Try adding:

jwinius Cleartext-Password := xxx
On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <[email protected]> wrote:
> Hi folks,
>
> Having managed to get freeradius 2.10 to run on Debian squeeze with a
> username and password defined in /etc/freeradius/users, I was hoping to
> take a step forward by getting it to authenticate users through PAM. But,
> that's not working out as I had hoped.
>
> Could somebody please tell me what's missing, or what I'm doing wrong? So
> far I have done the following:
>
> 1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the
> previous configuration to the /etc/freeradius/certs directory. To generate
> them, each time I used "LongStringNumberOne" for both the input and output
> passwords.
> Among the encryption files generated are ca.pem, dh, server.key and
> server.pem. The ca.pem file was also copied to my laptop's /etc/certs
> directory and is used with wpasupplicant for testing the system.
>
> 2.) Added the following lines to the end of /etc/freeradius/clients:
>
> client 192.168.2.0/24 {
>         secret = LongStringNumberTwo
>         shortname = mynet
> }
>
> 3.) Added the following line to the end of /etc/freeradius/users:
>
> DEFAULT Auth-Type = Pam
>
> 4.) In /etc/freeradius/eap.conf I changed the values of the following two
> attributes to:
>
> default_eap_type = ttls
> private_key_password = LongStringNumberOne
>
> 5.) In /etc/freeradius/radiusd.conf I changed the value of the following
> attribute to:
>
> user = root
>
> 6.) In both /etc/freeradius/sites-enabled/default and
> /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam"
> entry in section "authenticate".
>
> 7.) Some sources suggest changing it, but I chose to leave the contents of
> /etc/pam.d/radiusd unmodified:
>
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
> 8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is
> configured as follows:
>
> Wireless Mode                   AP
> Wireless Network Mode           Mixed
> Wireless Network Name (SSID)    mynet
> Wireless Channel                6 - 2.437 GHz
> Wireless SSID Broadcast         Enable
> Network Configuration           Bridged
>
> Security Mode                   WPA2 Enterprise
> WPA Algorithms                  TKIP+AES
> RADIUS Server Address           192.168.2.12
> RADIUS Server Port              1812
> RADIUS Shared Secret            LongStringNumberTwo
> Key Renewal Interval (in sec.)  3600
>
> Unfortunately, after starting the server in debugging mode with
> "freeradius -X", my client's authentication attempts get rejected and I get
> the following output from the freeradius server:
>
> =========================================
>
> rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0,
> length=245
> Cleaning up request 6 ID 0 with timestamp +12
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>         User-Name = "jwinius"
>         NAS-IP-Address = 192.168.2.2
>         Called-Station-Id = "0014bf72f676"
>         Calling-Station-Id = "00110a81fb2b"
>         NAS-Identifier = "0014bf72f676"
>         NAS-Port = 17
>         Framed-MTU = 1400
>         State = 0x2ecb21dd28cc340c8873b5871c637572
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
>         Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 112
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] eaptls_verify returned 7
> [ttls] Done initial handshake
> [ttls] eaptls_process returned 7
> [ttls] Session established. Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>         FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "jwinius"
>         State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
> server inner-tunnel {
> # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 211
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
>         EAP-Message = 0x04010004
>         Message-Authenticator = 0x00000000000000000000000000000000
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> rlm_eap_ttls: Freeing handler for user jwinius
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> jwinius
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 0 to 192.168.2.2 port 1025
>         EAP-Message = 0x04070004
>         Message-Authenticator = 0x00000000000000000000000000000000
>
> =========================================
>
> Any idea what I'm doing wrong?
>
> Thanks,
>
> Jaap
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
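As an added example (not part of the original post, the reply, or the FreeRADIUS project), the script below does mechanically what the reply did by eye: it walks `freeradius -X` output, keeps track of which virtual server (default or inner-tunnel) and section is running, and reports the first module whose return code is a failure together with the module messages printed just before it. In the quoted log that is `[eap]` returning `invalid` inside `inner-tunnel`/`authenticate`, preceded by `rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication`, which is the line the reply's `Cleartext-Password := xxx` entry addresses. The embedded log is a constructed subset of the output quoted above; the hint table is an assumption of mine and contains only the remedy the reply gives.

```python
"""Triage helper for `freeradius -X` debug output (added example; not code
from the thread or from the FreeRADIUS project). SAMPLE_LOG is a constructed
subset of the debug output quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

MODULE_RC = re.compile(r"^\+\+\[(?P<module>[^\]]+)\] returns (?P<rc>\w+)$")
SERVER_OPEN = re.compile(r"^server (?P<name>\S+) \{$")
SERVER_CLOSE = re.compile(r"^\} # server \S+$")
SECTION = re.compile(r"^\+- entering group (?P<section>\S+) \{\.\.\.\}$")
# Module return codes that make a section (and normally the request) fail.
FAILING = {"fail", "invalid", "reject", "userlock", "notfound"}


@dataclass
class Failure:
    server: str
    section: Optional[str]
    module: str
    rc: str
    diagnostics: List[str]  # "[mod] ..." and "rlm_*" lines since the last rc line


def first_failure(log_text: str) -> Optional[Failure]:
    """Return the first failing module return code, with preceding module chatter."""
    servers = ["default"]        # debug output starts in the default server (assumption)
    section: Optional[str] = None
    pending: List[str] = []      # module messages seen since the last "returns" line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVER_OPEN.match(line)
        if m:                    # entering a nested virtual server, e.g. inner-tunnel
            servers.append(m.group("name"))
            pending = []
            continue
        if SERVER_CLOSE.match(line):
            if len(servers) > 1:
                servers.pop()
            pending = []
            continue
        m = SECTION.match(line)
        if m:
            section, pending = m.group("section"), []
            continue
        m = MODULE_RC.match(line)
        if m:
            if m.group("rc") in FAILING:
                return Failure(servers[-1], section, m.group("module"), m.group("rc"), pending)
            pending = []
            continue
        if line.startswith("[") or line.startswith("rlm_"):
            pending.append(line)
    return None


# Hypothetical hint table: diagnostic substring -> remedy (only the reply's remedy is listed).
KNOWN_HINTS = [
    ("Cleartext-Password is required",
     "the inner EAP method needs the user's cleartext password on the server; "
     "add a 'Cleartext-Password := ...' entry for the user in /etc/freeradius/users"),
]


def hint_for(failure: Failure) -> str:
    for needle, hint in KNOWN_HINTS:
        if any(needle in d for d in failure.diagnostics):
            return hint
    return "no stored hint; read the module messages printed just before the failing return code"


SAMPLE_LOG = """\
+- entering group authorize {...}
++[preprocess] returns ok
[eap] Continuing tunnel setup.
++[eap] returns ok
+- entering group authenticate {...}
[eap] EAP/ttls
[ttls] Got tunneled request
        EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[pap] returns noop
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
} # server inner-tunnel
[ttls] Got tunneled Access-Reject
++[eap] returns invalid
"""

if __name__ == "__main__":
    f = first_failure(SAMPLE_LOG)
    if f is None:
        print("no failing module return code found")
    else:
        print(f"{f.server}/{f.section}: [{f.module}] returned {f.rc}")
        for d in f.diagnostics:
            print("   ", d)
        print("hint:", hint_for(f))
```

Feed it a real debug capture with `first_failure(open("radiusd.log").read())`; because the inner-tunnel failure is reported first, it points at the root cause rather than at the outer `[eap] returns invalid` that merely propagates the tunneled reject.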

