LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-11-2011, 11:33 PM   #1
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Rep: Reputation: 0
FreeRadius Server installation and configuration on Linux system


Hi,

I've installed the FreeRADIUS server on my Linux system and I can run it with ./radiusd -X;
it is ready to process requests, as shown below:
-----------------------------------------------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
--------------------------------------------------------

As I want to configure and test the same system as its client, I've added the following to raddb/clients.conf:

client localhost {
secret = testing123
shortname = ldap
}

And to test with the root user, I have added the line:
root Cleartext-Password := "nmsworks"
to raddb/users file.

Now when I run the following command from a terminal,
radtest root nmsworks localhost 1 testing123

I get:
Sending Access-Request of id 164 to 127.0.0.1 port 1812
User-Name = "root"
User-Password = "nmsworks"
NAS-IP-Address = 192.168.9.26
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=164, length=20

and on the radius server terminal, I get:

rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=164, length=56
User-Name = "root"
User-Password = "nmsworks"
NAS-IP-Address = 192.168.9.26
NAS-Port = 1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 164 to 127.0.0.1 port 32791
Waking up in 4.9 seconds.
Cleaning up request 0 ID 164 with timestamp +346
Ready to process requests.

------------------------------------------------------

I want to know what is wrong here: is it the configuration, the command, or something else?
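As an added example (not from this thread or from FreeRADIUS), a small Python helper that reads a `radiusd -X` trace like the one above and states what each module line implies; the sample input is constructed from the lines of this post.

```python
"""Triage helper for a FreeRADIUS 2.x "radiusd -X" trace. Added example for this
thread, not FreeRADIUS code: it reads one request's module trace and explains why
the authorize section finished without an Auth-Type."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the authorize trace from the first post, trimmed to the lines that matter.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=164, length=56
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
"""

MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)")

@dataclass
class Triage:
    rcodes: Dict[str, str] = field(default_factory=dict)  # module -> return code
    auth_type: Optional[str] = None                       # from "Found Auth-Type = ..."
    no_auth_type: bool = False                            # the rejecting ERROR line was seen
    findings: List[str] = field(default_factory=list)

def triage(debug_output: str) -> Triage:
    t = Triage()
    for line in debug_output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            t.rcodes[m["module"]] = m["rcode"]
        elif line.startswith("Found Auth-Type = "):
            t.auth_type = line.split("= ", 1)[1].strip()
        elif "No authenticate method (Auth-Type) found" in line:
            t.no_auth_type = True
        elif line.startswith("[eap] No EAP-Message"):
            t.findings.append("eap: the request has no EAP-Message (radtest sends plain PAP), "
                              "so nothing in eap.conf can change the outcome of this request")
        elif line.startswith("[pap] WARNING!"):
            t.findings.append("pap: authorize left no known-good password, so pap cannot set "
                              "Auth-Type = PAP and the password is never compared")
    # files returns noop when no entry in the users file matched the User-Name.
    if t.rcodes.get("files") == "noop":
        t.findings.append("files: no users entry matched; check the users file under the raddb "
                          "path printed in 'Executing section ... from file'")
    return t

if __name__ == "__main__":
    for finding in triage(SAMPLE).findings:
        print(finding)
```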
 
Old 01-13-2011, 08:03 AM   #2
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
I had a hard time configuring that same server two years ago! I wrote a 68-page document about it for my degree; I can give it to you if you want, but it's all in French.

Quote:
Originally Posted by vsanandan View Post
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
The server doesn't find an authentication method for the root user.

In raddb/users, you should try something like:

Code:
root Auth-Type := EAP, Cleartext-Password := nmsworks
Let me know what you get!
 
Old 01-17-2011, 01:00 AM   #3
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks Truboy,

But the solution you suggested also doesn't work.
Sending Access-Request of id 220 to 127.0.0.1 port 1812
User-Name = "root"
User-Password = "nmsworks"
NAS-IP-Address = 192.168.9.26
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=20

At the server prompt, I get the following message:
rad_recv: Access-Request packet from host 127.0.0.1 port 32798, id=220, length=56
User-Name = "root"
User-Password = "nmsworks"
NAS-IP-Address = 192.168.9.26
NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default

------------------------------------------------------------------------------

Is there anything I should do on the password front, as the WARNING says there is no "known good" password for the user?
 
Old 01-17-2011, 08:49 AM   #4
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
Quote:
Originally Posted by vsanandan View Post
Is there anything I should do on the password front, as the WARNING says there is no "known good" password for the user?
It might be this, but as it's just a warning, I would rather think that the problem comes from:

Code:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
What is the default_eap_type in the eap section of raddb/eap.conf?
 
Old 01-18-2011, 02:39 AM   #5
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Hi,
It is set to md5, as shown below, within eap.conf:
default_eap_type = md5
 
Old 01-18-2011, 04:30 AM   #6
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
OK, I'm not sure, but try this:

- File raddb/eap.conf, add under section eap:

Code:
default_eap_type = ttls
- File raddb/eap.conf, add under section ttls:

Code:
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
- File raddb/users, change the user to:

Code:
root Cleartext-Password := nmsworks
If it is still not working, try:

- File raddb/eap.conf, add under section eap:

Code:
default_eap_type = peap
- File raddb/users, change the user to:

Code:
root Cleartext-Password := nmsworks
Let me know what you get!
 
Old 01-18-2011, 07:14 AM   #7
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Truboy,

It still doesn't work with either of the changes you mentioned.
On the client side it is reported with an Access-Reject packet:
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=42, length=20
&
The server-side error message is (the same for both changes, except for the ids and timestamps):

-----------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1 port 32799, id=42, length=56
User-Name = "root"
User-Password = "nmsworks"
NAS-IP-Address = 192.168.9.26
NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 42 to 127.0.0.1 port 32799
Waking up in 4.9 seconds.
Cleaning up request 0 ID 42 with timestamp +7
Ready to process requests.
----------------------------------------------------
 
Old 01-18-2011, 08:28 AM   #8
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
Oh, and I forgot to mention: you have to configure the user ID, Cleartext-Password and method (TTLS or PEAP) on the machine that tries to connect!
I can help you with that if the machine is running Mac OS X, but I don't know much about this for Linux/Windows. Anyway, it's somewhere in the network configuration.

Cheers
 
Old 01-18-2011, 10:17 PM   #9
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Truboy,

Please give me the instructions to configure the user name and password on the calling machine (note: here I'm using the same system to make the call 'radtest root nmsworks localhost 0 testing123' from a different terminal), irrespective of the OS. I hope I can get the equivalent instructions for my Linux OS.

Thank you very much for the support you're providing.
 
Old 01-19-2011, 02:36 AM   #10
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
Quote:
Originally Posted by vsanandan View Post
Please give me the instructions to configure the user name and password on the calling machine (note: here I'm using the same system to make the call 'radtest root nmsworks localhost 0 testing123' from a different terminal), irrespective of the OS. I hope I can get the equivalent instructions for my Linux OS.
Oh yeah, I forgot that radtest thing. There must be a way you can simulate TTLS and PEAP with radtest, but what I would do is use another machine to try to connect.

As I said, I know how to configure this in Mac OS X, but not in other OSes. Are you trying to connect with CentOS?
I took a look at how to do this in Ubuntu and figured it out (it should be nearly the same with other distros):

- Right click the network manager (the icon should be at the right top of your screen)
- Select Connections settings or anything meaning the same
- Find your wireless connection and click Modify or anything meaning the same
- In the Security tab, choose WPA/WPA2-Enterprise and configure the remaining depending on your FreeRADIUS configuration

If I'm wrong, Google it! Let me know!

Cheers.
 
Old 01-19-2011, 04:43 AM   #11
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Hi,
I found some information on setting up EAP at the site below:
http://www.freesoftwaremagazine.com/...uthentications

As per this site, I issued the command
>>( echo "User-Name = \"root\""; echo "Cleartext-Password = \"nmsworks\""; echo "EAP-Code = Response"; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"root\""; echo "Message-Authenticator = 0x00"; ) | radeapclient -x 127.0.0.1 auth testing123

The output at the client terminal is:
Sending Access-Request packet to host 127.0.0.1 port 1812, id=26, length=0
User-Name = "root"
Cleartext-Password = "nmsworks"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "root"
Message-Authenticator = 0x00
EAP-Message = 0x02d2000901726f6f74
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=26, length=80
EAP-Message = 0x01d3001604105c882d850f96396a791350d192698369
Message-Authenticator = 0xd2c319108a1f3dc600a8d69f49bf4cce
State = 0x2a5db9662a8ebdd12f55a7050a873063
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x105c882d850f96396a791350d192698369
Sending Access-Request packet to host 127.0.0.1 port 1812, id=27, length=55
User-Name = "root"
Cleartext-Password = "nmsworks"
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Type-MD5 = 0x10d3cbcd198e0d6406c6584ca74a191602
State = 0x2a5db9662a8ebdd12f55a7050a873063
EAP-Message = 0x02d300160410d3cbcd198e0d6406c6584ca74a191602
Received Access-Reject packet from host 127.0.0.1 port 1812, id=27, length=44
EAP-Message = 0x04d30004
Message-Authenticator = 0x5b57ebb4f5709e1339d5d0ae4dbe057f
EAP-Id = 211
EAP-Code = Failure

-----------------------------------------------------------

At the server terminal, I got the following:

rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=244, length=55
User-Name = "root"
Message-Authenticator = 0x4f8feac41d674e739f3c05c6204edf26
EAP-Message = 0x02d2000901726f6f74
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 210 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 244 to 127.0.0.1 port 32785
EAP-Message = 0x01d3001604107af6cc87d9f8173bfcc546ddb4dee4d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ec137667e1233d38b95d8e7dd966715
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=245, length=86
User-Name = "root"
Message-Authenticator = 0x74adad66ba105d89618e792c223072cd
State = 0x7ec137667e1233d38b95d8e7dd966715
EAP-Message = 0x02d3001604109af76b1473ece42e1ea6f2c587361cae
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 211 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 245 to 127.0.0.1 port 32785
EAP-Message = 0x04d30004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 9 ID 244 with timestamp +744
Waking up in 1.0 seconds.
Cleaning up request 10 ID 245 with timestamp +744
Ready to process requests.

---------------------------------------------------------------

Do I need to change the value of any of the parameters in the client command?
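An added Python example (not from this thread or from FreeRADIUS) of the three RADIUS primitives the two exchanges above exercise: PAP User-Password hiding, the Message-Authenticator that radclient fills in when given `Message-Authenticator = 0x00`, and the EAP-MD5 response the server recomputes from the challenge, which is why rlm_eap_md5 reports that it needs the cleartext password. It assumes the thread's shared secret testing123 and a constructed Request Authenticator.

```python
"""RADIUS integrity primitives exercised in this thread: PAP User-Password hiding
(RFC 2865 5.2), Message-Authenticator (RFC 2869 5.14) and the EAP-MD5 response
(RFC 3748 5.4). Added example for this thread, not FreeRADIUS code."""
import hashlib
import hmac
import struct

SECRET = b"testing123"   # the clients.conf secret used in the thread
ACCESS_REQUEST = 1       # RADIUS code; Access-Challenge = 11, Access-Reject = 3

def hide_pap_password(password, secret, req_auth):
    """Client side: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = req_auth, b""
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = block, out + block
    return out

def reveal_pap_password(hidden, secret, req_auth):
    """Server side: same keystream (chained on the ciphertext), then drop the NUL padding."""
    prev, out = req_auth, b""
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, value):
    """One RADIUS TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, user, password, secret, req_auth):
    """Access-Request with User-Name(1), User-Password(2) and Message-Authenticator(80).
    The HMAC-MD5 covers the whole packet with the attribute zeroed, which is what
    'Message-Authenticator = 0x00' asks radclient to do."""
    body = attr(1, user) + attr(2, hide_pap_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + req_auth
    mac = hmac.new(secret, header + body + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return header + body + attr(80, mac)

def verify_message_authenticator(packet, secret):
    """Server check: a wrong shared secret or any edit to the packet fails here."""
    pos, received = 20, None
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False            # malformed TLV; never loop on a zero length
        if t == 80 and length == 18:
            received = packet[pos + 2:pos + 18]
            packet = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
        pos += length
    if received is None:
        return False
    return hmac.compare_digest(hmac.new(secret, packet, hashlib.md5).digest(), received)

def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5: MD5(identifier || password || challenge). The server must hold the
    cleartext password to recompute it, hence the rlm_eap_md5 error in the trace."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()
```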
 
Old 01-19-2011, 04:56 AM   #12
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
Quote:
Originally Posted by vsanandan View Post
Do I need to change the value of any of the parameters in the client command?
Unfortunately I never used radeapclient, so I can't tell.

But what is annoying me is that the server still tries to authenticate the user using md5.

What do you have in raddb/eap.conf, section eap, for default_eap_type?
 
Old 01-19-2011, 05:19 AM   #13
vsanandan
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Hi,

All the lines containing md5 in raddb/eap.conf are commented out and default_eap_type is set to ttls. Same reply.

But my system has radclient. I used it and got the reply below:
>>echo "Message-Authenticator = 0x00" | radclient localhost status testing123
Received response ID 17, code 2, length = 20

Server side also:
rad_recv: Status-Server packet from host 127.0.0.1 port 32785, id=17, length=38
Message-Authenticator = 0x8e48ffdd95efd05d6a63c4658ee1673e
Sending Access-Accept of id 17 to 127.0.0.1 port 32785
Finished request 10.
Cleaning up request 10 ID 17 with timestamp +318
Going to the next request
Ready to process requests.

Thank you, Truboy. I believe I need to go on from here. I may have to look at other such commands on the client side to get proper responses.
 
Old 01-19-2011, 06:54 AM   #14
truboy
Member
 
Registered: Oct 2010
Location: Switzerland
Posts: 84

Rep: Reputation: 9
Great !
 
Old 02-22-2011, 05:52 AM   #15
Xalbi
LQ Newbie
 
Registered: Feb 2011
Posts: 1

Rep: Reputation: 0
Unhappy for Truboy

Quote:
Originally Posted by truboy
I had a hard time configuring that same server two years ago! I wrote a 68-page document about it for my degree; I can give it to you if you want, but it's all in French.

Hi, I think I'm having the same problem here. Can you please send me the document that you wrote?
This is my e-mail: ahmed.chelbi.alpha@gmail.com

And thanks
 
  

