HOWTO: Incremental Setup of FreeRADIUS Server for EAP Authentications

Introduction

If, like me, you need to set up a FreeRADIUS server for EAP authentication every so often, do you also find yourself having a hard time refreshing your memory each time? After that happened to me a couple of times, I found that an incremental and systematic way of setting up and testing the server makes it easier to remember and easier to debug: each step adds exactly one thing, so when a test fails you know which change broke it. Here is what I do, and I hope it benefits others as well.

Step 1. Set up and test local authentication without EAP, using the radtest tool.
Step 2. Set up and test remote authentication without EAP, using the radtest tool.
Step 3. Set up and test the simplest EAP method, EAP-MD5 (no certificates needed), using the radeapclient tool.
Step 4. Install the necessary certificates, then set up and fully test the more sophisticated EAP methods (EAP-TLS, PEAP and EAP-TTLS) using the eapol_test tool from the wpa_supplicant project.

If this approach seems to make sense to you, I have more details below on each step.

A Few Things First

Before going through the steps, there are a few things to get out of the way:

  • This guide is based on the latest FreeRADIUS version available at the time of writing, 2.0.2, which I installed from source because most binary packages are still at 1.1.7 or other 1.x versions. Most of what is covered here should work just as well in older versions; where it does not, I will try to point it out to the best of my knowledge.

  • Usual locations of the installed files:

    • /usr/local/sbin/radiusd: the main server binary
    • /usr/local/bin/: radtest and radeapclient
    • /usr/local/etc/raddb/*: configuration files
    • /usr/local/etc/raddb/certs/*: the included certificates

  • I generated my own certificates using openssl, but I won't go into the details here: there are ample resources on the Internet. For testing only, you can also use the certificates included with FreeRADIUS (2.x only; the certificates shipped with older versions have probably expired), or any other valid certificates. Whatever you do, don't put the included test CA into production: its private key ships with every copy of FreeRADIUS, so anyone could issue certificates your supplicants would trust.

  • On the terminology side, I use the usual three-party authentication model: supplicant, authenticator, and authentication server (the RADIUS server). This Wikipedia page gives the background: http://en.wikipedia.org/wiki/802.1x

  • Configuration files that are relevant to this guide:

  • radiusd.conf: the main configuration file. We won't modify the default radiusd.conf in this guide, but you should know about it.
  • clients.conf: RADIUS client/NAS configuration. NAS is the RADIUS term; to simplify things, think of it as the authenticator in our three-party model.
  • users: per-user configuration. Think of users as supplicants in our three-party model. User entries could also live elsewhere, for example in a database, instead of the users file, but that is out of the scope of this howto.
  • eap.conf: EAP-related configuration.

  • Some general suggestions

    • it is always good to save the original raddb directory as future reference, for example I do:

    cp -r raddb raddb.orig

    • Starting from the default configuration files is a good idea because a lot of basic scenarios have already been taken into consideration.

    • Always start your FreeRADIUS daemon in debug mode with -X during initial testing and trouble-shooting phase:

    /usr/local/sbin/radiusd -X

    If there are any issues, look at the screen output in the terminal where radiusd runs for clues: with -X it stays in the foreground and prints every request, every module's result and every error.

    • Always remember to restart your daemon after making any configuration changes

    • A lot of the commands here require root access, so you either need to be root or need to use a command like sudo.

The Steps

Step 1. The most basic: Local authentication without EAP

In this step, all the configuration you need is to add a test user at the end of your users file, with its password, like this:

testuser Cleartext-Password := "password"

We don't need to touch clients.conf yet, because the default clients.conf already has an entry for the local host, 127.0.0.1. Every authenticator/NAS in that file needs a shared secret with the FreeRADIUS server; for 127.0.0.1 the default is "testing123". That secret is public knowledge (it is in every FreeRADIUS install), so change it before the server is reachable by anything other than your own tests.

Now go ahead and restart your server.

FreeRADIUS includes a very convenient tool called radtest (normally found in /usr/local/bin). In Step 1 we invoke radtest locally, on the same host where the FreeRADIUS daemon is running:

radtest testuser password 127.0.0.1 1812 testing123

The syntax is:

radtest <user name> <user password> <server address> <NAS port number> <shared secret>

Note that the fourth argument is not the server's UDP port: radtest sends it as the NAS-Port attribute (see NAS-Port = 1812 in the output below). Requests go to UDP port 1812 by default; to use a different server port, write the server as <address>:<port>.

You should see an output like this:

Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

It succeeds if an Access-Accept is received, as above. An Access-Reject means the user or password did not match; with PAP, a wrong shared secret also shows up as an Access-Reject, because the server decodes the password to garbage. No reply at all usually means the request never reached the server, or the sending host is not listed in clients.conf (the server silently ignores unknown clients, but the -X output says so).

One extra note for FreeRADIUS 1.x users: the default users file you are editing may contain a line like

  DEFAULT Auth-Type = System

That line can break a simple radtest test like the above. It means that by default a user is authenticated against the local Unix password database unless Auth-Type is overridden later with a different value. It does apply to a request from radtest, and it requires the local system to have a user named testuser with password "password" for our test to succeed, which is unlikely unless you create such a user. The easy fix is to comment out that line with a leading "#". You could also add "Auth-Type := Local," to the testuser entry, but then you must remember to remove it for the EAP tests later: a forced Auth-Type stops the eap module from taking over the request.

You may also see people write "User-Password :=" instead of "Cleartext-Password". Both work in older versions, but stick to Cleartext-Password in current ones: User-Password is the attribute carried in the request, and using it as a check item is deprecated in 2.x.

Step 2. One step further: authenticate via a remote authenticator

Once Step 1 passes, we can go one step further by invoking radtest from another host. This does mean that you need FreeRADIUS installed, preferably the same version, on another host that is reachable over the network.

Before you fire radtest from the other host, you need one more configuration change: add your test authenticator host at the end of clients.conf and assign it a shared secret. This is what I use for a host at 192.168.1.100 (I reuse testing123 only to keep the example short; every real NAS should get its own long, random secret, since the secret and the Request Authenticator are all that protect User-Password on the wire):

  client 192.168.1.100 {
      secret = testing123
      shortname = 192.168.1.100
  }

Suppose the server itself is at 192.168.1.1. Then all you need to change from the previous test is the server address, 127.0.0.1 becomes 192.168.1.1 (I am using the same shared secret here), and you run it from 192.168.1.100:

radtest testuser password 192.168.1.1 1812 testing123

UDP port 1812 on the server must of course be reachable from 192.168.1.100, so open it in any host or network firewall in between.

Again, it succeeds only if an Access-Accept is received.
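To see what radtest actually puts on the wire in Steps 1 and 2, here is an added example (my own code, not part of the original page and not FreeRADIUS code) that builds the same Access-Request in Python, runs it through a toy server that does the users-file check, and verifies the reply the way a client must. It uses only the standard library; the user, password, NAS values and secret are the ones from Step 1, and the toy server is a stand-in for radiusd.

```python
"""What radtest sends in Steps 1 and 2, built by hand (RFC 2865).

Added example, not FreeRADIUS code. The values mirror the Step 1 test:
user testuser, password "password", shared secret testing123, NAS-Port 1812,
and a toy server side that checks the password the way the users file does.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block_i = plain_i XOR MD5(secret + block_{i-1}),
    with the Request Authenticator standing in for block_0. This is masking keyed by the
    shared secret, not real encryption: whoever knows (or guesses) the secret recovers
    the password from a capture."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server does it before comparing with Cleartext-Password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def build_access_request(user, password, secret, nas_ip="127.0.1.1", nas_port=1812, ident=11):
    """Equivalent of: radtest testuser password <server> 1812 testing123"""
    request_auth = os.urandom(16)          # fresh random Request Authenticator per request
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def server_reply(request, secret, users):
    """Toy server: PAP check against a {user: cleartext password} dict, then an Access-Accept or
    Access-Reject whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, attrs = parse_packet(request)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # 20 bytes, no attributes, like the radtest output
    return header + hashlib.md5(header + request_auth + secret).digest()


def reply_is_authentic(reply, request_auth, secret):
    """Client side: the reply only counts if its authenticator was made with our secret and
    our Request Authenticator; otherwise anyone on the path could forge an Access-Accept."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def radtest(user, password, secret, users, ident=11):
    """One request/reply round trip in memory. Returns the reply code, or None if the reply
    fails authentication or carries the wrong identifier."""
    request, request_auth = build_access_request(user, password, secret, ident=ident)
    reply = server_reply(request, secret, users)
    code, reply_ident, _, _ = parse_packet(reply)
    if reply_ident != ident or not reply_is_authentic(reply, request_auth, secret):
        return None
    return code


if __name__ == "__main__":
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print(names.get(radtest("testuser", "password", b"testing123", {"testuser": "password"})))
```

Two things are worth noticing. User-Password is only XOR-masked with MD5 of the secret and the Request Authenticator, so the shared secret is the whole protection for the password on the wire; and a client that does not check the Response Authenticator will happily accept a forged Access-Accept. radtest does check it, and so should anything you build on top of RADIUS.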

Step 3. Getting the simplest EAP method into the picture: EAP-MD5

Now we are ready to try out basic EAP functionality. EAP-MD5 is among the simplest EAP methods available, and it lets you exercise the server's EAP module without needing certificates. Be warned, though, that EAP-MD5 is not a secure authentication method: nothing authenticates the server to the supplicant, the challenge/response pair crosses the network in the clear and can be attacked offline with a dictionary, and it derives no keying material, so it cannot be used for WPA/WPA2-Enterprise at all. We only use it for testing here.

FreeRADIUS comes with another tool that can test EAP-MD5: radeapclient. You can normally find it in /usr/local/bin too if you installed FreeRADIUS from source. For our purpose it can be used like this:

( echo "User-Name = \"testuser\""; \
  echo "Cleartext-Password = \"password\""; \
  echo "EAP-Code = Response"; \
  echo "EAP-Id = 210"; \
  echo "EAP-Type-Identity = \"testuser\""; \
  echo "Message-Authenticator = 0x00"; ) | \
radeapclient -x 127.0.0.1 auth testing123

radeapclient reads RADIUS attributes from standard input, here generated by a series of echo commands, and carries out the EAP conversation with the server. EAP-Type-Identity is the identity the tool sends in its EAP-Response/Identity, and Cleartext-Password gives it the password it needs to answer the server's MD5 challenge. The Message-Authenticator = 0x00 line is a placeholder: the tool replaces it with the HMAC-MD5 of the packet, keyed with the shared secret, which RADIUS requires on any request that carries EAP-Message attributes (RFC 3579).

The command succeeds if you see an Access-Accept packet with EAP-Code = Success.

You may have noticed that the command is issued from the local host. You can repeat the same test from a different host: just change 127.0.0.1 to the server's IP address, and make sure that host has an entry in clients.conf, just like before.
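As an added example (my own code, not radeapclient's or FreeRADIUS's), here is the EAP-MD5 exchange behind Step 3 in Python, using only the standard library. It builds the Identity response and MD5-Challenge packets that travel inside EAP-Message, checks a response on the server side the way the server has to (which is why the users entry must be Cleartext-Password), and then recovers the password from the captured challenge/response with a word list to show why the method is test-only. The identity, password, challenge and word list are constructed for the demo.

```python
"""The EAP-MD5 conversation of Step 3 worked by hand (RFC 3748 section 5.4).

Added example, not radeapclient or FreeRADIUS code. It builds the EAP packets
the tool exchanges inside EAP-Message attributes, checks the response the way
the server does, and shows why the method is test-only: a captured
challenge/response pair can be attacked offline. Identity, password,
challenge and word list are constructed.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, ident, payload=b""):
    """Code(1) Identifier(1) Length(2) Type-Data; Length covers the whole packet."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return code, ident, pkt[4:]


def identity_response(ident, identity):
    """EAP-Response/Identity, what EAP-Type-Identity = "testuser" makes radeapclient send."""
    return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + identity.encode())


def md5_challenge_request(ident, challenge=None):
    """Server side: EAP-Request/MD5-Challenge with Value-Size, Value (random), optional Name."""
    challenge = challenge if challenge is not None else os.urandom(16)
    payload = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return eap_packet(EAP_REQUEST, ident, payload), challenge


def md5_response_value(ident, password, challenge):
    """CHAP computation reused by EAP-MD5: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def challenge_value(eap):
    """Return (identifier, Value field) of an MD5-Challenge request or response."""
    _, ident, data = parse_eap(eap)
    if not data or data[0] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    size = data[1]
    return ident, data[2:2 + size]


def supplicant_answer(request, password):
    """Supplicant side: answer the challenge with the password it was given."""
    ident, challenge = challenge_value(request)
    value = md5_response_value(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE, len(value)]) + value)


def server_check(response, ident, challenge, cleartext_password):
    """Server side: recompute with the Cleartext-Password from the users file and compare.
    A one-way hashed password (crypt, SSHA) cannot be used here, which is why EAP-MD5
    (and MSCHAPv2) need the cleartext or NT-hash form of the password on the server."""
    code, rid, _ = parse_eap(response)
    if code != EAP_RESPONSE or rid != ident:
        return False
    _, value = challenge_value(response)
    return hmac.compare_digest(value, md5_response_value(ident, cleartext_password, challenge))


def offline_guess(ident, challenge, captured_value, wordlist):
    """Why EAP-MD5 is test-only: the exchange is sent in the clear, nothing authenticates the
    server, and an observer can try passwords against the captured pair at MD5 speed."""
    for candidate in wordlist:
        if md5_response_value(ident, candidate, challenge) == captured_value:
            return candidate
    return None


if __name__ == "__main__":
    request, chal = md5_challenge_request(1)
    response = supplicant_answer(request, b"password")
    print("EAP-Success" if server_check(response, 1, chal, b"password") else "EAP-Failure")
    print("recovered:", offline_guess(1, chal, challenge_value(response)[1], [b"123456", b"password"]))
```

The only secret in the whole exchange is the password, and the server never proves anything to the supplicant, so a rogue access point can run this exchange against a real user and then try the captured pair against a word list at leisure. The tunneled methods in Step 4 exist to fix exactly that.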

Step 4. Full swing with EAP-TLS, EAP-TTLS and PEAP

We are almost ready for testing more sophisticated EAP methods, with two more preparations to be done.

First, install your certificates and update eap.conf with the paths to them. If you already have your own certificate generation mechanism in place, you need to copy three files onto the FreeRADIUS server's host:

  • The Root CA (Certificate Authority) certificate file which lists the trusted root CAs
  • A certificate generated for your FreeRADIUS server
  • The matching private key for your FreeRADIUS server's certificate

If you don't have your own certificates ready and just want to test, you can use the files that come with the FreeRADIUS 2.0 package, found in raddb/certs: ca.pem, server.pem and server.key.

Unfortunately, for FreeRADIUS 1.x users the installed certificates have probably expired already. In that case there are online resources on how to be your own root CA and generate certificates, for example with openssl.

In any case, once your files are ready, you need to modify the default eap.conf to reflect their actual locations. In my case the certs are in my home directory, /home/gcheng/myCA/, and these are the changes I made to eap.conf (shown with the diff command):

diff -upNr /usr/local/etc/raddb.orig/eap.conf /usr/local/etc/raddb/eap.conf
--- /usr/local/etc/raddb.orig/eap.conf 2008-02-28 16:44:51.000000000 -0800
+++ /usr/local/etc/raddb/eap.conf 2008-02-28 18:10:26.000000000 -0800
@@ -145,7 +145,8 @@
cadir = ${confdir}/certs

private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_file = ${certdir}/server.pem
+ private_key_file = /home/gcheng/myCA/radiusd_serverkey.pem

# If Private key & Certificate are located in
# the same file, then private_key_file &
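Review bot: private_key_password = whatever is kept in the context lines while private_key_file now points to /home/gcheng/myCA/radiusd_serverkey.pem; that value is only right if the new key was encrypted with the passphrase "whatever" (or is unencrypted, in which case the line is ignored). A key that needs a different passphrase makes radiusd fail at startup with an rlm_eap_tls error about the private key, so set the line to match the new key, and don't keep the shipped default passphrase for a real key.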
@@ -157,7 +158,8 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ #certificate_file = ${certdir}/server.pem
+ certificate_file = /home/gcheng/myCA/radiusd_servercert.pem

# Trusted Root CA list
#
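Review bot: the context comment says certificate_file must hold not only the server certificate but also all CA certificates used to sign it; if the private CA behind /home/gcheng/myCA/radiusd_servercert.pem uses an intermediate, that intermediate has to be appended after the server certificate in the same file, otherwise supplicants that only trust the root (as the eapol_test configs below do via ca_cert) cannot build the chain and the TLS handshake fails.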
@@ -174,7 +176,8 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ #CA_file = ${cadir}/ca.pem
+ CA_file = /home/gcheng/myCA/cacert.pem

#
# For DH cipher suites to work, you have to
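Before restarting radiusd with the new eap.conf, it is worth checking the three files against each other, because each of the mistakes below otherwise only shows up as a refused startup or a failed TLS handshake in the -X output. The following is an added example (my own code, not FreeRADIUS's) that drives the openssl command line from Python to do that check. generate_test_pki() creates a throwaway CA and server certificate only so the check can be exercised on this host; the names radius.example.test and Example Test CA are made up. Point check_radius_certs() at your real CA_file, certificate_file and private_key_file, with private_key_password if the key is encrypted.

```python
"""Preflight check for the three files Step 4 puts into eap.conf.

Added example, not FreeRADIUS code. It drives the openssl command line (the
same tool the certificates were generated with) to catch, before restarting
radiusd, the three mistakes that otherwise show up as a failed startup or a
failed TLS handshake: certificate_file not issued by the CA in CA_file,
private_key_file not matching certificate_file, and an expired certificate
(the FreeRADIUS 1.x test certs). generate_test_pki() builds a throwaway CA
and server certificate purely to exercise the check; its names are made up.
"""
import os
import shutil
import subprocess
import tempfile


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(*args):
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def check_radius_certs(ca_file, cert_file, key_file, key_password=None):
    """Return a list of problems; an empty list means the files are ready for eap.conf."""
    problems = []
    # 1. Does the server certificate chain to a CA in CA_file? (eapol_test's ca_cert is the same file.)
    rc, out, err = _openssl("verify", "-CAfile", ca_file, cert_file)
    if rc != 0:
        problems.append(f"certificate_file is not signed by a CA in CA_file: {err or out}")
    # 2. Does the private key belong to the certificate? Compare the public keys each one yields.
    _, cert_pub, _ = _openssl("x509", "-in", cert_file, "-noout", "-pubkey")
    key_args = ["pkey", "-in", key_file, "-pubout"]
    if key_password is not None:             # eap.conf private_key_password
        key_args += ["-passin", "pass:" + key_password]
    rc, key_pub, err = _openssl(*key_args)
    if rc != 0:
        problems.append(f"private_key_file cannot be read (wrong private_key_password?): {err}")
    elif cert_pub != key_pub:
        problems.append("private_key_file does not match certificate_file")
    # 3. Has either certificate already expired? (-checkend 0 exits non-zero if it has.)
    for label, path in (("CA_file", ca_file), ("certificate_file", cert_file)):
        rc, _, _ = _openssl("x509", "-in", path, "-noout", "-checkend", "0")
        if rc != 0:
            problems.append(f"{label} has expired or is unreadable")
    return problems


def generate_test_pki(outdir=None, days=1):
    """Constructed fixture: a self-signed test CA, a server certificate it issued, and an
    unrelated self-signed certificate that stands in for a certificate from the wrong CA."""
    d = outdir or tempfile.mkdtemp(prefix="radius-pki-")

    def p(name):
        return os.path.join(d, name)

    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", p("ca.key"),
             "-out", p("ca.pem"), "-subj", "/CN=Example Test CA", "-days", str(days))
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", p("server.key"),
             "-out", p("server.csr"), "-subj", "/CN=radius.example.test")
    _openssl("x509", "-req", "-in", p("server.csr"), "-CA", p("ca.pem"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-out", p("server.pem"), "-days", str(days))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", p("other.key"),
             "-out", p("other.pem"), "-subj", "/CN=Unrelated Self-Signed", "-days", str(days))
    return {"ca": p("ca.pem"), "cert": p("server.pem"), "key": p("server.key"),
            "other_cert": p("other.pem"), "other_key": p("other.key")}


if __name__ == "__main__":
    if openssl_available():
        pki = generate_test_pki()
        print(check_radius_certs(pki["ca"], pki["cert"], pki["key"]) or "certificates look ready")
```

The same check_radius_certs() call, given a supplicant's client certificate and key as cert_file and key_file, tells you ahead of time whether an EAP-TLS test will pass the server's CA_file check.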

Once your certificates and eap.conf are ready, restart the FreeRADIUS server and it is ready for EAP testing. The tool I find most convenient is eapol_test, which comes with the wpa_supplicant project. Unfortunately, it is not included in wpa_supplicant binary packages. Not to worry: building it from source is not hard either, and the following is all I needed:

wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
tar xvf wpa_supplicant-0.5.10.tar.gz
cd wpa_supplicant-0.5.10/
cp defconfig .config
make eapol_test

A binary eapol_test will be generated if the build was successful, and I'd copy it to /usr/local/bin:

ls eapol_test
cp eapol_test /usr/local/bin/

Now that eapol_test is installed, you need to prepare a configuration file for each EAP method you want to test. The format is very simple and, if you already know the wpa_supplicant configuration file format, it will look familiar. For example, this is for PEAP testing:

$ cat eapol_test.conf.peap
network={
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
password="password"
ca_cert="/home/gcheng/myCA/cacert.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}

And this is how you invoke the command to start the test:

eapol_test -c eapol_test.conf.peap -a127.0.0.1 -p1812 -stesting123 -r1

-c names the configuration file, -a and -p the RADIUS server address and port, -s the shared secret for this client (so the host running eapol_test must be listed in clients.conf), and -r1 asks for one re-authentication after the first success. As in all the authentication tests, an Access-Accept is the indication of success; eapol_test also prints SUCCESS or FAILURE at the end of its output and exits non-zero on failure, which makes it easy to script.

You may have noticed a couple of things in the configuration file:

  • The ca_cert line. For PEAP (and EAP-TTLS) it must point to the same root CA file we used in the FreeRADIUS server's eap.conf, so if eapol_test runs on a different host, copy that file over. Strictly speaking eapol_test runs without a ca_cert line, but then the supplicant accepts any server certificate and will hand its password to a rogue server, which is exactly what the TLS tunnel is meant to prevent. Treat ca_cert as mandatory, in tests and in real supplicant configurations alike.

  • The phase2 and anonymous_identity lines. To explain them we need some background on PEAP, which is one of the so-called two-phase or tunneled EAP methods:

    • Phase 1 establishes a TLS tunnel, authenticated by the server's certificate, for use in phase 2. The identity sent in phase 1 travels in the clear and is visible to every hop between the supplicant and the RADIUS server, so a "fake"/anonymous identity is used there as a privacy feature.

    • Phase 2 runs an inner EAP method protected by the TLS tunnel from phase 1. For PEAP it is common to use EAP-MSCHAPv2, and the true identity is only used in phase 2.

  EAP-TTLS is another two-phase EAP method with a similar design to PEAP.

Here are more eapol_test configuration files I use for the test user. As the suffixes indicate, they are for EAP-TLS, EAP-TTLS with EAP-MD5 as the inner method, and EAP-TTLS with MSCHAPv2 as the inner method:

$ cat eapol_test.conf.tls
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
ca_cert="/home/gcheng/myCA/cacert.pem"
client_cert="/home/gcheng/myCA/testuser_cert.pem"
private_key="/home/gcheng/myCA/testuser_key.pem"
private_key_passwd="whatever"
}

$ cat eapol_test.conf.ttls_md5
network={
eap=TTLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
password="password"
anonymous_identity="anonymous"
ca_cert="/home/gcheng/myCA/cacert.pem"
phase2="auth=MD5"
}

$ cat eapol_test.conf.ttls_mschapv2
network={
eap=TTLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
password="password"
anonymous_identity="anonymous"
ca_cert="/home/gcheng/myCA/cacert.pem"
phase2="auth=MSCHAPV2"
}

It is worth mentioning that the EAP-TLS configuration has not only the ca_cert path, like the PEAP and EAP-TTLS configurations, but also paths to a client certificate and private key, and no password line. This is because in EAP-TLS the certificate is the credential: not only does the supplicant verify the server's certificate, the RADIUS server also verifies the supplicant's certificate. The word "client" here is not to be confused with "client" in the FreeRADIUS configuration files: the former is the supplicant, the latter the authenticator. Please also note that the supplicant's certificate must be signed by (one of) the CAs listed in the server's CA_file, otherwise the server rejects it; conversely, any certificate that chains to a CA in that file is accepted, so keep that file down to the CA(s) you actually issue client certificates from.

For each of the configuration files above, just invoke the eapol_test command:

eapol_test -c <eapol_test config file> -a127.0.0.1 -p1812 -stesting123 -r1

Again, instead of using 127.0.0.1 on the local machine, you can run the test from a different host.

About the tools

When using radeapclient and eapol_test, an observant reader may wonder why only two parties are involved in our three-party model. These tools combine the supplicant and the authenticator in one process: they speak EAP as a supplicant would, and wrap it in RADIUS as an authenticator would. That does not affect our testing of the RADIUS server's functionality, but it does mean your real authenticator (switch or access point) and its RADIUS client configuration are not exercised, so expect to revisit clients.conf and the shared secret when you connect the real thing.

Conclusion

If you have passed all the above tests, congratulations! You now have some confidence that your FreeRADIUS server can perform the basic functions of EAP authentication. Of course, to get the server working with real authenticators and real supplicants, to support real-world requirements for authentication and attribute assignment, and to integrate it with other applications like a MySQL or LDAP server, there is a lot more to do. But this is a start and can serve as a reference point. Thanks to its creators and maintainers, FreeRADIUS has become a nice, powerful and robust server, and I hope we all enjoy using it!

Finally, this is all the configuration changes we needed today for the single test user:

$ diff -upNr /usr/local/etc/raddb.orig/ /usr/local/etc/raddb/
diff -upNr /usr/local/etc/raddb.orig/clients.conf /usr/local/etc/raddb/clients.conf
--- /usr/local/etc/raddb.orig/clients.conf 2008-02-28 16:44:51.000000000 -0800
+++ /usr/local/etc/raddb/clients.conf 2008-02-28 17:00:45.000000000 -0800
@@ -227,3 +227,8 @@ client localhost {
# secret = testing123
# }
#}
+
+client 10.166.255.145 {
+ secret = testing123
+ shortname = 10.166.255.145
+}
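Review bot: the client added here is 10.166.255.145, whereas Step 2 showed 192.168.1.100; the entry must name the host that actually runs radtest, radeapclient or eapol_test, otherwise the server drops its requests without replying. It also reuses secret = testing123 from the localhost entry in the context above; give each real NAS its own long random secret, since the secret and the Request Authenticator are all that protect User-Password on the wire.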
diff -upNr /usr/local/etc/raddb.orig/eap.conf /usr/local/etc/raddb/eap.conf
--- /usr/local/etc/raddb.orig/eap.conf 2008-02-28 16:44:51.000000000 -0800
+++ /usr/local/etc/raddb/eap.conf 2008-02-28 18:10:26.000000000 -0800
@@ -145,7 +145,8 @@
cadir = ${confdir}/certs

private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_file = ${certdir}/server.pem
+ private_key_file = /home/gcheng/myCA/radiusd_serverkey.pem

# If Private key & Certificate are located in
# the same file, then private_key_file &
@@ -157,7 +158,8 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ #certificate_file = ${certdir}/server.pem
+ certificate_file = /home/gcheng/myCA/radiusd_servercert.pem

# Trusted Root CA list
#
@@ -174,7 +176,8 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ #CA_file = ${cadir}/ca.pem
+ CA_file = /home/gcheng/myCA/cacert.pem

#
# For DH cipher suites to work, you have to
diff -upNr /usr/local/etc/raddb.orig/users /usr/local/etc/raddb/users
--- /usr/local/etc/raddb.orig/users 2008-02-28 16:44:51.000000000 -0800
+++ /usr/local/etc/raddb/users 2008-02-28 16:47:28.000000000 -0800
@@ -201,3 +201,5 @@ DEFAULT Hint == "SLIP"
# Service-Type = Administrative-User

# On no match, the user is denied access.
+
+testuser Cleartext-Password := "password"
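Review bot: Cleartext-Password := "password" is what Steps 3 and 4 rely on: EAP-MD5 and the MSCHAPv2 inner methods need the cleartext (or NT-hash) form of the password, a crypt-style hash would not work. The price is that the users file now holds passwords in the clear, so it should be readable only by the account radiusd runs as.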

#restart radiusd

# use eapol_test

Comments

Submitted by siddiq on

Hi Gong Cheng,

I need your help...

I followed your steps to bring up FreeRADIUS Server version 2.0.4. The first three tests pass. The last one, Step 4 (Full swing with EAP-TLS, EAP-TTLS and PEAP):

In this I copied the default cert files (Server.pem, ca.pem, server.key) from /etc/raddb/certs to /home/siddiq/myCA/ and modified the eap.conf file as below:

private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_file = ${certdir}/server.pem
+ private_key_file = /home/siddiq/myCA/server.key

# If Private key & Certificate are located in
# the same file, then private_key_file &
@@ -157,7 +158,8 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ #certificate_file = ${certdir}/server.pem
+ certificate_file = /home/siddiq/myCA/server.pem

# Trusted Root CA list
#
@@ -174,7 +176,8 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ #CA_file = ${cadir}/ca.pem
+ CA_file = /home/siddiq/myCA/CA.pem
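Review bot: CA_file here points to /home/siddiq/myCA/CA.pem while the text above says the file copied from /etc/raddb/certs was ca.pem; on a case-sensitive filesystem those are different names, so confirm that the file radiusd loads is the CA that issued the server.pem it serves, and point eapol_test's ca_cert at that same file.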

If I run eapol_test for PEAP, I am not able to succeed. I am getting the following debug output:

rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=0, length=124
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0xe5a9f190f1064283b18a44f0788c5ab9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 33244
EAP-Message = 0x0101001604107474d895dff0602e1dc5dd36932c5388
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab25d5c4571f8c2d74b2e6c795
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=1, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x25d4c0ab25d5c4571f8c2d74b2e6c795
Message-Authenticator = 0xc0707c39d7a339022069596e81509e0d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 33244
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab24d6d9571f8c2d74b2e6c795
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=2, length=235
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202006a1900160301005f0100005b03014829fe0143247c2c8e89d5d6386a2039639b779f3fdae0aa932364c83a11f28100003400390038003500160013000a00330032002f006600050004006300620061001500120009006500640060001400110008000600030100
State = 0x25d4c0ab24d6d9571f8c2d74b2e6c795
Message-Authenticator = 0x3ab143c344058f47b4f8221fb8d94939
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 084e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 33244
EAP-Message = ...
EAP-Message = 0x35c35e68a690f7ef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab26d0d9571f8c2d74b2e6c795
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=4, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x25d4c0ab26d0d9571f8c2d74b2e6c795
Message-Authenticator = 0x7ba134599084f914ffcb4e2db2e7001b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 33244
EAP-Message = ...
EAP-Message = 0xfb814545e3d6a7721014b9878e9d7c07c98f8cb3d0aab36ef1c19540e2386a98d6663db167835967db77a76431c4593b332e1dc3a7a827a397862f176950a9c2b2556e1b5296aa7c839b1f0b16aa1b48ddeaa8b62b06505092fdb1fb9cf9a2ddbc36656a82fb22985d2af454fc2133e34a88ba180615154dc17abb5f1474ab4470575f66d27e1c915846930600a424d4841c15b43a115003f337724e86f3f76b42c7824cdccd2a7f80dcc0a8f13ccb2404b14e811e64c44002f257f87ef39e1b5a06f9a8f8e2d79243a745b09955773f013baeff16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab21d1d9571f8c2d74b2e6c795
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=5, length=333
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500cc1900160301008610000082008040489574e97f9dfac9ff46e793008a6b37f761cfa7411e4ff798670a7e899086c00fed6b4f5bf586d9d0ef16b0dcd6633a30600cc03408597c57f8170286ff7e2da47c73fe464f2a77f797436dd5cf543febf81c22f096fe3a5293894933cd9797f1802f2937052c86ab964f7d021c821569f76d685f91e88d4b8b4232e4a8ea1403010001011603010030e62430122aabd720ad60b9cffa7052344cb96fa808ad2c1836ca82934350b9e6d5425b86bb5c257f7f4e021b9d4ded0c
State = 0x25d4c0ab21d1d9571f8c2d74b2e6c795
Message-Authenticator = 0x5eb31b0f3a74ea7d50ee162b8fdd1c47
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 204
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 33244
EAP-Message = 0x010600411900140301000101160301003012a0472419a814369e65106b484b8f40e9f051e72a1f71fd9ff08201bdaa5a15a94be74d5929bab23f389083312c6598
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab20d2d9571f8c2d74b2e6c795
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=6, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600061900
State = 0x25d4c0ab20d2d9571f8c2d74b2e6c795
Message-Authenticator = 0x32e2251583c149e5e0dd5a2d1d819c48
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 33244
EAP-Message = 0x0107002b190017030100203fbd523ca0adb7b7177cae0e662d32f51601b619d36168b065bc93a1b99f9ca1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab23d3d9571f8c2d74b2e6c795
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=7, length=209
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02070050190017030100208fc24c8474006a4993ee2d8f7bca83ee051b7ee79ad089c64b10267ce15862b31703010020e51b4ec6c4f32906f34148e833898294af02829e78ab3b4a4b33c9648a6e2bca
State = 0x25d4c0ab23d3d9571f8c2d74b2e6c795
Message-Authenticator = 0x52fd8cf6b199c3f735ab8f84a28ffce6
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 7 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - testuser
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0207000d017465737475736572
PEAP: Got tunneled identity of testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to testuser
PEAP: Sending tunneled request
EAP-Message = 0x0207000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 7 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x010800221a0108001d10895c9341f4306d7c524791def93aa3747465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a790fba0a7115e3aa83a67fc6c0586d
PEAP: Processing from tunneled session code 0x81a05a8 11
EAP-Message = 0x010800221a0108001d10895c9341f4306d7c524791def93aa3747465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a790fba0a7115e3aa83a67fc6c0586d
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 33244
EAP-Message = 0x0108004b19001703010040f9376522c88a67f04537e96c8456d27b7667386f920cbf3f17e21c6b6a7da9062fd11d500aa2fa6cac107541754960f3867f914851d63c5a64c31a28f27d5727
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab22dcd9571f8c2d74b2e6c795
Finished request 7.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=8, length=273
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02080090190017030100204848d0fb1e9eb103ba11707814c1dd214388e8929aec19dbaf8f340305ca9d8a17030100609b589a0907ba16dd0e0b9e4001ba32a838b4dec4d431582a800ac3d70918b49f458cb899380a03244a59f8d443bd0bcb8815390393c3a842dc691a6547b4a9a4968083064c288d4a9b964e301f6038c019ddcaa07ce27b262d2219281fe9a5f6
State = 0x25d4c0ab22dcd9571f8c2d74b2e6c795
Message-Authenticator = 0x04ab3a0d8755fc19903b7fa00cf7c2d8
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 144
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800431a0208003e317f0d5379952a2f9677da270f4756151c0000000000000000ebd60209fe4dba946c453654d98590bcc5ff1c9f3ba7ed69007465737475736572
PEAP: Setting User-Name to testuser
PEAP: Sending tunneled request
EAP-Message = 0x020800431a0208003e317f0d5379952a2f9677da270f4756151c0000000000000000ebd60209fe4dba946c453654d98590bcc5ff1c9f3ba7ed69007465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0x0a790fba0a7115e3aa83a67fc6c0586d
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 8 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testuser/] (from client localhost port 0 via TLS tunnel)
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x81a2260 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 33244
EAP-Message = 0x0109002b19001703010020ff35055008bd3da286154685ee9222fe7d3d587e9d0dc70f58aea78dc6f3183e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x25d4c0ab2dddd9571f8c2d74b2e6c795
Finished request 8.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=9, length=209
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02090050190017030100206c355b3c47c7c3eae9cd4197123a34c646d9efde9ee5c4f8320b51ba2d995c041703010020b24577b840dddbcd636a5b695dc263bc0f161dcdfc438a38c726a133a3dbd714
State = 0x25d4c0ab2dddd9571f8c2d74b2e6c795
Message-Authenticator = 0x0eff184ac45c541649a24f866b20d52f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testuser/] (from client localhost port 0 cli 02-00-00-00-00-01)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 127.0.0.1 port 33244
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 0 ID 0 with timestamp +9
Cleaning up request 1 ID 1 with timestamp +9
Cleaning up request 2 ID 2 with timestamp +10
Cleaning up request 3 ID 3 with timestamp +10
Cleaning up request 4 ID 4 with timestamp +

Please help in this regard...

Submitted by Gong Cheng on

hi siddiq, sorry for the late response,

the following in the log shows the failure
=CODE_START=
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testuser/] (from client localhost port 0 via TLS tunnel)
=CODE_END=

somehow your radiusd is not able to find a password for your inner/tunnelled identity. I am not sure if the trailing "/" after "testuser" has anything to do with it.

Could you double check your eapol_test's config file and your users file's matching entry (line 139?)?

thanks.

Submitted by siddiq on

Hi Gong,

Thanks for your reply.

I did the following modification in the eap.conf file: I commented out the line Virtual_Server = "inner tunnel" under the PEAP module.

After that, if I run eapol_test, I get "Access Accept". Now I am using a Windows XP (SP1) laptop as a client. For this I am getting the same error, "Login Incorrect". What is the procedure for authenticating Windows clients to the FreeRADIUS server? Do any certificates need to be created and installed on the Windows Vista laptop? Or do I need to configure any databases, and if so, how? Please help me. Thanks for your help in advance.

Thanks & Regards,
Siddiq

Submitted by Gong Cheng on

Hi Siddiq, again sorry for the late response. (I did get an email notification each time there was an update on the post; however, when I clicked it right away on receiving the email, it was always too early somehow and the update wouldn't show up until later...)

As for windows clients, I could only speak from experience.

Yes,
- if you use any of EAP-TTLS/PEAP/EAP-TLS, you would at least need to install a root CA certificate on it.
- for EAP-TLS, you will also need the client cert and key. (note: the Windows native system doesn't accept .pem format, but accepts a converted .der format (which has both cert and key))
- when you use openssl to generate your certs, you will need to make sure both the server certificate and the client certificate are generated with xp extensions (and the server with the server extension, the client with the client extension). The CA.all script provides that support. You can probably also google how to generate it with xpextensions.

- if you run some other supplicant like xsupplicant on your Windows, it might be a different story, and you may just be able to use the certs as if on a Linux system, but I haven't tried that so can't say much.

Submitted by alex_from_italy

Hi

I've found your article quite interesting. I've followed all your instructions, but I can't use the TLS authentication.
I should generate a client certificate, is that correct? Since, as you said, the client also has to show its credentials.
Surfing the net, I've seen that I should use the Makefile in the /certs folder. But I can't.

What's the correct procedure to create a client certificate? Which certificates do I have to use in eapol_test.conf.tls (something like that), in particular in the private_key and client_cert fields?

Thanks

Alessandro.

Submitted by Gong Cheng on

Hi Alessandro,
I am again late with the responses. If you still have issues with this, I just posted a new script that can very easily generate certificates.
Basically, for TLS, you need both client cert/key and root CA cert on the eapol_test side, and both server cert/key and root CA cert on the RADIUS server side.

For TTLS/PEAP it is a little simpler, you won't need client cert/key on eapol_test side. (in theory, you won't need root CA cert on radius server side either, but it is ok just to put it there anyway)
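
The rule in the two comments above (EAP-TLS needs a CA cert plus a client cert and key on the supplicant side; PEAP and EAP-TTLS need only the CA cert plus an inner identity and password) is easy to get wrong when an eapol_test config is copied from one method to another. The following Python script is an added example, not code from the post or from wpa_supplicant: it parses the key=value lines of an eapol_test/wpa_supplicant network block and reports which supplicant-side material is missing or left over for the chosen method. The sample configurations embedded in it are constructed and their file paths are placeholders.

```python
"""Check an eapol_test network block for the material each EAP method needs.

Added example (not from the post or wpa_supplicant). Option names are the
real wpa_supplicant ones; the sample blocks below are constructed.
"""
import re
from typing import Dict, List

# Keys the supplicant must carry per outer EAP method.
REQUIRED = {
    "TLS":  {"identity", "ca_cert", "client_cert", "private_key"},
    "PEAP": {"identity", "password", "ca_cert", "phase2"},
    "TTLS": {"identity", "password", "ca_cert", "phase2"},
}

# Keys that the method never uses; their presence usually means a copied config.
UNUSED = {
    "PEAP": {"client_cert", "private_key"},
    "TTLS": {"client_cert", "private_key"},
}


def parse_network_block(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the first network={ ... } block."""
    m = re.search(r"network\s*=\s*\{(.*?)^\}", text, re.S | re.M)
    if not m:
        raise ValueError("no network={ ... } block found")
    cfg: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_config(text: str) -> List[str]:
    """List problems that would make the EAP exchange fail or verify nothing."""
    cfg = parse_network_block(text)
    method = cfg.get("eap", "").upper()
    if method not in REQUIRED:
        return [f"eap={cfg.get('eap', '<unset>')} is not one of TLS, PEAP, TTLS"]
    problems: List[str] = []
    for key in sorted(REQUIRED[method] - cfg.keys()):
        if key == "ca_cert":
            # Without a CA cert the supplicant cannot verify who it talks to.
            problems.append("missing ca_cert: the server certificate would not be verified")
        else:
            problems.append(f"missing {key} (required for EAP-{method})")
    for key in sorted(UNUSED.get(method, set()) & cfg.keys()):
        problems.append(f"{key} is not used by EAP-{method}; a client cert/key is only for EAP-TLS")
    return problems


# Constructed EAP-TLS block: the client certificate line was forgotten.
SAMPLE_TLS = """\
network={
    ssid=""
    key_mgmt=IEEE8021X
    eap=TLS
    identity="testuser"
    ca_cert="/path/to/cacert.pem"          # placeholder path
    private_key="/path/to/client.key"      # placeholder path
    private_key_passwd="placeholder"
}
"""

# Constructed PEAP block: no CA cert, plus a client_cert left over from a TLS config.
SAMPLE_PEAP = """\
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="testuser"
    anonymous_identity="anonymous"
    password="testing"
    phase2="auth=MSCHAPV2"
    client_cert="/path/to/client.pem"      # placeholder path
}
"""

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("peap", SAMPLE_PEAP)):
        print(name, check_config(sample) or ["ok"])
```

The checker treats a missing ca_cert as a problem for every method, because that is the setting that makes the supplicant verify the RADIUS server's certificate; the other checks only catch exchanges that would fail anyway.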

Submitted by alex_from_italy

Hi. I have Ubuntu 7.10 and FreeRadius 2.0.5 installed on my machine. I've configured my environment according to your great article. When I test my server locally (loopback address 127.0.0.1), everything works (except for EAP-TLS, but I haven't tried very hard to fix that problem).

Anyway, I need to test my server remotely. I've linked two different machines with Ubuntu 7.10 through an Ethernet cable. On the one where I'm testing the server I've installed only the FreeRadius server, nothing else. The configuration passes all the first three steps. But when I try to test my server with eapol_test I get a FAILURE. I've copied the dir (/home/alex/myCA) of the original server (the one which works locally) to a dir (/home/francesco/myCA) on the remote server (the one which doesn't work) and modified all the references in eap.conf, replacing alex with francesco. Notice that I've copied etc/raddb from the server which worked locally to the one which now, remotely, doesn't work (adding one entry to the users file).

Here is what I get when I try to test my server remotely with a conf file which worked locally.

Server: Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.0.1 port 1449, id=0, length=118
User-Name = "steve"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000a017374657665
Message-Authenticator = 0x91793fd6287c7a590026ec8a56f91676
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "steve", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry steve at line 78
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.16.0.1 port 1449
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010100160410fff5221d5a3f5d7fc5ec4f5b6d5be733
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x69adaf1869acab9af45822a871805acf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.0.1 port 1449, id=1, length=132
User-Name = "steve"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x69adaf1869acab9af45822a871805acf
Message-Authenticator = 0x3c18c00359cad04091c859546649a364
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "steve", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry steve at line 78
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> steve
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 1 to 172.16.0.1 port 1449
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +30
Cleaning up request 1 ID 1 with timestamp +30
Ready to process requests.

Client: alex@alex-desktop:/usr/local/freeradius/etc/conf_for_eap_pol_testing$ sudo eapol_test -c /usr/local/freeradius/etc/conf_for_eap_pol_testing/eapol_test.conf.peap -a172.16.0.2 -p1812 -subuntu -r1
[sudo] password for alex:
Reading configuration file '/usr/local/freeradius/etc/conf_for_eap_pol_testing/eapol_test.conf.peap'
Line: 1 - start of a new network block
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00
00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x8
identity - hexdump_ascii(len=5):
73 74 65 76 65
steve
password - hexdump_ascii(len=7):
74 65 73 74 69 6e 67
testing
ca_cert - hexdump_ascii(len=26):
2f 68 6f 6d 65 2f 61 6c 65 78 2f 6d 79 43 41 2f
/home/alex/myCA/
63 61 63 65 72 74 2e 70 65 6d cacert.
pem
phase2 - hexdump_ascii(len=13):
61 75 74 68 3d 4d 53 43 48 41 50 56 32
auth=MSCHAPV2
anonymous_identity - hexdump_ascii(len=5):
73 74 65 76 65
steve
Priority group 0
id=0 ssid=''
Authentication server 172.16.0.2:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=5):
73 74 65 76 65
steve
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=10)
TX EAP -> RADIUS - hexdump(len=10): 02 00 00 0a 01 73 74 65 76 65
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=5): 73 74 65
76 65
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=118
Attribute 1 (User-Name) length=7
Value: 'steve'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=12
Value: 02 00 00 0a 01 73 74 65 76 65
Attribute 80 (Message-Authenticator) length=18
Value: 91 79 3f d6 28 7c 7a 59 00 26 ec 8a 56 f9 16 76
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 131 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=131
Attribute 6 (?Unknown?) length=6
Attribute 7 (?Unknown?) length=6
Attribute 8 (?Unknown?) length=6
Attribute 9 (?Unknown?) length=6
Attribute 10 (?Unknown?) length=6
Attribute 11 (?Unknown?) length=9
Attribute 12 (Framed-MTU) length=6
Value: 1500
Attribute 13 (?Unknown?) length=6
Attribute 79 (EAP-Message) length=24
Value: 01 01 00 16 04 10 ff f5 22 1d 5a 3f 5d 7f c5 ec 4f 5b 6d
5b e7 33
Attribute 80 (Message-Authenticator) length=18
Value: 0f 00 eb ab ce 42 48 33 cb 1c cb d5 44 de 7f f4
Attribute 24 (State) length=18
Value: 69 ad af 18 69 ac ab 9a f4 58 22 a8 71 80 5a cf
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-
Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 19
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 19
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=132
Attribute 1 (User-Name) length=7
Value: 'steve'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 01 00 06 03 19
Attribute 24 (State) length=18
Value: 69 ad af 18 69 ac ab 9a f4 58 22 a8 71 80 5a cf
Attribute 80 (Message-Authenticator) length=18
Value: 3c 18 c0 03 59 ca d0 40 91 c8 59 54 66 49 a3 64
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 01 00 04
Attribute 80 (Message-Authenticator) length=18
Value: 9b 80 a5 d3 4a 83 07 61 be 85 18 df bf 96 7b 5f
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP
Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
MPPE keys OK: 0 mismatch: 2
FAILURE

If I try to modify the IP address with 127.0.0.1 and the secret with the one of the localhost, I get a SUCCESS.

I need to solve this problem before the first of September since I'm a student and my project is a stress test of the FreeRadius server. (I can't test it locally, since the same resources are used both for client and server.) If I don't complete this task by the first of September, I lose all my work (a report on AAA protocols and the related tests).

Thanks a lot for any help

Alessandro

Submitted by Gong Cheng on

hi, i assume you already passed eap-md5 test remotely?

can you post your output from freeradius side by running it in debug mode

radiusd -X

-gong
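
The two rejections in this thread, siddiq's inner-tunnel MS-CHAPv2 failure ("FAILED: No NT/LM-Password") and the remote server above answering the supplicant's request for PEAP with "NAK asked for unsupported type 25 / No common EAP types found", each show up as a few characteristic lines in the radiusd -X output Gong asks for. The following Python script is an added example, not part of the original post and not FreeRADIUS code: it scans a debug transcript, records whether each rejection was logged inside the inner-tunnel virtual server, and maps the message to the configuration item to check. The sample transcripts embedded in it are constructed from short excerpts of the logs posted above; reading the NAK line as "the requested EAP type is not enabled in eap.conf" is my interpretation of rlm_eap's message.

```python
"""Triage helper for FreeRADIUS 2.x ``radiusd -X`` output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# EAP method numbers as printed in "NAK asked for unsupported type N".
EAP_TYPE_NAMES = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# (pattern, cause, what to check); list order = priority, first match is the root cause.
RULES = [
    (re.compile(r"rlm_mschap: FAILED: No NT/LM-Password"),
     "no usable password for the inner identity",
     "add a Cleartext-Password (or NT-Password) entry for the user in the users file "
     "read by the inner-tunnel server; MS-CHAPv2 cannot be verified without one"),
    (re.compile(r"rlm_eap: NAK asked for unsupported type (\d+)"),
     "supplicant refused the offered EAP type and asked for one the server has not enabled",
     "enable that EAP type in eap.conf (and consider making it default_eap_type)"),
    (re.compile(r"rlm_eap_peap: Had sent TLV failure"),
     "PEAP outer session is reporting an earlier inner-tunnel rejection",
     "this line is a consequence; look at the first inner-tunnel rejection instead"),
]


@dataclass
class Finding:
    line_no: int
    where: str                      # "inner-tunnel" or "outer"
    cause: str
    check: str
    eap_type: Optional[int] = None


@dataclass
class Triage:
    user: Optional[str] = None
    outcome: str = "unknown"        # "accept", "reject" or "unknown"
    findings: List[Finding] = field(default_factory=list)


def triage(log_text: str) -> Triage:
    """Scan a radiusd -X transcript and collect rejection findings in log order."""
    result = Triage()
    in_inner = False
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        # radiusd brackets processing in the inner virtual server with these markers.
        if line.startswith("server inner-tunnel {"):
            in_inner = True
        elif line.startswith("} # server inner-tunnel"):
            in_inner = False
        m = re.match(r'User-Name = "([^"]*)"', line)
        if m and result.user is None:
            result.user = m.group(1)
        if line.startswith("Sending Access-Reject"):
            result.outcome = "reject"
        elif line.startswith("Sending Access-Accept"):
            result.outcome = "accept"
        for pattern, cause, check in RULES:
            m = pattern.search(line)
            if m:
                finding = Finding(no, "inner-tunnel" if in_inner else "outer", cause, check)
                if m.groups():
                    finding.eap_type = int(m.group(1))
                result.findings.append(finding)
    return result


def root_cause(result: Triage) -> Optional[Finding]:
    """Earliest finding wins; later ones (e.g. the PEAP TLV failure) only echo it."""
    return result.findings[0] if result.findings else None


def describe(finding: Finding) -> str:
    extra = ""
    if finding.eap_type is not None:
        extra = f" (type {finding.eap_type} = {EAP_TYPE_NAMES.get(finding.eap_type, 'unknown')})"
    return f"line {finding.line_no} [{finding.where}]: {finding.cause}{extra}; check: {finding.check}"


# Constructed sample 1: PEAP/MS-CHAPv2 where the inner user has no password on file.
SAMPLE_PEAP = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 33244, id=8, length=273
User-Name = "testuser"
server inner-tunnel {
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
} # server inner-tunnel
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
Sending Access-Reject of id 9 to 127.0.0.1 port 33244
"""

# Constructed sample 2: server offers EAP-MD5, supplicant NAKs asking for PEAP (25).
SAMPLE_NAK = """\
rad_recv: Access-Request packet from host 172.16.0.1 port 1449, id=1, length=132
User-Name = "steve"
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
Sending Access-Reject of id 1 to 172.16.0.1 port 1449
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PEAP, SAMPLE_NAK):
        result = triage(sample)
        cause = root_cause(result)
        print(f"user={result.user} outcome={result.outcome}")
        print("  " + (describe(cause) if cause else "no known failure pattern"))
```

Run it against a saved radiusd -X transcript by passing the file contents to triage(); the inner-tunnel marker tracking matters because the same module names appear in both virtual servers, and the fix for a reject inside the tunnel lives in the inner-tunnel server's configuration, not the outer one's.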

Submitted by alex_from_italy

Thanks a lot for your answers.

Anyway, just now I've seen that. I've resolved this problem. The one with TLS is instead still open :). Could you tell me exactly where the script for generating the client and server cert/key you've added is? The specification of the modifications to the configuration file of eapol_test (the fields specified in the other comment I left) and to eap.conf (in FreeRADIUS) would also be very much appreciated.
I've tried also yesterday, but I've obtained no results.

I need that for a thesis, part of an exam at the university, on stress testing the FreeRadius server with heavy authentication loads.

Thank you very much.

Alessandro.

P.S.: Really no kind of problem for your delay.

Submitted by Gong Cheng on

The new script I created is in this post of mine:

http://www.freesoftwaremagazine.com/community_posts/generating_self_signed_test_certificates_using_one_single_shell_script

As for the TLS configurations, it is all in this post itself. I didn't need anything else.

If you still experience TLS problem, the log from radiusd side, especially the part with failure messages, would be very helpful in the diagnosis

-gong

Submitted by alex_from_italy

Thanks a lot.

It works great.

I've linked it in my thesis about secure configuration of FreeRADIUS, in the section about the generation of certificates.

Alessandro

Submitted by domel90 on

I have configured a freeradius2 server on CentOS and a Cisco Catalyst 2950 switch, which requires 802.1X authentication from clients (Windows XP).

I have changed only /etc/raddb/clients.conf and /etc/raddb/users files.

All of tests which you described, I have performed and it's working well.

When the Windows XP client is using MD5-Challenge authentication, it works properly and the client is able to connect to my network.

But i would like to use PEAP (EAP-MSCHAPv2) authentication.

I have configured the clients like this:

http://212.191.88.2/~dwolnicki/kamiz/1.png
http://212.191.88.2/~dwolnicki/kamiz/2.png

But client can not be authenticated by the freeradius server.

I got this screen.

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}

radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
:
}
client 192.168.0.0/16 {
require_message_authenticator = no
secret = "remote"
shortname = "private-network-1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

rad_recv: Access-Request packet from host 192.168.0.250 port 1812, id=230, length=100
NAS-IP-Address = 192.168.0.250
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "domel"
Calling-Station-Id = "00-1C-25-1A-01-FB"
Service-Type = Framed-User
EAP-Message = 0x0201000a01646f6d656c
Message-Authenticator = 0x84ed781a5a3a6725cd4c26c882893200
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "domel", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry domel at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 230 to 192.168.0.250 port 1812
EAP-Message = 0x010200160410b9bd67a1ac50036116f1c32d8dda0436
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e8a17c65e8813bb06a5f383d0675698
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.250 port 1812, id=231, length=114
NAS-IP-Address = 192.168.0.250
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "domel"
Calling-Station-Id = "00-1C-25-1A-01-FB"
Service-Type = Framed-User
State = 0x5e8a17c65e8813bb06a5f383d0675698
EAP-Message = 0x020200060319
Message-Authenticator = 0xc722fae4c1fd0bb5921d749d3bbbed24
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "domel", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry domel at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 231 to 192.168.0.250 port 1812
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e8a17c65f890ebb06a5f383d0675698
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.250 port 1812, id=232, length=188
NAS-IP-Address = 192.168.0.250
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "domel"
Calling-Station-Id = "00-1C-25-1A-01-FB"
Service-Type = Framed-User
State = 0x5e8a17c65f890ebb06a5f383d0675698
EAP-Message = 0x0203005019800000004616030100410100003d03014ec6358c27ae5accd26d068edf67f17505b8a4e13a29a36b11d087cc8f8b0c7500001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xea8b7896b47fd9d5e0d6dd9f79806d87
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "domel", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 232 to 192.168.0.250 port 1812
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e8a17c65c8e0ebb06a5f383d0675698
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 230 with timestamp +12
Cleaning up request 1 ID 231 with timestamp +12
Cleaning up request 2 ID 232 with timestamp +12
Ready to process requests.

So please tell me what is wrong??
Thank you very much.
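The EAP-Message values in the log above can be read by hand once the EAP header and the EAP-TLS framing are known. The decoder below is an added example, not part of the post or of FreeRADIUS: it walks each hex string the way the server does (the Identity response, the Nak asking for PEAP, the PEAP Start request carrying the S flag, and the ClientHello fragment whose L-bit length of 70 matches the "TLS Length 70" line) and pulls the offered cipher suites out of the ClientHello. The sample lines are copied from the log; the function names are this example's own.

```python
"""Decode the EAP-Message values that ``radiusd -X`` prints: RFC 3748 header,
EAP-TLS/TTLS/PEAP flags and length, the outer TLS record and ClientHello suites.
Added example, not part of the post or of FreeRADIUS; SAMPLE_LOG holds four
lines copied from the log above (hex joined onto one line), the rest is constructed."""
import re, struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def client_hello_suites(hs):
    # hs starts at the handshake header; skip header, client_version and random
    pos = 4 + 2 + 32
    pos += 1 + hs[pos]                     # session_id length byte and session_id
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    return ["0x%04x" % struct.unpack("!H", hs[i:i + 2])[0]
            for i in range(pos + 2, pos + 2 + n, 2)]

def decode_eap(hexstr):
    """Describe one EAP packet given as the '0x...' string from the log."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(raw) < 5:      # Success/Failure carry no type field
        return info
    etype, body = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = body.decode("ascii", "replace")
    elif etype == 3:                        # Nak: methods the peer wants instead
        info["desired_types"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype == 4:                        # value-size byte, then the challenge
        info["challenge"] = body[1:1 + body[0]].hex()
    elif etype in (13, 21, 25):             # flags [4-byte TLS length] TLS data
        flags = body[0]
        info["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80:                    # L bit: total TLS message length follows
            info["tls_length"] = struct.unpack("!I", body[1:5])[0]
        tls = body[5:] if flags & 0x80 else body[1:]
        if len(tls) > 5:                    # outer TLS record; version (3, 1) is TLS 1.0
            ctype, major, minor, rlen = struct.unpack("!BBBH", tls[:5])
            info["tls_record"] = {"content_type": ctype, "version": (major, minor), "length": rlen}
            if ctype == 22:                 # Handshake record
                info["handshake"] = HANDSHAKE.get(tls[5], tls[5])
                if tls[5] == 1:
                    info["cipher_suites"] = client_hello_suites(tls[5:])
    return info

def decode_log(text):
    # decode every 'EAP-Message = 0x...' line in a block of radiusd -X output
    return [decode_eap(m) for m in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]

SAMPLE_LOG = """\
EAP-Message = 0x0201000a01646f6d656c
EAP-Message = 0x020200060319
EAP-Message = 0x010300061920
EAP-Message = 0x0203005019800000004616030100410100003d03014ec6358c27ae5accd26d068edf67f17505b8a4e13a29a36b11d087cc8f8b0c7500001600040005000a000900640062000300060013001200630100
"""
```

The cipher_suites field lists what the supplicant offered; in this log that includes RC4 and export-grade suites, which is worth knowing when choosing the server's cipher_list.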

Author information

Gong Cheng

Biography

I am a software developer in computer networking areas, living in California, United States. I worked on routers, switches and Wi-Fi access-points. I am a father of one baby boy. In the limited spare time I have, I like jogging and reading non-fiction books.