Re: Problems getting eap-mschapv2 working.

2006-09-05 Thread Ian Walker
I tested this morning, and now have it working. Previously I just had the mschapv2 outside of the peap section and it didn't work. However, I added the mschap stanza to the modules stanza outside of eap. I also added mschap to authorize and authenticate stanzas. Not sure if this was needed, so not entirely sure which bit did it, or whether all of it was required.

Thank you all for your input in helping me get this resolved :-)

Regards
Ian

On 04/09/06, Alan DeKok [EMAIL PROTECTED] wrote:

 Ian Walker [EMAIL PROTECTED] wrote:
  however, there is no default/sample config that tells me how mschapv2 should be configured.

 The default configuration of mschapv2 works.

 Massive edits to the configuration will almost always break it.

 http://deployingradius.com/documents/configuration/setup.html

 Small changes, with tests, will almost always get it to work

 Alan DeKok.
 --
 http://deployingradius.com - The web site of the book
 http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
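
Added example, not part of the original thread or of FreeRADIUS: a small Python check for the misconfiguration discussed in this thread, where default_eap_type names an EAP type that has no stanza of its own directly under eap { }. The parser is a simplification (stanza name and "{" on the same line, "}" alone on its line), and the function and sample names are made up for illustration.

```python
def parse(text):
    """Parse radiusd.conf-style text into nested dicts (stanzas) and string values."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].split()[-1]] = child  # "exec cerb {" -> "cerb"
            stack.append(child)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return stack[0]

def missing_eap_types(conf):
    """Return (stanza path, type) for each default_eap_type with no stanza under eap."""
    eap = conf.get("modules", {}).get("eap", {})
    defined = {name for name, val in eap.items() if isinstance(val, dict)}
    problems, todo = [], [("eap", eap)]
    while todo:
        path, stanza = todo.pop()
        wanted = stanza.get("default_eap_type")
        if isinstance(wanted, str) and wanted not in defined:
            problems.append((path, wanted))
        todo += [(path + "/" + n, v) for n, v in stanza.items() if isinstance(v, dict)]
    return problems

# Constructed samples: the original post's eap layout (trimmed), then the reply's layout.
BROKEN = """modules {
  eap {
    peap {
      default_eap_type = mschapv2
      mschapv2 {
      }
    }
  }
}"""
FIXED = """modules {
  eap {
    peap {
      default_eap_type = mschapv2
    }
    mschapv2 {
    }
  }
}"""
print(missing_eap_types(parse(BROKEN)), missing_eap_types(parse(FIXED)))
```
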

Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread Ian Walker

 Did you generate the certificates that are mentioned there? The ones that ship with the server are expired, you have to generate your own certificate.

I generated the certificates myself, these are working fine. I can use md5 no problem, but peap complains about mschapv2.

 What version of FreeRADIUS. Version 1.1.1 fixed a lot of little PEAP things.
 Version 1.1.3 of course is what you should be running.

Using the latest version 1.1.3, compiled with all options enabled.

 Also, it looks like your actual problem is that you have re-written the eap section... and missed a Paren

They are all there, checked this morning, nothing missing.

 This is Mine. In yours you have included mschapv2 inside of PEAP. It is its own section, outside of the PEAP section.

I did have it like this originally, and it still didn't work.

Any ideas appreciated.


  
  
  From: freeradius-users-bounces+mking=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ian Walker
  Sent: Friday, September 01, 2006 8:36 AM
  To: freeradius-users@lists.freeradius.org
  Subject: Problems getting eap-mschapv2 working.

  Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.

  This is my radiusd.conf file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var/run
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

$INCLUDE  ${confdir}/clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	eap {
		default_eap_type = md5
		timer_expire = 60
		md5 {
		}
		tls {
			private_key_password = 
			private_key_file = /usr/local/etc/raddb/new.cert.key
			certificate_file = /usr/local/etc/raddb/new.cert.cert
			CA_file = /usr/local/etc/raddb/cacert.pem
			dh_file = /dev/urandom
			random_file = /dev/urandom
			fragment_size = 1024
			include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			mschapv2 {
				authtype = mschapv2
				use_mppe = yes
				require_encryption = yes
				require_strong = yes
			}
		}
	}

	files {
		usersfile = ${confdir}/users
		compat = no
	}
	exec cerb {
		wait = yes
		program = "/usr/local/bin/cerbauth -e freeradius"
		input_pairs = request
		output_pairs = reply
	}
	preprocess {
	}
}

authorize {
	preprocess
	eap
	files
}

authenticate {
	Auth-Type eap {
		eap
	}
	Auth-Type CERB {
		cerb
	}
}

  as you can see, I'm currently working with md5 and this works perfectly well. But when I set the client and configure the server to default for peap/tls, then it fails saying:

  "No such EAP type mschapv2"

  I believe if I can get past this, that my system will authenticate with peap/mschapv2 successfully.

  Hope you can help.

  Regards
  Ian


Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread Ian Walker
 You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.

I've now re-written the stanza and placed it correctly, so it appears like this:

peap {
  default_eap_type=mschapv2
}

mschapv2 {
}

however, there is no default/sample config that tells me how mschapv2 should be configured. With this config, which I tried previously, it didn't work, which was why I thought maybe it should exist in the peap stanza.

 Zoltan Ori

Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread K. Hoercher

On 9/4/06, Ian Walker [EMAIL PROTECTED] wrote:

however, there is no default/sample config that tells me how mschapv2 should


hmhm. the very default eap.conf says inter alia:
#
#  This takes no configuration.
#
[...]
mschapv2 {
   }

Do you still encounter problems? If so, would you please follow the
various FAQ,  hints in doc etc. and provide a debug output.

Oh, and btw a quick test with 1.1.3 shows that at least with that, the
statement about the (unconditional) need for configuration of the main
mschap module doesn't hold.

regards
K. Hoercher


Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread Zoltan

- Original Message -
From: Ian Walker [EMAIL PROTECTED]

 
   You have some items misplaced. Check against the default configuration that
   came with the server. In particular, mschapv2 and the contents of that
   stanza.


 I've now re-written the stanza and placed it correctly, so it appears like
 this:

 peap {
  default_eap_type=mschapv2
 }

 mschapv2 {
 }


Ok, that should be fine for eap.conf.

 however, there is no default/sample config that tells me how mschapv2 should
 be configured.

You will find default/sample configs in the source under raddb. Also, see
http://www.tldp.org/HOWTO/8021X-HOWTO/ which is mentioned on the home page
of www.freeradius.org. Especially section 3. There is probably plenty on the
wiki as well, though I can't seem to get to it at the moment.

 With this config, which I tried previously, it didn't work,
 which was why I thought maybe it should exist in the peap stanza.


You are still missing mschap? Debug output would help.

Zoltan Ori




Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread K. Hoercher

Hi,
just to avoid confusion:

On 9/4/06, K. Hoercher [EMAIL PROTECTED] wrote:

Oh, and btw a quick test with 1.1.3 shows that at least with that, the
statement about the (unconditional) need for configuration of the main
mschap module doesn't hold.


That's nonsense, I just messed up different test setups. It looked
strange, but I was in a hurry and so didn't check carefully, sorry for
that.

regards
K. Hoercher


Re: Problems getting eap-mschapv2 working.

2006-09-04 Thread Alan DeKok
Ian Walker [EMAIL PROTECTED] wrote:
 however, there is no default/sample config that tells me how mschapv2 should
 be configured.

  The default configuration of mschapv2 works.

  Massive edits to the configuration will almost always break it.

http://deployingradius.com/documents/configuration/setup.html

  Small changes, with tests, will almost always get it to work

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Problems getting eap-mschapv2 working.

2006-09-01 Thread King, Michael



Did you generate the certificates that are mentioned there? The ones that ship with the server are expired, you have to generate your own certificate.

What version of FreeRADIUS. Version 1.1.1 fixed a lot of little PEAP things.
Version 1.1.3 of course is what you should be running.
Most versions after 1.0.0 have the eap section broken out to a separate file, that has lots of comments in it about generating Certs.

Also, it looks like your actual problem is that you have re-written the eap section... and missed a Paren

This is Mine. In yours you have included mschapv2 inside of PEAP. It is its own section, outside of the PEAP section.

peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	use_tunneled_reply = yes
#	proxy_tunneled_request_as_eap = yes
}

mschapv2 {
}


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ian Walker
  Sent: Friday, September 01, 2006 8:36 AM
  To: freeradius-users@lists.freeradius.org
  Subject: Problems getting eap-mschapv2 working.

  Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.

  This is my radiusd.conf file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var/run
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

$INCLUDE  ${confdir}/clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	eap {
		default_eap_type = md5
		timer_expire = 60
		md5 {
		}
		tls {
			private_key_password = 
			private_key_file = /usr/local/etc/raddb/new.cert.key
			certificate_file = /usr/local/etc/raddb/new.cert.cert
			CA_file = /usr/local/etc/raddb/cacert.pem
			dh_file = /dev/urandom
			random_file = /dev/urandom
			fragment_size = 1024
			include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			mschapv2 {
				authtype = mschapv2
				use_mppe = yes
				require_encryption = yes
				require_strong = yes
			}
		}
	}

	files {
		usersfile = ${confdir}/users
		compat = no
	}
	exec cerb {
		wait = yes
		program = "/usr/local/bin/cerbauth -e freeradius"
		input_pairs = request
		output_pairs = reply
	}
	preprocess {
	}
}

authorize {
	preprocess
	eap
	files
}

authenticate {

	Auth-Type eap {
		eap
	}

	Auth-Type CERB {
		cerb
	}
}

  as you can see, I'm currently working with md5 and this works perfectly well. But when I set the client and configure the server to default for peap/tls, then it fails saying:

  "No such EAP type mschapv2"

  I believe if I can get past this, that my system will authenticate with peap/mschapv2 successfully.

  Hope you can help.

  Regards
  Ian

Re: Problems getting eap-mschapv2 working.

2006-09-01 Thread Zoltan Ori
On Friday 01 September 2006 08:36, Ian Walker wrote:
 Been trying to get eap working with peap/mschapv2 but it doesn't seem to
 work.

 This is my radiusd.conf file:

   }
   peap {
   default_eap_type = mschapv2
   mschapv2 {
   authtype = mschapv2
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   }
   }

You have some items misplaced. Check against the default configuration that 
came with the server. In particular, mschapv2 and the contents of that 
stanza.

Zoltan Ori
