hello everyone,
first off, i'm kinda new to freeradius and the wlan topic in general so i apologize in advance if this has been asked here before but my googling/researching didn't yield any conclusive answers to the problem i'm facing at this time so i would appreciate any input/pointers or help anyone could provide me with :)
setup:
-windows xp (sp1) notebook with wlan adapter and plain peap without any certificate checks or anything (is this possible at all?)
-cisco aironet1200 (IOS C1200 Software (C1200-K9W7-M), Version 12.2(15)JA) access point using open authentication with eap
-debian box with freeradius (0.9.3-1), freeradius -X output at the bottom of this email
what i am trying to do:
use the client to do a peap username/password authentication forwarded through the access point and have the logins accepted or denied. this works fine with mac-address authentication but as said, as soon as eap comes into play it's a no go :(
the result i'm getting so far is a logfile that keeps growing. the following is getting to the client i believe and somehow there's a proper answer missing if i'm not mistaken.
Fri May 21 02:10:55 2004 : Info: rlm_eap_md5: Issuing Challenge
Fri May 21 02:10:55 2004 : Auth: Login OK: [test] (from client ap port 435 cli 000e.3502.a7cb)
debugging output from the -X switch:
rad_recv: Access-Request packet from host 213.178.67.253:21719, id=195, length=156
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "000d.6548.7bb4"
Calling-Station-Id = "000e.3502.a7cb"
Service-Type = Login-User
Message-Authenticator = 0x6c2da4f62bdf41533377363c607bd995
EAP-Message = 0x028000060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 436
State = 0x8c3ad2e482613d0daabb48ee4a6de9fc7150ad409957c0bddd619790cd057768f7a1d30d
NAS-IP-Address = 213.178.67.253
NAS-Identifier = "ap"
modcall: entering group authorize for request 4734
modcall[authorize]: module "preprocess" returns ok for request 4734
modcall[authorize]: module "chap" returns noop for request 4734
rlm_eap: EAP packet type notification id 128 length 6
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 4734
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4734
users: Matched test at 75
modcall[authorize]: module "files" returns ok for request 4734
modcall[authorize]: module "mschap" returns noop for request 4734
modcall: group authorize returns updated for request 4734
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4734
rlm_eap: EAP packet type notification id 128 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: Unknown EAP type 25, reverting to default_eap_type
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok for request 4734
modcall: group authenticate returns ok for request 4734
Login OK: [test] (from client ap port 436 cli 000e.3502.a7cb)
Sending Access-Challenge of id 195 to 213.178.67.253:21719
EAP-Message = 0x018100160410047cb1de29d802461ac05ef182709afa
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaec79fbfd2e2c4c8fe5bbacb4a1e2cbe7150ad4021acf1f9bf76ee11b97e9ac97efc20dd
Finished request 4734
this is what keeps getting spammed and i honestly can't make sense of it. from what i can tell the supplicant doesn't respond to the challenge but i might be wrong and probably am.
apparently the 'rlm_eap: EAP Start not found' is the thing that makes all of this fail but why? if there is any additional data needed, logfiles, configurations please let me know. also feel free to bash me if i didn't get a basic concept but at least try to tell me what i've missed ;) thank you in advance for any clues or hints.
cheers,
sven juergensen
attachments: freeradius -X output
moonlight:/usr/sbin# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
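Added example (not part of the original post, and not FreeRADIUS code): a small Python decoder for the two EAP-Message values in the debug output above. It decodes the supplicant's Nak and the server's reply, then compares the requested method with the types the startup log shows rlm_eap loaded (md5 and leap); the type numbers are from RFC 3748 and the IANA EAP registry, and the function names are illustrative.

```python
import struct

# EAP codes and method types (RFC 3748 / IANA EAP registry) seen in this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}

# The two EAP-Message values copied from the debug output in the post.
CLIENT_RESPONSE = "0x028000060319"
SERVER_CHALLENGE = "0x018100160410047cb1de29d802461ac05ef182709afa"
# Startup log: "Loaded and initialized the type md5" (4) and "leap" (17).
LOADED_TYPES = {4, 17}


def parse_eap(hex_value):
    """Decode one EAP-Message value as printed by freeradius -X."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError("bad EAP length field: %d" % length)
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 3:
            # Nak: every data byte is a method number the peer would accept.
            pkt["wants"] = list(data)
        elif eap_type == 4 and data and data[0] <= len(data) - 1:
            # MD5-Challenge: one value-size byte, then the challenge value.
            pkt["challenge"] = data[1:1 + data[0]].hex()
    return pkt


def nak_mismatch(response_hex, loaded_types):
    """Methods requested in a Nak that the server has not loaded."""
    wanted = parse_eap(response_hex).get("wants", [])
    return [(t, EAP_TYPES.get(t, "unknown")) for t in wanted
            if t not in loaded_types]


if __name__ == "__main__":
    print(parse_eap(CLIENT_RESPONSE))
    print(parse_eap(SERVER_CHALLENGE))
    print("requested but not loaded:", nak_mismatch(CLIENT_RESPONSE, LOADED_TYPES))
```

The decoded Nak asks for type 25, which matches the "Unknown EAP type 25, reverting to default_eap_type" line in the log, and the server's reply is an MD5-Challenge with the next identifier.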

