Re: Problems getting eap-mschapv2 working.
I tested this morning, and now have it working. Previously I just had the mschapv2 outside of the peap section and it didn't work. However, I added the mschap stanza to the modules stanza outside of eap. I also added mschap to authorize and authenticate stanzas. Not sure if this was needed, so not entirely sure which bit did it, or whether all of it was required.

Thank you all for your input in helping me get this resolved :-)

Regards
Ian

On 04/09/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Ian Walker [EMAIL PROTECTED] wrote:
>> however, there is no default/sample config that tells me how mschapv2 should be configured.
>
> The default configuration of mschapv2 works. Massive edits to the configuration will almost always break it.
>
> http://deployingradius.com/documents/configuration/setup.html
>
> Small changes, with tests, will almost always get it to work
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems getting eap-mschapv2 working.
> Did you generate the certificates that are mentioned there? The ones that ship with the server are expired, you have to generate your own certificate.

I generated the certificates myself, these are working fine. I can use md5 no problem, but peap complains about mschapv2.

> What version of FreeRADIUS? Version 1.1.1 fixed a lot of little PEAP things. Version 1.1.3 of course is what you should be running.

Using the latest version 1.1.3, compiled with all options enabled.

> Also, it looks like your actual problem is that you have re-written the eap section... and missed a Paren

They are all there, checked this morning, nothing missing.

> This is Mine. In yours you have included mschapv2 inside of PEAP. It is its own section, outside of the PEAP section.

I did have it like this originally, and it still didn't work.

Any ideas appreciated.

From: freeradius-users-bounces+mking=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Ian Walker
Sent: Friday, September 01, 2006 8:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting eap-mschapv2 working.

Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.

This is my radiusd.conf file:

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var/run
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = *
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    $INCLUDE ${confdir}/clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        eap {
            default_eap_type = md5
            timer_expire = 60
            md5 {
            }
            tls {
                private_key_password =
                private_key_file = /usr/local/etc/raddb/new.cert.key
                certificate_file = /usr/local/etc/raddb/new.cert.cert
                CA_file = /usr/local/etc/raddb/cacert.pem
                dh_file = /dev/urandom
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
                mschapv2 {
                    authtype = mschapv2
                    use_mppe = yes
                    require_encryption = yes
                    require_strong = yes
                }
            }
        }
        files {
            usersfile = ${confdir}/users
            compat = no
        }
        exec cerb {
            wait = yes
            program = "/usr/local/bin/cerbauth -e freeradius"
            input_pairs = request
            output_pairs = reply
        }
        preprocess {
        }
    }
    authorize {
        preprocess
        eap
        files
    }
    authenticate {
        Auth-Type eap {
            eap
        }
        Auth-Type CERB {
            cerb
        }
    }

as you can see, I'm currently working with md5 and this works perfectly well.

But when I set the client and configure the server to default for peap/tls, then it fails saying:

    No such EAP type mschapv2

I believe if I can get past this, that my system will authenticate with peap/mschapv2 successfully.

Hope you can help.

Regards
Ian
Re: Problems getting eap-mschapv2 working.
> You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.

I've now re-written the stanza and placed it correctly, so it appears like this:

    peap {
        default_eap_type=mschapv2
    }
    mschapv2 {
    }

however, there is no default/sample config that tells me how mschapv2 should be configured. With this config, which I tried previously, it didn't work, which was why I thought maybe it should exist in the peap stanza.

> Zoltan Ori
Re: Problems getting eap-mschapv2 working.
On 9/4/06, Ian Walker [EMAIL PROTECTED] wrote:
> however, there is no default/sample config that tells me how mschapv2 should

hmhm. the very default eap.conf says inter alia:

    #
    # This takes no configuration.
    #
    [...]
    mschapv2 {
    }

Do you still encounter problems? If so, would you please follow the various FAQ, hints in doc etc. and provide a debug output.

Oh, and btw a quick test with 1.1.3 shows that at least with that, the statement about the (unconditional) need for configuration of the main mschap module doesn't hold.

regards
K. Hoercher
Re: Problems getting eap-mschapv2 working.
----- Original Message -----
From: Ian Walker [EMAIL PROTECTED]

>> You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.
>
> I've now re-written the stanza and placed it correctly, so it appears like this:
>
>     peap {
>         default_eap_type=mschapv2
>     }
>     mschapv2 {
>     }

Ok, that should be fine for eap.conf.

> however, there is no default/sample config that tells me how mschapv2 should be configured.

You will find default/sample configs in the source under raddb. Also, see http://www.tldp.org/HOWTO/8021X-HOWTO/ which is mentioned on the home page of www.freeradius.org. Especially section 3. There is probably plenty on the wiki as well, though I can't seem to get to it at the moment.

> With this config, which I tried previously, it didn't work, which was why I thought maybe it should exist in the peap stanza.

You are still missing mschap? Debug output would help.

Zoltan Ori
Re: Problems getting eap-mschapv2 working.
Hi,

just to avoid confusion:

On 9/4/06, K. Hoercher [EMAIL PROTECTED] wrote:
> Oh, and btw a quick test with 1.1.3 shows that at least with that, the statement about the (unconditional) need for configuration of the main mschap module doesn't hold.

That's nonsense, I just messed up different test setups. It looked strange, but I was in a hurry and so didn't check carefully, sorry for that.

regards
K. Hoercher
Re: Problems getting eap-mschapv2 working.
Ian Walker [EMAIL PROTECTED] wrote:
> however, there is no default/sample config that tells me how mschapv2 should be configured.

The default configuration of mschapv2 works. Massive edits to the configuration will almost always break it.

http://deployingradius.com/documents/configuration/setup.html

Small changes, with tests, will almost always get it to work

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Problems getting eap-mschapv2 working.
Did you generate the certificates that are mentioned there? The ones that ship with the server are expired, you have to generate your own certificate.

What version of FreeRADIUS? Version 1.1.1 fixed a lot of little PEAP things. Version 1.1.3 of course is what you should be running.

Most versions after 1.0.0 have the eap section broken out to a separate file, that has lots of comments in it about generating Certs.

Also, it looks like your actual problem is that you have re-written the eap section... and missed a Paren

This is Mine. In yours you have included mschapv2 inside of PEAP. It is its own section, outside of the PEAP section.

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        # proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian Walker
Sent: Friday, September 01, 2006 8:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting eap-mschapv2 working.

Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.

This is my radiusd.conf file:

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var/run
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = *
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    $INCLUDE ${confdir}/clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        eap {
            default_eap_type = md5
            timer_expire = 60
            md5 {
            }
            tls {
                private_key_password =
                private_key_file = /usr/local/etc/raddb/new.cert.key
                certificate_file = /usr/local/etc/raddb/new.cert.cert
                CA_file = /usr/local/etc/raddb/cacert.pem
                dh_file = /dev/urandom
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
                mschapv2 {
                    authtype = mschapv2
                    use_mppe = yes
                    require_encryption = yes
                    require_strong = yes
                }
            }
        }
        files {
            usersfile = ${confdir}/users
            compat = no
        }
        exec cerb {
            wait = yes
            program = "/usr/local/bin/cerbauth -e freeradius"
            input_pairs = request
            output_pairs = reply
        }
        preprocess {
        }
    }
    authorize {
        preprocess
        eap
        files
    }
    authenticate {
        Auth-Type eap {
            eap
        }
        Auth-Type CERB {
            cerb
        }
    }

as you can see, I'm currently working with md5 and this works perfectly well.

But when I set the client and configure the server to default for peap/tls, then it fails saying:

    "No such EAP type mschapv2"

I believe if I can get past this, that my system will authenticate with peap/mschapv2 successfully.

Hope you can help.

Regards
Ian
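The stanza placement discussed in this thread (mschapv2 as its own section beside peap inside eap, and the mschap module present under modules, authorize and authenticate), written as a check. This is an added example, not part of any poster's message and not FreeRADIUS code; the function names `parse`, `mentions` and `check` are hypothetical, and the parser is a simplified line-based one that assumes `name {` ends a line and `}` sits on its own line.

```python
# Added example: simplified parser for radiusd.conf-style nested stanzas.
def parse(text):
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):                   # "Auth-Type eap {" -> "eap"
            stack.append(stack[-1].setdefault(line[:-1].split()[-1], {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = value
        elif line:
            stack[-1][line] = True               # bare module reference
    return stack[0]

def mentions(section, name):
    """True if name is a key anywhere inside section (covers Auth-Type blocks)."""
    return name in section or any(
        isinstance(v, dict) and mentions(v, name) for v in section.values())

def check(conf):
    findings = []
    eap = conf.get("modules", {}).get("eap", {})
    peap = eap.get("peap", {})
    inner = peap.get("default_eap_type")
    if inner and isinstance(peap.get(inner), dict):
        findings.append(f"{inner} stanza is nested inside peap")
    if inner and not isinstance(eap.get(inner), dict):
        findings.append(f"{inner} stanza missing directly under eap")
    if inner == "mschapv2":                      # per the thread's working setup
        if "mschap" not in conf.get("modules", {}):
            findings.append("mschap not defined in modules")
        for name in ("authorize", "authenticate"):
            if not mentions(conf.get(name, {}), "mschap"):
                findings.append(f"mschap not listed in {name}")
    return findings

# Constructed sample, trimmed from the layout in the original post.
BROKEN = """modules {
  eap {
    peap {
      default_eap_type = mschapv2
      mschapv2 {
      }
    }
  }
}"""
print(check(parse(BROKEN)))
```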
Re: Problems getting eap-mschapv2 working.
On Friday 01 September 2006 08:36, Ian Walker wrote:
> Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.
> This is my radiusd.conf file:
>
>     }
>     peap {
>         default_eap_type = mschapv2
>         mschapv2 {
>             authtype = mschapv2
>             use_mppe = yes
>             require_encryption = yes
>             require_strong = yes
>         }
>     }

You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.

Zoltan Ori