Re: I can't get 'access-accept' from Linux clients (SOLVED)

2008-02-13 Thread Sergio Belkin
2008/1/10, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Hi,
  Hi,
  I still can't figure out why I can't access from Linux clients.
  I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

 what is the linux client config?

 i see the following in your debug

   rlm_eap: Request found, released from the list
   rlm_eap: EAP/md5
   rlm_eap: processing type md5
 rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  rlm_eap: Handler failed in EAP/md5
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 84
 modcall: leaving group authenticate (returns invalid) for request 84
 auth: Failed to validate the user.


 i would also advise that you upgrade to 2.0.0 - not only could this
 issue be resolved anyway - it's a hell of a lot easier to debug - far
 less EAP messages!

 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Well, finally I get the blessed Access-Accept for Linux clients too.
How did I do that? Well, I upgraded to radius 2.0.1.

Maybe my settings could be helpful for many people, so I won't
hide them as an alchemy secret ;)

radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = xxx.qq.yyy.pp
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
$INCLUDE ${confdir}/eap.conf
mschap {
use_mppe = no
require_encryption = yes
}
ldap {
server = ldap.cadorna.biz
port = 636
identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
password = sambombas
basedn = ou=people,dc=palermo,dc=edu
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_debug = 0x0028
tls_cacertfile  = /etc/raddb/cacert.pem
tls_randfile= /dev/urandom
tls_require_cert= allow
access_attr = radiusAllowed
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = /
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = 

Re: I can't get 'access-accept' from Linux clients (SOLVED)

2008-02-13 Thread Sergio Belkin
Ooops, because of the emotion I pasted old config files. Well here are
the fresh files:

prefix = /usr/local2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
ipaddr = zzz.zz.zz.zzz
port = 0
type = auth
}
listen {
ipaddr = zzz.zz.zz.zzz
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
destination = files
syslog_facility = daemon
file = ${logdir}/radius.log
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp= no
$INCLUDE snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
radwtmp = ${logdir}/radwtmp
}
$INCLUDE eap.conf
mschap {
}
ldap {
server = ldap.cadorna.biz
port = 636
identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
password = sambombas
basedn = ou=people,dc=cadorna,dc=biz
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no

cacertfile  = /etc/raddb2/cacert.pem
randfile= /dev/urandom

require_cert= allow
}
access_attr = radiusAllowed
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
realm IPASS {
format = prefix
delimiter = /
}
realm suffix {
format = suffix
delimiter = @
}
realm realmpercent {
format = suffix
delimiter = %
}
realm ntdomain {
format = prefix
delimiter = \\
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
header = %t
}
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
}
$INCLUDE sql.conf

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = no
}
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
counter daily {
filename = ${db_dir}/db.daily
key 

Re: I can't get 'access-accept' from Linux clients

2008-02-13 Thread Sergio Belkin
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:
 [EMAIL PROTECTED] wrote:
  Store cleartext passwords and all eap types will work. Real problem is
  the encrypted password not the eap type.
 
  Ivan Kalik
  Kalik Informatika ISP
 

 
  On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
 
 
  2008/1/10, Ivan Kalik [EMAIL PROTECTED]:
 
  ...
 
  rlm_ldap: Added password
 
  {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
  ...
 
  rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 
  ...
 
  You can't use encrypted passwords with EAP-MD5.
 
  http://deployingradius.com/documents/protocols/compatibility.html
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  Thanks Ivan! So what default eap type should I use in a mixed
  environment (I mean: Linux and Windows clients)?
 
 EAP-TTLS with PAP inner encryption.

 Though you'd need to use SecureW2 or the Open SEA supplicant for the
 windows side.

 Otherwise you'd need NT-Hashes for MSChap based methods

Sorry for the stupid and moronic question, but how should I do that? Of
course I'm not asking you to tell me the step by step, only a clue
to follow...

thanks in advance


, or the password
 stored in the clear.





  TIA
 
 


 --
 Arran Cudbard-Bell ([EMAIL PROTECTED])


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Re: I can't get 'access-accept' from Linux clients

2008-01-13 Thread Sergio Belkin
2008/1/11, Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
  Alan, Thanks for clearing up the confusion about EAP and PAP. But still I
  don't understand this: Now I have a windows client working using
  securew2 with PAP. If PAP is not into the tunnel

  Then you are not using securew2.

It was a question, not a statement :)


  When you use TTLS + PAP, the passwords go in the tunnel.

OK, thanks for your answer, that is what I was asking :)


  Alan DeKok.





Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread tnt
Store cleartext passwords and all eap types will work. Real problem is
the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP


On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:


 ...
 rlm_ldap: Added password
 {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
 ...
 rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 ...

 You can't use encrypted passwords with EAP-MD5.

 http://deployingradius.com/documents/protocols/compatibility.html

 Ivan Kalik
 Kalik Informatika ISP


Thanks Ivan! So what default eap type should I use in a mixed
environment (I mean: Linux and Windows clients)?

TIA



Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Sergio Belkin
2008/1/10, Ivan Kalik [EMAIL PROTECTED]:


 ...
 rlm_ldap: Added password
 {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
 ...
 rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 ...

 You can't use encrypted passwords with EAP-MD5.

 http://deployingradius.com/documents/protocols/compatibility.html

 Ivan Kalik
 Kalik Informatika ISP


Thanks Ivan! So what default eap type should I use in a mixed
environment (I mean: Linux and Windows clients)?

TIA



Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Sergio Belkin
Yes, but my beloved boss wants to use encrypted passwords in ldap :(

2008/1/11, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Store cleartext passwords and all eap types will work. Real problem is
 the encrypted password not the eap type.

 Ivan Kalik
 Kalik Informatika ISP


 On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

 2008/1/10, Ivan Kalik [EMAIL PROTECTED]:
 
 
  ...
  rlm_ldap: Added password
  {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
  ...
  rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  ...
 
  You can't use encrypted passwords with EAP-MD5.
 
  http://deployingradius.com/documents/protocols/compatibility.html
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
 Thanks Ivan! So what default eap type should I use in a mixed
 environment (I mean: Linux and Windows clients)?
 
 TIA
 


Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:

Store cleartext passwords and all eap types will work. Real problem is
the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP
  




On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

  

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:


...
  

rlm_ldap: Added password


{SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
  

rlm_eap_md5: User-Password is required for EAP-MD5 authentication


...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

  

Thanks Ivan! So what default eap type should I use in a mixed
environment (I mean: Linux and Windows clients)?


EAP-TTLS with PAP inner encryption.

Though you'd need to use SecureW2 or the Open SEA supplicant for the 
windows side.


Otherwise you'd need NT-Hashes for MSChap based methods, or the password 
stored in the clear.



TIA

  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Alan DeKok
Sergio Belkin wrote:
 EAP-TTLS with PAP inner encryption.
 
 But is it possible to configure it so? I tried default_eap_type =
 pap and radius didn't start.

  PAP is not an EAP type.  The documentation makes this clear:

#  If the request does not contain an EAP
#  conversation, then this configuration entry
#  is ignored.

  In fact, you shouldn't have to do *anything* for PAP to work inside of
a TTLS tunnel.

  Alan DeKok.


Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Sergio Belkin
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:
 [EMAIL PROTECTED] wrote:
  Store cleartext passwords and all eap types will work. Real problem is
  the encrypted password not the eap type.
 
  Ivan Kalik
  Kalik Informatika ISP
 

 
  On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
 
 
  2008/1/10, Ivan Kalik [EMAIL PROTECTED]:
 
  ...
 
  rlm_ldap: Added password
 
  {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
  ...
 
  rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 
  ...
 
  You can't use encrypted passwords with EAP-MD5.
 
  http://deployingradius.com/documents/protocols/compatibility.html
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  Thanks Ivan! So what default eap type should I use in a mixed
  environment (I mean: Linux and Windows clients)?
 
 EAP-TTLS with PAP inner encryption.

But is it possible to configure it so? I tried default_eap_type =
pap and radius didn't start.

In fact in Fedora 8 I have configured PAP as inner Authentication
(Wireless Network Secrets Required dialog box) with wpa_supplicant
running.


 Though you'd need to use SecureW2 or the Open SEA supplicant for the
 windows side.

Sure, I use securew2 for windows clients.


 Otherwise you'd need NT-Hashes for MSChap based methods, or the password
 stored in the clear.

Last option is not suitable for :(


  TIA
 
 




Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Alan DeKok
Sergio Belkin wrote:
 Alan, Thanks for clearing up the confusion about EAP and PAP. But still I
 don't understand this: Now I have a windows client working using
 securew2 with PAP. If PAP is not into the tunnel

  Then you are not using securew2.

  When you use TTLS + PAP, the passwords go in the tunnel.

  Alan DeKok.


Re: I can't get 'access-accept' from Linux clients

2008-01-11 Thread Sergio Belkin
2008/1/11, Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
  EAP-TTLS with PAP inner encryption.
 
  But is it possible to configure it so? I tried default_eap_type =
  pap and radius didn't start.

   PAP is not an EAP type.  The documentation makes this clear:

 #  If the request does not contain an EAP
 #  conversation, then this configuration entry
 #  is ignored.

   In fact, you shouldn't have to do *anything* for PAP to work inside of
 a TTLS tunnel.

   Alan DeKok.
 -

Alan, Thanks for clearing up the confusion about EAP and PAP. But still I
don't understand this: Now I have a windows client working using
securew2 with PAP. If PAP is not in the tunnel, does that mean that
passwords go unencrypted?

TIA


I can't get 'access-accept' from Linux clients

2008-01-10 Thread Sergio Belkin
Hi,
I still can't figure out why I can't access from Linux clients.
I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

I use Freeradius+eap+ttls. User accounts are stored in an LDAP server.

My eap.conf is:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }

    tls {
        certificate_file = /etc/pki/tls/certs/spectrum.xp-crt.pem
        private_key_file = /etc/pki/tls/certs/spectrum.xp-key.pem
        CA_file = /etc/pki/tls/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }

}

EOF

These are debugging messages:
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=125
User-Name = jsmith
NAS-IP-Address = 10.30.1.151
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b016d6261726265
Message-Authenticator = 0x05f08581315f74a9365956e711d1adec
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 78
  modcall[authorize]: module preprocess returns ok for request 78
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 78
  modcall[authorize]: module files returns notfound for request 78
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat:  '(uid=jsmith)'
radius_xlat:  'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter (uid=jsmith)
request done: ld 0x557c59c0 msgid 91
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 78
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 78
modcall: leaving group authorize (returns updated) for request 78
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 78
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 78
modcall: leaving group authenticate (returns handled) for request 78
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0xfc48a9d073781d46b58418c4b4cd9827
Finished request 78
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=267
User-Name = jsmith
NAS-IP-Address = 10.30.1.151
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
State = 0xfc48a9d073781d46b58418c4b4cd9827
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100871500160301007c01780301478642113f068a6df0132c744c49958b45592615abb6622beddf19a8fa52510f20fd4cbc7f733120101175d6dd7f27f2585364c73af2b4d0f65332531e8c2d3c4b003000390038003500160013000a00330032002f006600050004006300620015001200090065006400140011000800060003020100
Message-Authenticator = 0xdfd8574e151c9d725b98e1d9f907aff5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 79
  modcall[authorize]: module preprocess returns ok for request 79
  rlm_eap: EAP packet type response id 1 length 135
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 79
  modcall[authorize]: module files returns notfound for request 79
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat:  

Re: I can't get 'access-accept' from Linux clients

2008-01-10 Thread A . L . M . Buxey
Hi,
 Hi,
 I still can't figure out why I can't access from Linux clients.
 I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

what is the linux client config?

i see the following in your debug

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.


i would also advise that you upgrade to 2.0.0 - not only could this
issue be resolved anyway - it's a hell of a lot easier to debug - far
less EAP messages!

alan


RE: I can't get 'access-accept' from Linux clients

2008-01-10 Thread Ivan Kalik
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
 
You can't use encrypted passwords with EAP-MD5.
 
http://deployingradius.com/documents/protocols/compatibility.html
 
Ivan Kalik
Kalik Informatika ISP
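
The constraint this thread turns on (an {SSHA} password from LDAP can be checked when PAP delivers the cleartext inside a TTLS tunnel, but not by EAP-MD5), shown as an added Python example that is not part of the original posts or of FreeRADIUS. The function names, the sample password and the salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_check(cleartext_from_client: bytes, stored: str) -> bool:
    """PAP, as carried inside a TTLS tunnel: the server receives the
    cleartext password, so it can re-hash it with the stored salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value has no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext_from_client + salt).digest()
    return hmac.compare_digest(candidate, digest)


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response used by EAP-MD5: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_md5_check(identifier: int, challenge: bytes, response: bytes,
                  stored: str) -> bool:
    """Server side of EAP-MD5. The server has to recompute the response,
    which needs the same secret the client typed, not a hash of it."""
    if stored.startswith("{"):
        # Same situation as the log line quoted in the thread:
        # "User-Password is required for EAP-MD5 authentication"
        raise LookupError("cleartext password required for EAP-MD5")
    expected = eap_md5_response(identifier, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-pass"   # constructed sample, not from the thread
    challenge = bytes(range(16))     # fixed so the run is repeatable
    stored_hash = make_ssha(password, b"\x01\x02\x03\x04")
    response = eap_md5_response(7, password, challenge)  # what the client sends

    results = {
        "pap_good": pap_check(password, stored_hash),
        "pap_bad": pap_check(b"wrong", stored_hash),
        "md5_cleartext": eap_md5_check(7, challenge, response, password.decode()),
        # Using the hash string itself as the secret does not match either,
        # because the client computed its response from the cleartext.
        "md5_hash_as_secret": hmac.compare_digest(
            eap_md5_response(7, stored_hash.encode(), challenge), response),
    }
    try:
        eap_md5_check(7, challenge, response, stored_hash)
        results["md5_hashed"] = "checked"
    except LookupError as exc:
        results["md5_hashed"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```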
 