Hi folks,
Having managed to get freeradius 2.10 to run on Debian squeeze with a
username and password defined in /etc/freeradius/users, I was hoping
to take a step forward by getting it to authenticate users through
PAM. But, that's not working out as I had hoped.
Could sombody please tell me what's missing, or what I'm doing wrong?
So far I have done the following:
1.) Copied a set of 4096-bit MD5 SSL certificates that were used in
the previous configuration to the /etc/freeradius/certs directory. To
generate them, each time I used "LongStringNumberOne" for both the
input and output passwords.
Among the encryption files generated are ca.pem, dh, server.key and
server.pem. The ca.pem file was also copied to my laptop's /etc/certs
directory and is used with wpasupplicant for testing the system.
2.) Added the following lines to the end of /etc/freeradius/clients:
client 192.168.2.0/24 {
secret = LongStringNumberTwo
shortname = mynet
}
3.) Added the following line to the end of /etc/freeradius/users:
DEFAULT Auth-Type = Pam
4.) In /etc/freeradius/eap.conf I changed the values of the following
two attributes to:
default_eap_type = ttls
private_key_password = LongStringNumberOne
5.) In /etc/freeradius/radiusd.conf I changed the value of the
following attribute to:
user = root
6.) In both /etc/freeradius/sites-enabled/default and
/etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam"
entry in section "authenticate".
7.) Some sources suggest changing it, but I chose to leave the
contents of /etc/pam.d/radiusd unmodified:
@include common-auth
@include common-account
@include common-password
@include common-session
8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and
is configured as follows:
Wireless Mode AP
Wireless Network Mode Mixed
Wireless Network Name (SSID) mynet
Wireless Channel 6 - 2.437 GHz
Wireless SSID Broadcast Enable
Network Configuration Bridged
Security Mode WPA2 Enterprise
WPA Algorithms TKIP+AES
RADIUS Server Address 192.168.2.12
RADIUS Server Port 1812
RADIUS Shared Secret LongStringNumberTwo
Key Renewal Interval (in sec.) 3600
Unfortunately, after starting the server in debugging mode with
"freeradius -X", my client's authentication attempts get rejected and
I get the following output from the freeradius server:
=========================================
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0,
length=245
Cleaning up request 6 ID 0 with timestamp +12
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/
Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "jwinius"
NAS-IP-Address = 192.168.2.2
Called-Station-Id = "0014bf72f676"
Calling-Station-Id = "00110a81fb2b"
NAS-Identifier = "0014bf72f676"
NAS-Port = 17
Framed-MTU = 1400
State = 0x2ecb21dd28cc340c8873b5871c637572
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
# Executing section authorize from file /etc/freeradius/sites-enabled/
default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "jwinius"
State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/
inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user jwinius
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> jwinius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
=========================================
Any idea what I'm doing wrong?
Thanks,
Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
