Hi
I am using FreeRADIUS version 2.1.4 and I want to set up the config for EAP-TTLS using the users and clients files, but it didn't work. Please help me. Thanks.
***************OUTPUT************************************
Finished request 18.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 17 ID 18 with timestamp +75
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
	User-Name = "deneme"
	NAS-IP-Address = 10.1.1.252
	NAS-Port = 0
	Called-Station-Id = "00-30-4F-44-3D-C1"
	Calling-Station-Id = "00-18-DE-88-62-77"
	NAS-Identifier = "WirelessAccessPoint"
	Framed-MTU = 1380
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0211002219001703010017a5491ed47f0de82246939132f8766cf3c1a85f8c211be5
	State = 0x56c2eb4850d3f233efbb27b16d1adb57
	Message-Authenticator = 0x1ea576935b901d2c1f156615504ed0da
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - deneme
[peap] Got tunneled request
	EAP-Message = 0x0211000b0164656e656d65
server {
  PEAP: Got tunneled identity of deneme
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to deneme
Sending tunneled request
	EAP-Message = 0x0211000b0164656e656d65
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "deneme"
server inner-tunnel {
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
	EAP-Message = 0x011200261900170301001b3f825aee84e1fd23b0089c976f25f2f4054e5c93627e072882688f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x56c2eb4851d0f233efbb27b16d1adb57
Finished request 19.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 18 ID 19 with timestamp +78
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=21, length=187
	User-Name = "deneme"
	NAS-IP-Address = 10.1.1.252
	NAS-Port = 0
	Called-Station-Id = "00-30-4F-44-3D-C1"
	Calling-Station-Id = "00-18-DE-88-62-77"
	NAS-Identifier = "WirelessAccessPoint"
	Framed-MTU = 1380
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x021200261900170301001bd0f786fe5ec27d325f117cb1c6314a2fc09664e18d31038aaa2a5f
	State = 0x56c2eb4851d0f233efbb27b16d1adb57
	Message-Authenticator = 0xe4dd7f51a3fd9548338084267728d316
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> deneme
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 20 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 20
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
	EAP-Message = 0x04120004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 19 ID 20 with timestamp +81
Waking up in 3.9 seconds.
************EAP.conf********************
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id$

#######################################################################
eap {
	# default_eap_type = ttls

	#  A list is maintained to correlate EAP-Response
	#  packets with EAP-Request packets.  After a
	#  configurable length of time, entries in the list
	#  expire, and are deleted.
	#
	timer_expire = 60

	ignore_unknown_eap_types = no

	# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
	# a User-Name attribute in an Access-Accept, it copies one
	# more byte than it should.
	#
	# We can work around it by configurably adding an extra
	# zero byte.
	cisco_accounting_username_bug = no

	#
	#  Help prevent DoS attacks by limiting the number of
	#  sessions that the server is tracking.  Most systems
	#  can handle ~30 EAP sessions/s, so the default limit
	#  of 2048 is more than enough.
	max_sessions = 2048

	# Supported EAP-types
	#
	#  We do NOT recommend using EAP-MD5 authentication
	#  for wireless connections.  It is insecure, and does
	#  not provide for dynamic WEP keys.
	#
	md5 {
	}

	# Cisco LEAP
	#	leap {
	#	}

	# Generic Token Card.
	gtc {
		#  The default challenge, which many clients
		#  ignore..
		#challenge = "Password: "

		auth_type = PAP
	}

	## EAP-TLS
	#
	#  See raddb/certs/README for additional comments
	#  on certificates.
	#
	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
	#
	tls {
		#
		#  These are used to simplify later configurations.
		#
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		private_key_password = 123456
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
	#	fragment_size = 1024
	#	include_length = yes
	#	check_crl = yes
	#
	#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
	#	check_cert_cn = %{User-Name}
	#
		cipher_list = "DEFAULT"
	#	make_cert_command = "${certdir}/bootstrap"

		cache {
			#
			#  Enable it.  The default is "no".
			#  Deleting the entire "cache" subsection
			#  Also disables caching.
			#
			#  You can disallow resumption for a
			#  particular user by adding the following
			#  attribute to the control item list:
			#
			#	Allow-Session-Resumption = No
			#
			#  If "enable = no" below, you CANNOT
			#  enable resumption for just one user
			#  by setting the above attribute to "yes".
			#
			enable = no

			#
			#  Lifetime of the cached entries, in hours.
			#  The sessions will be deleted after this
			#  time.
			#
			lifetime = 24 # hours

			#
			#  The maximum number of entries in the
			#  cache.  Set to "0" for "infinite".
			#
			#  This could be set to the number of users
			#  who are logged in... which can be a LOT.
			#
			max_entries = 255
		}
	}

	ttls {
		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  TTLS tunnel, we recommend using EAP-MD5.
		#  If the request does not contain an EAP
		#  conversation, then this configuration entry
		#  is ignored.
		default_eap_type = md5

		#  allowed values: {no, yes}
		copy_request_to_tunnel = no

		#  allowed values: {no, yes}
		use_tunneled_reply = no

		virtual_server = "inner-tunnel"
	}

	peap {
		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  PEAP tunnel, we recommend using MS-CHAPv2,
		#  as that is the default type supported by
		#  Windows clients.
		default_eap_type = mschapv2

		#  the PEAP module also has these configuration
		#  items, which are the same as for TTLS.
		copy_request_to_tunnel = no
		use_tunneled_reply = no

		#  When the tunneled session is proxied, the
		#  home server may not understand EAP-MSCHAP-V2.
		#  Set this entry to "no" to proxy the tunneled
		#  EAP-MSCHAP-V2 as normal MSCHAPv2.
		#
		proxy_tunneled_request_as_eap = yes

		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
***************** inner-tunnel ***********
# -*- text -*-
######################################################################
#
#	This is a virtual server that handles *only* inner tunnel
#	requests for EAP-TTLS and PEAP types.
#
#	$Id$
#
######################################################################

server inner-tunnel {

authorize {
	suffix
	unix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files
	pap
	chap
	mschap
#	IPASS
#	ntdomain

	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
#	ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	#  Use the checkval module
#	checkval

	expiration
	logintime
}

# Authentication.
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap
}

######################################################################
#
#	There are no accounting requests inside of EAP-TTLS or PEAP
#	tunnels.
#
######################################################################

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#  Note that we do NOT assign IP addresses here.
	#  If you try to assign IP addresses for EAP authentication types,
	#  it WILL NOT WORK.  You MUST use DHCP.

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
#	Post-Proxy-Type Fail {
#		detail
#	}
}

} # inner-tunnel server block
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
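The EAP-Message attributes in the debug output above carry the EAP method that is actually being negotiated, so decoding them is the quickest way to check which tunnel the supplicant is using before touching eap.conf. The following is an added example written for this page, not code from the original post or from the FreeRADIUS project: it parses the RFC 3748 EAP header and, for the EAP-TLS family (TLS, TTLS, PEAP), the RFC 5216 flags byte and the leading TLS record header, then runs over the EAP-Message values copied from the posted log. The outer packets decode to EAP type 25 (PEAP), not 21 (TTLS); the tunneled request is an EAP-Identity Response for "deneme"; the last packet is an EAP Failure. The function names, the regular expression and the log excerpt embedded as `POSTED_LOG` are my own.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers from the IANA EAP registry (only the relevant ones).
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}


def decode_eap(hexstr):
    """Decode one EAP packet given in the 0x... form that radiusd -X prints."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident, "length": length}
    if code in (3, 4):          # Success / Failure carry no Type field
        return info
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    data = raw[5:]
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type in (13, 21, 25):
        # EAP-TLS style flags byte (RFC 5216 3.1); TTLS and PEAP keep their
        # protocol version in the low three bits.
        flags = data[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        body = data[1:]
        if flags & 0x80:        # 4-byte TLS Message Length field present
            info["tls_message_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        if len(body) >= 5:      # first TLS record header in this fragment
            info["tls_record"] = {
                "content_type": TLS_CONTENT.get(body[0], "unknown(%d)" % body[0]),
                "version": "%d.%d" % (body[1], body[2]),
                "length": int.from_bytes(body[3:5], "big")}
    return info


EAP_MESSAGE_RE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")


def eap_messages_in(log_text):
    """Decode every EAP-Message attribute found in radiusd debug output."""
    return [decode_eap(m) for m in EAP_MESSAGE_RE.findall(log_text)]


def outer_methods(decoded):
    """Tunnel methods seen in the decoded packets (Identity/Failure excluded)."""
    return sorted({d["type"] for d in decoded
                   if d.get("type") in ("TLS", "TTLS", "PEAP")})


# Excerpt copied from the debug output in the post above (attribute lines only).
POSTED_LOG = """\
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
    User-Name = "deneme"
    EAP-Message = 0x0211002219001703010017a5491ed47f0de82246939132f8766cf3c1a85f8c211be5
[peap] Got tunneled request
    EAP-Message = 0x0211000b0164656e656d65
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
    EAP-Message = 0x011200261900170301001b3f825aee84e1fd23b0089c976f25f2f4054e5c93627e072882688f
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
    EAP-Message = 0x04120004
"""

if __name__ == "__main__":
    decoded = eap_messages_in(POSTED_LOG)
    for packet in decoded:
        print(packet)
    print("outer EAP methods seen:", outer_methods(decoded))
```

Run it against a full `radiusd -X` capture and `outer_methods` tells you in one line whether the supplicant is sending TTLS (21) or PEAP (25) regardless of what `default_eap_type` says; the `tls_record` field shows application_data once the handshake is done, which is when the inner-tunnel virtual server starts seeing requests.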