We've got a Debian Lenny + FreeRadius and cannot seem to authenticate a wireless laptop.
At this point, all I want is the users file entries to work, with ClearText passwords. Eventually we'll use LDAP but we want this up first with ClearText passwords and MD5.
1. FreeRadius installed, 2.1.10+dfsg-2~bpo50+1 from Debian Backports
2. AirPort v7.5.1, set up for WPA2 Enterprise, ip 10.10.10.75
3. Apple OSX laptop, 10.5.8
When running 'freeradius -Xxx' from the Debian cli I can see the authentication fail as though the OSX machine (or the AirPort router?) isn't passing along the password (from the FreeRadius cli run):
Code:
Info: [pap] No clear-text password in the request. Not performing PAP.
Additionally, the OSX machine always prompts me for an SSL Cert to use, but with MD5 checkmarked as the only option in the 802.1x networking screen, this shouldn't be happening, making it more difficult to tell where this problem lies.
The OSX machine keeps cycling through "Authenticating" and "Authenticating with MD5", and then settles on "AirPort has a self-assigned IP Address..." (meaning the laptop, not the AirPort wifi router).
The AirPort router (10.10.10.75) gives this info:
Code:
Dec 6 14:52:41 5 Clock synchronized to network time server time.apple.com (adjusted -2 seconds).
Dec 6 15:50:25 5 Rotated CCMP group key.
Dec 6 15:52:41 5 Clock synchronized to network time server time.apple.com (adjusted +0 seconds).
Dec 6 15:55:04 5 Associated with station 00:1c:b3:c6:35:57
Dec 6 15:55:04 4 Authenticating station 00:1c:b3:c6:35:57 to RADIUS.
Dec 6 15:56:12 5 Disassociated with station 00:1c:b3:c6:35:57
Dec 6 15:56:21 5 Connection accepted from [::ffff:10.10.11.133]:1086.
It seems to continually loop through 'Associated/Authenticating/Disassociated' messages.
The FreeRadius (freeradius -Xxx) run gives this after the initial config (I can provide that if required):
Code:
rad_recv: Access-Request packet from host 10.10.10.75 port 58147, id=29, length=154
User-Name = "testing"
NAS-IP-Address = 10.10.10.75
NAS-Port = 0
Called-Station-Id = "60-33-4B-E3-DF-00:SBC-test"
Calling-Station-Id = "00-1C-B3-C6-35-57"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x02b7000c0174657374696e67
Message-Authenticator = 0x3c500be68ce946eabb733245870e1759
Mon Dec 6 16:21:29 2010 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Dec 6 16:21:29 2010 : Info: +- entering group authorize {...}
Mon Dec 6 16:21:29 2010 : Info: ++[preprocess] returns ok
Mon Dec 6 16:21:29 2010 : Info: [files] users: Matched entry testing at line 78
Mon Dec 6 16:21:29 2010 : Info: ++[files] returns ok
Mon Dec 6 16:21:29 2010 : Info: [files] users: Matched entry testing at line 78
Mon Dec 6 16:21:29 2010 : Info: ++[files] returns ok
Mon Dec 6 16:21:29 2010 : Info: ++[expiration] returns noop
Mon Dec 6 16:21:29 2010 : Info: ++[logintime] returns noop
Mon Dec 6 16:21:29 2010 : Info: [pap] No clear-text password in the request. Not performing PAP.
Mon Dec 6 16:21:29 2010 : Info: ++[pap] returns noop
Mon Dec 6 16:21:29 2010 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Mon Dec 6 16:21:29 2010 : Info: WARNING: Use the PAP or CHAP modules instead.
Mon Dec 6 16:21:29 2010 : Info: No User-Password or CHAP-Password attribute in the request.
Mon Dec 6 16:21:29 2010 : Info: Cannot perform authentication.
Mon Dec 6 16:21:29 2010 : Info: Failed to authenticate the user.
Mon Dec 6 16:21:29 2010 : Auth: Login incorrect: [testing/<no User-Password attribute>] (from client SBC-test port 0 cli 00-1C-B3-C6-35-57)
Mon Dec 6 16:21:29 2010 : Info: Using Post-Auth-Type Reject
Mon Dec 6 16:21:29 2010 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Dec 6 16:21:29 2010 : Info: +- entering group REJECT {...}
Mon Dec 6 16:21:29 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> testing
Mon Dec 6 16:21:29 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Dec 6 16:21:29 2010 : Info: ++[attr_filter.access_reject] returns updated
Mon Dec 6 16:21:29 2010 : Info: Delaying reject of request 0 for 1 seconds
Mon Dec 6 16:21:29 2010 : Debug: Going to the next request
Mon Dec 6 16:21:29 2010 : Debug: Waking up in 0.9 seconds.
Mon Dec 6 16:21:30 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 29 to 10.10.10.75 port 58147
Mon Dec 6 16:21:30 2010 : Debug: Waking up in 4.9 seconds.
Mon Dec 6 16:21:35 2010 : Info: Cleaning up request 0 ID 29 with timestamp +98
Mon Dec 6 16:21:35 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.75 port 58147, id=30, length=154
User-Name = "testing"
NAS-IP-Address = 10.10.10.75
NAS-Port = 0
Called-Station-Id = "60-33-4B-E3-DF-00:SBC-test"
Calling-Station-Id = "00-1C-B3-C6-35-57"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x028d000c0174657374696e67
Message-Authenticator = 0x38aead4bfe3255183b1835bf927c5bb7
Mon Dec 6 16:22:31 2010 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Dec 6 16:22:31 2010 : Info: +- entering group authorize {...}
Mon Dec 6 16:22:31 2010 : Info: ++[preprocess] returns ok
Mon Dec 6 16:22:31 2010 : Info: [files] users: Matched entry testing at line 78
Mon Dec 6 16:22:31 2010 : Info: ++[files] returns ok
Mon Dec 6 16:22:31 2010 : Info: [files] users: Matched entry testing at line 78
Mon Dec 6 16:22:31 2010 : Info: ++[files] returns ok
Mon Dec 6 16:22:31 2010 : Info: ++[expiration] returns noop
Mon Dec 6 16:22:31 2010 : Info: ++[logintime] returns noop
Mon Dec 6 16:22:31 2010 : Info: [pap] No clear-text password in the request. Not performing PAP.
Mon Dec 6 16:22:31 2010 : Info: ++[pap] returns noop
Mon Dec 6 16:22:31 2010 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Mon Dec 6 16:22:31 2010 : Info: WARNING: Use the PAP or CHAP modules instead.
Mon Dec 6 16:22:31 2010 : Info: No User-Password or CHAP-Password attribute in the request.
Mon Dec 6 16:22:31 2010 : Info: Cannot perform authentication.
Mon Dec 6 16:22:31 2010 : Info: Failed to authenticate the user.
Mon Dec 6 16:22:31 2010 : Auth: Login incorrect: [testing/<no User-Password attribute>] (from client SBC-test port 0 cli 00-1C-B3-C6-35-57)
Mon Dec 6 16:22:31 2010 : Info: Using Post-Auth-Type Reject
Mon Dec 6 16:22:31 2010 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Dec 6 16:22:31 2010 : Info: +- entering group REJECT {...}
Mon Dec 6 16:22:31 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> testing
Mon Dec 6 16:22:31 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Dec 6 16:22:31 2010 : Info: ++[attr_filter.access_reject] returns updated
Mon Dec 6 16:22:31 2010 : Info: Delaying reject of request 1 for 1 seconds
Mon Dec 6 16:22:31 2010 : Debug: Going to the next request
Mon Dec 6 16:22:31 2010 : Debug: Waking up in 0.9 seconds.
Mon Dec 6 16:22:32 2010 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 30 to 10.10.10.75 port 58147
Mon Dec 6 16:22:32 2010 : Debug: Waking up in 4.9 seconds.
Mon Dec 6 16:22:37 2010 : Info: Cleaning up request 1 ID 30 with timestamp +160
Mon Dec 6 16:22:37 2010 : Info: Ready to process requests.
Please note the warning
Code:
Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
has been looked into, and that string is nowhere in the configs, nor is the string "auth_type = Local".
The users file has this string in it:
Code:
testing Cleartext-Password := "hello"
The eap.conf file only has this in it to try to remove complexity:
Can anyone assist me or show me where to look next? Most of my research discusses SSL certs which we want to avoid.
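
Added example (not part of the original post, and not FreeRADIUS code): a small decoder for the EAP-Message attribute and the module trace in the debug output above. It shows that the request carries an EAP Response/Identity for "testing" rather than a User-Password, and that no eap module appears among the modules that ran. SAMPLE is a trimmed excerpt of the quoted log, and the function names are hypothetical.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}

# Trimmed excerpt of the first request in the debug output quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.10.10.75 port 58147, id=29, length=154
User-Name = "testing"
EAP-Message = 0x02b7000c0174657374696e67
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[files] returns ok
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] No clear-text password in the request. Not performing PAP.
Info: ++[pap] returns noop
Info: No User-Password or CHAP-Password attribute in the request.
"""

def parse_eap(hex_value):
    """Decode the EAP header (RFC 3748): code, identifier, length, then type."""
    digits = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length field does not fit the attribute")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] in (1, 2) and length >= 5:  # only Request/Response carry a type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def diagnose(debug_output):
    """Summarise one request: the EAP packet it carried and which modules ran."""
    match = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_output)
    modules = re.findall(r"\+\+\[([\w.]+)\] returns", debug_output)
    eap = parse_eap(match.group(1)) if match else None
    return {
        "eap": eap,
        "modules": modules,
        "has_user_password": bool(re.search(r"^\s*User-Password = ", debug_output, re.M)),
        "eap_request_without_eap_module": eap is not None and "eap" not in modules,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
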