp
> }
> post-auth {
> }
> pre-proxy {
> }
> post-proxy {
> eap
> }
Hi,
Can you show me your supplicant's authentication configuration?
Fred