RE: framedipaddress

2010-05-12 Thread Santiago Balaguer García

We worked with Meru as Access Point, but not as NAS.

If you want to authenticate users, then it is not the correct device; use 
another one.

Anyway, I think there are other, better devices on the market at the same cost.
 
 Date: Tue, 11 May 2010 17:16:31 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: framedipaddress
 
 Paweł Pogorzelski wrote:
  Unfortunately Meru claims that the client IP address is not sent to
  the radius in any other attribute either.
 
 Buy a NAS that works.
 
 Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  

RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Zheng, Jiajia
Sorry, I forgot the subject. 

Zheng, Jiajia wrote:
 Hi,
 I hope it is the right place to ask questions about EAP-TLS with
 radius server. 
 I installed freeradius-2.1.6 rpm package on my Fedora 10 system.
 EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine.
 However, EAP-TLS handshake failed. Here are my steps to implement
 EAP-TLS with radius server.  
 1. on server: yum install freeradius
 2. on server: cd /etc/raddb
 3. on server: edit users and clients.conf (see attachments)
 4. on server: radiusd -X
 5. I configured the AP which is wired connected to the server using
 WPA-TKIP 
 6. copy ca.pem from server to my wireless machine.
 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my
 wireless machine, which all worked fine. 
 7. on server: cd /etc/raddb/certs
 8. on server: make client.pem
 9. copy client.pem from server to my wireless machine
 10. run wpa_supplicant on my wireless machine:
     wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf
  WPA_EAP_TLS.conf as below,
  ctrl_interface=/var/run/wpa_supplicant
  ctrl_interface_group=wheel
  network={
      ssid="ASUS-2.4G"
      scan_ssid=1
      key_mgmt=WPA-EAP
      eap=TLS
      identity="root"
      ca_cert="./ca.pem"
      client_cert="./client.pem"
      private_key="./client.pem"
      private_key_passwd="whatever"
  }
 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
 Could you help me out on this issue?
 Is there anything I did wrong? Let me know if you need more debugging
 info. 
 
 Thanks,
 jiajia





Re: framedipaddress

2010-05-12 Thread Alan Buxey
Hi,
 We worked with Meru as Access Point, but not as NAS.

but an Access Point IS a NAS

alan


Re: freeradius-server-2.1.8

2010-05-12 Thread Alan Buxey
Hi,

 and there is nothing ! in the output of radiusd -X

nothing at all?  or do you mean it's quiet after the 'ready to process requests'
line?

if so, check your firewall on the server; make sure UDP 1812-1824 are
allowed in to the daemon!

alan


RE: framedipaddress

2010-05-12 Thread Paweł Pogorzelski
Listen, we've already bought a complete Meru system for the eduroam project and
there is no turning back. There are many great features which only Meru
has.  Right now I must find a solution for this system.

-- 
Pozdrawiam/Best regards
Paweł Pogorzelski
e-mail: ppogorzel...@gmail.com



Re: framedipaddress

2010-05-12 Thread Alan Buxey
Hi,
 Listen, we've already bought a complete Meru system for the eduroam project and
 there is no turning back. There are many great features which only Meru
 has.  Right now I must find a solution for this system.

I'm uncertain as to your tone here - but fundamentally, if the hardware
doesn't send an attribute then there's nothing that ANY RADIUS server
can do about it!

ask your vendor why they don't support it perhaps? ask for a feature improvement?
they might have an alternative attribute or VSA that you can use or rewrite...

alan


Re: framedipaddress

2010-05-12 Thread Chris Knipe
What are you authenticating? Where are the radius debug logs?

Chances are you are more than likely authenticating a Wireless Association
to the Access Point - not a PPP type of service where IP addresses are
involved.

Debug your radius logs a bit and perhaps post a bit more detail.







-- 

Regards,
Chris Knipe

Re: framedipaddress

2010-05-12 Thread Bruce Nunn
I manage a large Meru installation. If you want to get an IP address logged with 
a user name or MAC address like Aruba does you can't do it unless you use the 
captive portal. And the captive portal only sends this info via syslog as 
u...@1.2.3.4. For the auditors at our site, we send the auth response and 
end-station identifier from radius via syslog and DHCP log to a Splunk box and 
then they are happy and can block MAC addresses.

Meru is OK, but hostapd on a RedHat appliance as a NAS can be annoying at 
times.


Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Alan DeKok
Zheng, Jiajia wrote:
 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
 Could you help me out on this issue?

  Paste the debug output into the self-help form at:

http://networkradius.com/freeradius.html

  Look for red text.

 Is there anything I did wrong? Let me know if you need more debugging
 info. 

  The debug log already shows everything you need to know.

  The CA used by the client is *not* the same as the CA used by the server.

  Alan DeKok.


When to ldap?

2010-05-12 Thread Dean, Barry
I am working on a new radius config and have been trying to avoid the lookup in 
LDAP I have been seeing for the outer identity.

I have moved to 2.1.8 with the inner-tunnel virtual host enabled.

I have an authorise section for the relevant virtual server that has:

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    if (!EAP-Message) {
        ldap
    }
    expiration
    logintime
    pap
}

The if(!EAP-Message) works a treat at preventing an LDAP lookup for the outer 
identity, but if I want to send a basic User-Name/User-Password type auth 
request after checking with LDAP and returning Remote access is permitted, I 
then see:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

What am I missing to tell the authenticate section below what I want to do 
next?

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    Auth-Type EAP {
        eap
    }
    eap
}

I presume:

    if (!EAP-Message) {
        ldap
    }

Fails to set Auth-Type LDAP?


--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540



Can proxy packet be configured to be resent in case no response from the home server

2010-05-12 Thread Zhang, Ge (Gina)
 
Hi,

Does anyone know whether we can configure it to resend the proxy packet in case no 
response is received?

Thanks,
Gina Zhang


Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Sumedh Sathaye


Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the raddb/sites-available/default and
raddb/modules/wimax files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of default:

update request {
    WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
    WiMAX-FA-RK-Key = 0x00
    WiMAX-MSK = "%{EAP-MSK}"
}
wimax

Run-log from radiusd -X is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh


RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
Which product are you using?  Some WiMax NAS do not send the proper keys to
Freeradius.  I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

 

David

 

 


RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Sumedh Sathaye

David, thanks for your reply. I am using a simulated WIMAX ASN gateway from
the BOC-WiMAX distribution. It's available at:

http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to
FreeRadius. Can you share that information with me?

Best Regards,
Sumedh




RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
I have looked into BOC-WIMAX and it looks interesting but fairly incomplete.
I have not tried to get it working 100% so I have only a little experience.


 

Some of the NAS simply want to talk to FR via EAP-TTLS and receive only a
Framed-Filter-Id response.  Is there a manufacturer you are looking to work
with in particular or is this an attempt to get BOC-WiMax working as your
ASN?  

 

David

 


sending Access-request, Access-Reject

2010-05-12 Thread dorra aa

hi can someone help me in that 
i add a users :
abc cleartext-password:=123

and i run freeradius -X
after that i do:
r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
User-Name = abc
User-Password = 123
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=48, length=20

and this is the output of daemon:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
User-Name = abc
User-Password = 123
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = abc, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
  modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 48 to 127.0.0.1 port 41804
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 48 with timestamp 4beb3ff9
Nothing to do.  Sleeping until we see a request.


  

Re: sending Access-request, Access-Reject

2010-05-12 Thread John Dennis

On 05/12/2010 08:01 PM, dorra aa wrote:

hi can someone help me in that
i add a users :
abc cleartext-password:=123


It's right there in the debug output


users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0

 rlm_pap: Found existing Auth-Type, not changing it.

rad_check_password: Found Auth-Type System

 modcall[authenticate]: module unix returns notfound for request 0

It shouldn't be using an auth-type of System, that means to look up the 
user in the /etc/passwd (/etc/shadow) file. But you don't have a user on 
your system named abc so the not found result makes sense, right?


Why is it trying to find abc amongst the unix users on your system? 
The answer is right above, look at the lines labeled users:, that's 
your users file, also look at the line that says Found Auth-Type, not 
changing it. So something in your users file forced the user abc to 
have an Auth-Type of system or unix, it also tells you which lines 
in the users files it matched. Go fix your users file so it doesn't do that.


I'm guessing in your attempts to get things working you may have mangled 
the example users file, you might want to start with the unaltered users 
file and just add your test user.


All this is documented in the link I sent you a week ago:
http://deployingradius.com/documents/configuration/pap.html

--
John Dennis jden...@redhat.com
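
The reading of the debug output walked through in the reply above, as an added example (not part of the original post and not FreeRADIUS code): a small Python script that pulls the same lines out of `radiusd -X` output and reports why the request was rejected. The sample is a subset of the debug lines posted earlier in this thread; the function names and finding codes are made up for this illustration, and the patterns assume the older `modcall[...]` debug format shown on this page.

```python
import re
from dataclasses import dataclass, field

# Subset of the radiusd -X lines posted earlier in this thread (request 0).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
User-Name = abc
User-Password = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
  modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
"""

NEW_REQUEST = re.compile(r'^rad_recv: Access-Request packet')
USER_NAME = re.compile(r'^User-Name = "?([^"]+)"?$')
MATCHED = re.compile(r'^users: Matched entry (\S+) at line (\d+)')
MODCALL = re.compile(r'^modcall\[(\w+)\]: module (\S+) returns (\w+)')
AUTH_TYPE = re.compile(r'^rad_check_password:\s+Found Auth-Type (\S+)')


@dataclass
class Request:
    user: str = ""
    matched: list = field(default_factory=list)  # (entry name, users-file line)
    rcodes: dict = field(default_factory=dict)   # (section, module) -> rcode
    auth_type: str = ""
    pap_kept_existing: bool = False
    rejected: bool = False


def parse(log_text):
    """Split debug output into requests and keep only the lines that matter."""
    requests = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if NEW_REQUEST.match(line):
            requests.append(Request())
            continue
        if not requests:
            continue  # startup output before the first packet
        req = requests[-1]
        if (m := USER_NAME.match(line)) and not req.user:
            req.user = m.group(1)
        elif m := MATCHED.match(line):
            req.matched.append((m.group(1), int(m.group(2))))
        elif m := MODCALL.match(line):
            req.rcodes[(m.group(1), m.group(2))] = m.group(3)
        elif m := AUTH_TYPE.match(line):
            req.auth_type = m.group(1)
        elif line.startswith("rlm_pap: Found existing Auth-Type"):
            req.pap_kept_existing = True
        elif line.startswith("auth: Failed to validate the user"):
            req.rejected = True
    return requests


def diagnose(req):
    """Return (code, explanation) findings for one rejected request."""
    findings = []
    if not req.rejected:
        return findings
    lines = [n for _, n in req.matched]
    if req.pap_kept_existing and req.auth_type:
        # pap only sets Auth-Type when nothing earlier has; here something did.
        findings.append(("AUTH_TYPE_FORCED",
                         f"Auth-Type {req.auth_type} was set before pap ran; "
                         f"check users file lines {lines}"))
    if (req.auth_type.lower() in ("system", "unix")
            and req.rcodes.get(("authenticate", "unix")) == "notfound"):
        findings.append(("NO_SYSTEM_ACCOUNT",
                         f"user {req.user!r} was looked up in the system "
                         "password database and is not there"))
    if not req.auth_type:
        findings.append(("NO_AUTH_TYPE", "no module chose an Auth-Type"))
    return findings


if __name__ == "__main__":
    for request in parse(SAMPLE_LOG):
        for code, text in diagnose(request):
            print(f"{code}: {text}")
```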



Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread sunhualing
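Check the system time; it has to be within the certificate's validity period.
It is hard to say what is going on with the CA; check your configuration again.

On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia jiajia.zh...@intel.com wrote: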

 Alan DeKok wrote:
  Zheng, Jiajia wrote:
  11. EAP-TLS failed, see the attached tls.log for the output of
  radiusd Could you help me out on this issue?
 
Paste the debug output into the self-help form at:
 
  http://networkradius.com/freeradius.html
 
Look for red text.
 
  Is there anything I did wrong? Let me know if you need more
  debugging info.
 
The debug log already shows everything you need to know.
 
The CA used by the client is *not* the same as the CA used by the
  server.
 
 Yes, from the debug log, we can tell that the CA is wrong.
 But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go
 wrong with EAP-TLS?
 Here is my configure file for EAP-TTLS which works.
 WPA_EAP_TTLS_CHAP.conf
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=wheel
 network={
     ssid="ASUS-2.4G"
     scan_ssid=1
     key_mgmt=WPA-EAP
     eap=TTLS
     identity="root"
     password="wireless"
     ca_cert="./ca.pem"
     phase2="auth=CHAP"
 }
 Here is my configure file for EAP-TLS which fails authentication.
 WPA_EAP_TLS.conf
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=wheel
 network={
     ssid="ASUS-2.4G"
     scan_ssid=1
     key_mgmt=WPA-EAP
     eap=TLS
     identity="root"
     ca_cert="./ca.pem"
     client_cert="./client.pem"
     private_key="./client.pem"
     private_key_passwd="whatever"
 }

 The client.pem used by client was also copied from server.
 Is there anything wrong with my configure file? I also attached the *.pem.

 Thanks,
 jiajia

Re: Clark Wang has invited you to Dropbox

2010-05-12 Thread sunhualing
Dropbox has been defeated by the GreatFireWall, we are so sorry
