FreeRadius Server installation and configuration on Linux system
Hi,
I've installed the FreeRadius server on my Linux system and I could run the server with ./radiusd -X, and it is ready to process requests as given below:
-----------------------------------------------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
--------------------------------------------------------
As I want to configure and test the same system as its client, I've added the following to raddb/clients.conf:
Code:
client localhost {
        secret = testing123
        shortname = ldap
}
And as I want to test for the root user, I have added the line:
Code:
root Cleartext-Password := "nmsworks"
to the raddb/users file. Now when I give the following command from a terminal:
Code:
radtest root nmsworks localhost 1 testing123
I get:
Sending Access-Request of id 164 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "nmsworks"
        NAS-IP-Address = 192.168.9.26
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=164, length=20
and on the radius server terminal, I get:
rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=164, length=56
        User-Name = "root"
        User-Password = "nmsworks"
        NAS-IP-Address = 192.168.9.26
        NAS-Port = 1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 164 to 127.0.0.1 port 32791
Waking up in 4.9 seconds.
Cleaning up request 0 ID 164 with timestamp +346
Ready to process requests.
------------------------------------------------------
I want to know what is wrong here. Is it the configuration, the command, or something else? |
I had a hard time configuring that same server two years ago! I wrote a 68-page document about it for my degree. I can give it to you if you want, but it's all in French.
Quote:
In raddb/users, you should try something like:
Code:
root Auth-Type := EAP, Cleartext-Password := nmsworks |
Thanks Truboy,
But the solution you suggested also doesn't work.
Sending Access-Request of id 220 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "nmsworks"
        NAS-IP-Address = 192.168.9.26
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=20
At the server prompt, I get the following message:
rad_recv: Access-Request packet from host 127.0.0.1 port 32798, id=220, length=56
        User-Name = "root"
        User-Password = "nmsworks"
        NAS-IP-Address = 192.168.9.26
        NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
------------------------------------------------------------------------------
Is there anything I should do on the password front, as the WARNING says there is no "known good" password for the user? |
Quote:
Code:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user |
Hi,
It is given as md5, as below, within eap.conf:
Code:
default_eap_type = md5 |
OK, not sure, but try this:
- File raddb/eap.conf, add under section eap:
Code:
default_eap_type = ttls Code:
default_eap_type = mschapv2 Code:
root Cleartext-Password := nmsworks
- File raddb/eap.conf, add under section eap:
Code:
default_eap_type = peap Code:
root Cleartext-Password := nmsworks |
Truman,
Still it doesn't work for either of the changes you mentioned. On the client side it is reported with an Access-Reject packet as:
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=42, length=20
and the server-side error message is (the same for both changes except the ids and timestamps):
-----------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1 port 32799, id=42, length=56
        User-Name = "root"
        User-Password = "nmsworks"
        NAS-IP-Address = 192.168.9.26
        NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 42 to 127.0.0.1 port 32799
Waking up in 4.9 seconds.
Cleaning up request 0 ID 42 with timestamp +7
Ready to process requests.
---------------------------------------------------- |
Oh, and I forgot to mention: you have to configure the user ID, Cleartext-Password and method (TTLS or PEAP) on the machine that tries to connect!
I can help you with that if the machine is running Mac OS X, but don't know much on this for Linux/Windows. Anyway, it's somewhere in the network configuration. Cheers |
Truboy,
Please give me the instructions to configure the user name and password on the calling machine, irrespective of the OS (note: here I'm using the same system to make the call 'radtest root nmsworks localhost 0 testing123' from a different terminal). I hope I can get the equivalent instructions for my Linux OS. Thank you very much for the support you're providing. |
Quote:
As I said, I know how to configure this in Mac OS X, but not in other OSes. Are you trying to connect with CentOS? I took a look at how to do this in Ubuntu and figured it out (it should be nearly the same with other distros):
- Right click the network manager (the icon should be at the top right of your screen)
- Select Connections settings or anything meaning the same
- Find your wireless connection and click Modify or anything meaning the same
- In the Security tab, choose WPA/WPA2-Enterprise and configure the rest depending on your FreeRADIUS configuration
If I'm wrong, Google it! Let me know! Cheers. |
Hi,
I could get some information from the site below for setting up EAP: http://www.freesoftwaremagazine.com/...uthentications
As per this site I issued the command:
Code:
( echo "User-Name = \"root\""; echo "Cleartext-Password = \"nmsworks\""; echo "EAP-Code = Response"; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"root\""; echo "Message-Authenticator = 0x00"; ) | radeapclient -x 127.0.0.1 auth testing123
The output at the client terminal is:
Sending Access-Request packet to host 127.0.0.1 port 1812, id=26, length=0
        User-Name = "root"
        Cleartext-Password = "nmsworks"
        EAP-Code = Response
        EAP-Id = 210
        EAP-Type-Identity = "root"
        Message-Authenticator = 0x00
        EAP-Message = 0x02d2000901726f6f74
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=26, length=80
        EAP-Message = 0x01d3001604105c882d850f96396a791350d192698369
        Message-Authenticator = 0xd2c319108a1f3dc600a8d69f49bf4cce
        State = 0x2a5db9662a8ebdd12f55a7050a873063
        EAP-Id = 211
        EAP-Code = Request
        EAP-Type-MD5 = 0x105c882d850f96396a791350d192698369
Sending Access-Request packet to host 127.0.0.1 port 1812, id=27, length=55
        User-Name = "root"
        Cleartext-Password = "nmsworks"
        EAP-Code = Response
        EAP-Id = 211
        Message-Authenticator = 0x00000000000000000000000000000000
        EAP-Type-MD5 = 0x10d3cbcd198e0d6406c6584ca74a191602
        State = 0x2a5db9662a8ebdd12f55a7050a873063
        EAP-Message = 0x02d300160410d3cbcd198e0d6406c6584ca74a191602
Received Access-Reject packet from host 127.0.0.1 port 1812, id=27, length=44
        EAP-Message = 0x04d30004
        Message-Authenticator = 0x5b57ebb4f5709e1339d5d0ae4dbe057f
        EAP-Id = 211
        EAP-Code = Failure
-----------------------------------------------------------
At the server terminal, I got the following:
rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=244, length=55
        User-Name = "root"
        Message-Authenticator = 0x4f8feac41d674e739f3c05c6204edf26
        EAP-Message = 0x02d2000901726f6f74
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 210 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 244 to 127.0.0.1 port 32785
        EAP-Message = 0x01d3001604107af6cc87d9f8173bfcc546ddb4dee4d8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7ec137667e1233d38b95d8e7dd966715
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=245, length=86
        User-Name = "root"
        Message-Authenticator = 0x74adad66ba105d89618e792c223072cd
        State = 0x7ec137667e1233d38b95d8e7dd966715
        EAP-Message = 0x02d3001604109af76b1473ece42e1ea6f2c587361cae
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 211 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 245 to 127.0.0.1 port 32785
        EAP-Message = 0x04d30004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 9 ID 244 with timestamp +744
Waking up in 1.0 seconds.
Cleaning up request 10 ID 245 with timestamp +744
Ready to process requests.
---------------------------------------------------------------
Do I need to change the value of any of the parameters given to the client on the command line? |
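The exchange above, as an added example that is not code from this thread or from FreeRADIUS: it decodes the EAP-Message hex strings that radeapclient and radiusd -X print, and reproduces both sides of the EAP-MD5 round trip, which shows why rlm_eap_md5 reports that Cleartext-Password is required: the server can only check the response by recomputing MD5(id || password || challenge) from a stored cleartext password, never from a hash. The challenge packet is the one from the Access-Challenge in the thread, the password "nmsworks" is the one from the users file, and all function names are my own.

```python
import hashlib
import hmac

# EAP header (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data
# EAP-MD5 Type-Data (RFC 3748 s.5.4, same as CHAP in RFC 1994): Value-Size(1) Value [Name]
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4

# Access-Challenge EAP-Message observed in the thread (id 211, 16-byte MD5 challenge)
CHALLENGE_MSG = "0x01d3001604105c882d850f96396a791350d192698369"


def parse_eap_message(hexstr):
    """Decode an EAP-Message attribute as printed by radeapclient / radiusd -X."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP Length field does not match the packet size")
    pkt = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type and Type-Data
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_MD5:
            size = raw[5]
            pkt["value"] = raw[6:6 + size]  # challenge (Request) or digest (Response)
            pkt["name"] = raw[6 + size:]
    return pkt


def md5_response(ident, password, challenge):
    """CHAP/EAP-MD5 digest: MD5(Identifier || secret || Challenge), RFC 1994 s.4.1."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_response(request_hex, password):
    """Client side (what radeapclient does): answer the challenge with the user's password."""
    req = parse_eap_message(request_hex)
    digest = md5_response(req["id"], password, req["value"])
    body = bytes([EAP_TYPE_MD5, len(digest)]) + digest
    header = bytes([2, req["id"]]) + (4 + len(body)).to_bytes(2, "big")
    return "0x" + (header + body).hex()


def server_verify(request_hex, response_hex, cleartext_password):
    """Server side (what rlm_eap_md5 needs Cleartext-Password for): recompute and compare."""
    req, resp = parse_eap_message(request_hex), parse_eap_message(response_hex)
    if resp["id"] != req["id"] or resp.get("type") != EAP_TYPE_MD5:
        return False
    expected = md5_response(resp["id"], cleartext_password, req["value"])
    return hmac.compare_digest(expected, resp["value"])


if __name__ == "__main__":
    resp = build_response(CHALLENGE_MSG, b"nmsworks")
    print(parse_eap_message(CHALLENGE_MSG))
    print("accept:", server_verify(CHALLENGE_MSG, resp, b"nmsworks"))
    print("reject:", server_verify(CHALLENGE_MSG, resp, b"wrong-password"))
```

The same property is why EAP-MD5 cannot be verified against a hashed password store and offers the supplicant no way to authenticate the server; TTLS or PEAP, which the thread moves on to, wrap the inner exchange in TLS instead.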
Quote:
But what is annoying me is that the server still tries to authenticate the user using md5. What do you have in raddb/eap.conf, section eap, for default_eap_type? |
Hi,
All the lines containing md5 in raddb/eap.conf are commented out and default_eap_type is set to ttls. Same reply. But my system has radclient. I used it and got the reply below:
Code:
echo "Message-Authenticator = 0x00" | radclient localhost status testing123
Received response ID 17, code 2, length = 20
Server side also:
rad_recv: Status-Server packet from host 127.0.0.1 port 32785, id=17, length=38
        Message-Authenticator = 0x8e48ffdd95efd05d6a63c4658ee1673e
Sending Access-Accept of id 17 to 127.0.0.1 port 32785
Finished request 10.
Cleaning up request 10 ID 17 with timestamp +318
Going to the next request
Ready to process requests.
Thank you Truboy. I need to go on from here, I believe. I may have to look at other such commands from the client side to get proper responses. |
Great :D! |
for Truboy
Quote:
I had a hard time configuring that same server two years ago! I wrote a 68-page document about it for my degree. I can give it to you if you want, but it's all in French.
Hi, I think I'm having the same problem here. Can you please send me the document that you wrote? This is my e-mail: ahmed.chelbi.alpha@gmail.com and thanks :) |