freeradius 2.0.4 and peap

2008-05-02 Thread Manuel Sánchez Cuenca

Hello all,

I have installed freeradius 2.0.4 and now I'm trying to configure peap.

When I try to connect using a Windows XP laptop, the server rejects the
user.

The log shows this information:

 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for lolo with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [lolo/via Auth-Type = EAP] (from client dame-ap port
0 via TLS tunnel)
 PEAP: Tunneled authentication was rejected.


The configuration files are the following:

* eap.conf

   eap {
       default_eap_type = peap
       . . .
       tls {
           private_key_password = srvpwd
           private_key_file = ${certdir}/server.pem
           certificate_file = ${certdir}/server.pem
           CA_file = ${cadir}/ca.pem
           . . .
       }
       peap {
           default_eap_type = mschapv2
           copy_request_to_tunnel = no
           use_tunneled_reply = no
           virtual_server = inner-tunnel
       }
       mschapv2 {
       }
   }


* users

   lolo Cleartext-Password := password

* sites-enabled/default

   authorize {
       eap {
           ok = return
       }
       ...
   }
   authenticate {
       eap
       ...
   }
   ...

Can anybody help me?

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Departamento de Ingeniería y Tecnología de Computadores
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644  Fax: +34-968-364151
email: [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
url: http://webs.um.es/manuelsc

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 2.0.4 and peap

2008-05-02 Thread Manuel Sánchez Cuenca

Ivan Kalik wrote:

> You have expertly deleted all the relevant information from the debug and
> your configuration. Post the complete debug.

I solved the problem by commenting out the line
   virtual_server = inner-tunnel
in the peap section of eap.conf



LDAP access configuration

2007-05-23 Thread Manuel Sánchez Cuenca
Hello all,

I have a scenario where a first radius server (R1) proxies the
authentication request to another radius server (R2). Later, when the
user is authenticated, R1 must access an LDAP server to recover some
network parameters, such as session-timeout or framed-ip-address, and
enforce them in the Access Point (AP). Currently, R1 is configured to
access the LDAP server using the user name as filter (filter =
(uid=%{Stripped-User-Name:-%{User-Name}}) in radiusd.conf). My
question is: is it possible to configure this filter to use a radius
attribute received in the response from R2? I mean, R2 returns in the
response an attribute called attr1=val1, and then R1 must use this
attribute to search in the LDAP server (filter=(uid=%{attr1}) or
something similar?)


[Diagram: network topology with User, AP, R1, R2, Internet and LDAP]

[Diagram: message sequence among User, AP, R1, LDAP and R2, in order:
(authn req.), (authn response + attr1=val1), (search uid=attr1),
(network params), (params), (Success)]


Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644  Fax: +34-968-364151
email: [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo





PEAP authentication + LDAP attribute recovery

2007-05-14 Thread Manuel Sánchez Cuenca
Hi all,

Is it possible to configure freeradius to authenticate users using PEAP
and then, for authenticated users, return some RADIUS attributes
recovered from an LDAP server, such as Session-Timeout or
Framed-IP-Address? And in that case, how can I configure it?

Thanks in advance.



Re: Radius attributes and APs

2006-11-28 Thread Manuel Sánchez Cuenca

Alan DeKok wrote:

> David Mitton wrote:
>
>> The problem with compiling such a list is acquiring the equipment to test.
>
>   Adding up everyone on this list, we can probably account for most
> networking equipment sold in the past 10 years.  The problem is getting
> that information out, and into the public arena.
>
>> I discovered that the Linksys didn't honor Session-Timeouts when I
>> captured it screwing up EAP-POTP sessions in progress, despite our
>> RADIUS server providing Session-Timeout values in every EAP exchange.
>> I think it's actually not properly implementing the 802.1x state machine
>> in its timeout behavior.
>
>   I've updated the Wiki with a pointer to this message. :)

I can't find this link in the wiki. Can you put the link to the specific
URL in the wiki here?

Thanks.

>> The only AP that I know that works for everything I throw at it, during
>> development, is the Cisco Aironet 1200 series.   The only problem is
>> that it's not cheap.  But it works for me, so I don't try others.
>
>   I've updated the Wiki with that information, too.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Radius attributes and APs

2006-11-23 Thread Manuel Sánchez Cuenca
Can anybody tell me of any Access Point which understands and enforces some
radius attributes returned by freeradius, such as Session-Timeout?


Thanks in advance.



RadSec

2006-11-02 Thread Manuel Sánchez Cuenca

Hello all,

Is RadSec implemented in FreeRadius? Or is it planned to be done?

Thanks in advance.



AP and radius attributes

2006-10-30 Thread Manuel Sánchez Cuenca

Hello all,

Does anybody know if the Linksys WRT54G AP supports any radius
attribute, such as Session-Timeout? Anyway, can anybody tell me which
APs apply the radius attributes sent by the freeradius server after a
successful authentication?


Thanks in advance.



Radius Attributes

2006-10-26 Thread Manuel Sánchez Cuenca

Hello all,

How must I configure my freeradius server to include in the 
Access-Accept response to the AP several radius attributes such as 
Session-Timeout or Framed-IP-Address?


Thanks in advance.



PEAP Version

2004-06-21 Thread Manuel Sánchez Cuenca
Hello all,
Can anybody tell me which version of PEAP is implemented in FreeRadius?
Is PEAP version 2 implemented?

Thanks in advance.
--
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo
www: http://livia.dif.um.es/~irisgrid



PEAP failure

2004-05-13 Thread Manuel Sánchez Cuenca
Hello all,

Can anybody tell me what this error means when using peap:

 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: doing MS-CHAPv2 for lolo with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Thanks in advance.

--
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo




Re: PEAP failure

2004-05-13 Thread Manuel Sánchez Cuenca
Alan DeKok wrote:

> Manuel Sánchez Cuenca [EMAIL PROTECTED] wrote:
>
>>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: doing MS-CHAPv2 for lolo with NT-Password
>>  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>
>  PEAP (and mschap) needs access to a good clear-text password, or
> an nt-password to compare against the request.

I have this in my users configuration file:

lolo   User-Password == entrar
  Reply-Message = Hola, lolo

Is this correct?

>  If the server doesn't have a password for the user, then it can't
> check the password the user supplied.
>
>  Alan DeKok.



Re: peap failure

2004-05-10 Thread Manuel Sánchez Cuenca
Alan DeKok wrote:

> Manuel Sánchez Cuenca [EMAIL PROTECTED] wrote:
>
>> Hello all, I have installed the CVS version of Freeradius and I have
>> configured it to use peap. I'm using Xsupplicant as client and a
>> DWL-900AP+ as Access Point.
>
>  Upgrade xsupplicant.  They had a bug in an older version.
>
>  Alan DeKok.

I'm using the latest xsupplicant version (0.8b)



Re: peap failure

2004-05-10 Thread Manuel Sánchez Cuenca
Michael Griego wrote:

> Are you using the latest CVS snapshot?  An issue causing the same
> symptoms that you are seeing was recently fixed.  Try compiling the
> latest snapshot and see if that fixes the error.

I get the same error with the freeradius-snapshot-20040509.

> --Mike
>
> On Fri, 2004-05-07 at 08:55, Manuel Sánchez Cuenca wrote:
>
>> Hello all, I have installed the CVS version of Freeradius and I have
>> configured it to use peap. I'm using Xsupplicant as client and a
>> DWL-900AP+ as Access Point.
>>
>> The problem is that the connect process fails, and looking at the radius
>> log I have seen that the first phase is correct, but in the second phase
>> I get this error:
>>
>> =
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP/mschapv2
>> rlm_eap: processing type mschapv2
>> rlm_eap_mschapv2: Response contains contradictory length 49 54
>> rlm_eap: Handler failed in EAP/mschapv2
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module eap returns invalid for request 7
>> modcall: group authenticate returns invalid for request 7
>> auth: Failed to validate the user.
>> PEAP: Got tunneled reply RADIUS code 3
>>   EAP-Message = 0x04080004
>>   Message-Authenticator = 0x
>> PEAP: Processing from tunneled session code 0x818afd0 3
>>   EAP-Message = 0x04080004
>>   Message-Authenticator = 0x
>> PEAP: Tunneled authentication was rejected.
>> rlm_eap_peap: FAILURE
>> ===
>> Can anybody tell me what is happening?
>>
>> Thanks in advance.





peap failure

2004-05-07 Thread Manuel Sánchez Cuenca
Hello all, I have installed the CVS version of Freeradius and I have
configured it to use peap. I'm using Xsupplicant as client and a
DWL-900AP+ as Access Point.

The problem is that the connect process fails, and looking at the radius
log I have seen that the first phase is correct, but in the second phase
I get this error:

=
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Response contains contradictory length 49 54
rlm_eap: Handler failed in EAP/mschapv2
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
  EAP-Message = 0x04080004
  Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x818afd0 3
  EAP-Message = 0x04080004
  Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
===
Can anybody tell me what is happening?

Thanks in advance.



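
The `Response contains contradictory length 49 54` line in the log above reports a length field that disagrees with the EAP-MSCHAPv2 framing. The following is an added example, not part of the original posts and not FreeRADIUS code: it checks the length fields of an EAP-MSCHAPv2 Response as laid out in draft-kamath-pppext-eap-mschapv2. Reading 49 as the received MS-Length and 54 as the minimum of 5 + 49 is an assumption, and both packets are constructed.

```python
import struct

# Field layout assumed from draft-kamath-pppext-eap-mschapv2 (not FreeRADIUS source).
EAP_HDR = 5               # Code, Identifier, Length(2), Type
EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
OP_RESPONSE = 2
MS_FIXED = 5              # OpCode, MS-CHAPv2-ID, MS-Length(2), Value-Size
VALUE_SIZE = 49           # Peer-Challenge 16 + Reserved 8 + NT-Response 24 + Flags 1


def check_mschapv2_response(pkt: bytes) -> list:
    """Return framing problems found in an EAP-MSCHAPv2 Response ([] if none)."""
    if len(pkt) < EAP_HDR + MS_FIXED:
        return ["packet too short for EAP and MS-CHAPv2 headers"]
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    opcode, _ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    problems = []
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        problems.append("not an EAP-Response of type MS-CHAPv2")
    if opcode != OP_RESPONSE:
        problems.append(f"unexpected OpCode {opcode}")
    if eap_len != len(pkt):
        problems.append(f"EAP Length {eap_len} != bytes received {len(pkt)}")
    if value_size != VALUE_SIZE:
        problems.append(f"Value-Size {value_size} != {VALUE_SIZE}")
    if ms_len < MS_FIXED + VALUE_SIZE:
        problems.append(f"MS-Length {ms_len} < minimum {MS_FIXED + VALUE_SIZE}")
    if ms_len != eap_len - EAP_HDR:
        problems.append(f"MS-Length {ms_len} != EAP Length - 5 ({eap_len - EAP_HDR})")
    return problems


def build_response(name: bytes, ms_len=None) -> bytes:
    """Constructed sample packet with a zeroed 49-byte value (not a capture)."""
    true_len = MS_FIXED + VALUE_SIZE + len(name)
    ms_hdr = struct.pack("!BBHB", OP_RESPONSE, 8,
                         true_len if ms_len is None else ms_len, VALUE_SIZE)
    body = ms_hdr + bytes(VALUE_SIZE) + name
    return struct.pack("!BBHB", EAP_RESPONSE, 8, EAP_HDR + len(body),
                       EAP_TYPE_MSCHAPV2) + body


GOOD = build_response(b"lolo")
BAD = build_response(b"lolo", ms_len=49)   # peer wrote the value size into MS-Length

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad", BAD)):
        print(label, check_mschapv2_response(pkt) or "lengths consistent")
```

A server that applies these checks before touching the 49-byte value rejects a malformed inner response early instead of parsing fields at the wrong offsets.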