freeradius eap-ttls mschapv2 problem - Networks - Consumer / SoHo networks
Marsh Posted on 12-04-2007 at 14:01:29
Hello,
I would like to set up a Wi-Fi architecture using freeradius. I want to use EAP-TTLS with mschapv2. I am getting error messages.
Here are my config files:
clients.conf:
Code:
client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other # localhost isn't usually a NAS...
}
client 192.168.1.1 {
    secret = secret
    shortname = APPROJET
    nastype = other
}
eap.conf:
Code:
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
        certificate_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    mschapv2 {
    }
}
users:
Code:
"test" Auth-Type := Local, User-Password == "test"
"nico" Auth-Type := EAP, User-Password == "nico"
radiusd.conf:
Code:
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAPv2
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        callerid = "yes"
        perm = 0600
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
}
instantiate {
    exec
    expr
}
authorize {
    preprocess
    mschap
    eap
    files
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    files
}
accounting {
    detail
    radutmp
}
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
    eap
}
Here is the debug mode output (radius -X -A):
Code:
rad_recv: Access-Request packet from host 192.168.1.1:32913, id=5, length=170
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205001d01616e6f6e796d65406d6f6e656e74726570726973652e6672
Message-Authenticator = 0x666aab110a7c501e49b549313b3b4e1b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 5 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 5 to 192.168.1.1 port 32913
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010600061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32914, id=6, length=261
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
EAP-Message = 0x020600661500160301005b010000570301461e17b0860f09a447f4bb2bed3404b9137974e95339a16802e31318eea237dc00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
Message-Authenticator = 0x4050c580de8aa3f3e9092010ba9a12de
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 6 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<<TLS>>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 6 to 192.168.1.1 port 32914
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x2945ef6be6863c51783f6271bc19948eb92bd875acdb905b5ec96cd0e98ab97ad018f88191174b80a0457d9a93f85dcbd0fbce44f12e3368dab89b92f135d5383fcee686ed91d740ab84ab0348917a5e6ab07f9a2ff5c3b0cd0d1b1887996e240fcd244643d2dfcf1a043f64d7a10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009240590b0cfdd796feba0d9ba1d8773de354420836048972c3e1c8226adc706eb27048a71aad969bfb6c4509694e42a12303f5e734ba807be2fd8408800f7e7bc25c2dc64f686bfd3e2777e030025b19f959496d4521ada6eaf8d8fdbf4d
EAP-Message = 0x1b98ddaa456f8bd0bff203a143704b41a8ad66665f16478408211905eca00f87e11c00039430820390308202f9a003020102020900b8b0a09b1aae01d3300d06092a864886f70d010105050030818d310b3009060355040613024652310c300a06035504081303494446310e300c060355040713054365726779310d300b060355040a13044954494e31143012060355040b130b70726f6a6574207769666931193017060355040313104954494e20576972656c6573732043413120301e06092a864886f70d01090116116b61626f756e733231406d736e2e636f6d301e170d3037303430333134303531365a170d3038303430323134303531365a30
EAP-Message = 0x818d310b3009060355040613024652310c300a060355
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32915, id=7, length=165
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
EAP-Message = 0x020700061500
Message-Authenticator = 0x85e033e552410493c017878f97832c58
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 7 to 192.168.1.1 port 32915
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x3231406d736e2e636f6d820900b8b0a09b1aae01d3300c0603551d13040530030101ff300d06092a864886f70d01010505000381810072149ae8736f0f19aee0a152f9f088cf7f871465187fcfaea8ee80273d7e9286ed67986e4bf3fbeb9decf113cb1975041c3dd7627df2bd8e2e73a65158b5e7f62b1cac2879fe8033992728677080f38fb621502974c9a599f813a1fb0d4c556bfbef3ccbbdbaeeef2d9e194b38cc4fdb8462ef5ce216a25c24e720e1fb78ba6016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc22c197ed0c4de73d2ca61134e8e5449
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32916, id=8, length=363
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xc22c197ed0c4de73d2ca61134e8e5449
EAP-Message = 0x020800cc1500160301008610000082008096e2e3a993f2b919ca3eb62f694e7e752cca96d34f34551fc442698c927a7efb696712859c72e1dea2817f003d7b98d26c03a7974c3f92e1ef9a8032f805ad19bc267280d4d03b39425463458c334912779ecc1d1c8ad4bc5c06566a72e7b8b09c6ce0ec2e97564067db60c2613e9b75ea353964cfdf98677d988e51b418f1ad140301000101160301003074348e8f0c082ef691585e0c32a19aad61f649b7a589c4415087f93e4e7437e8004e9bf854b70b8b4c653d0175935e5f
Message-Authenticator = 0x74ba8ce2fa087d8d15b97e1f8486373f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 8 length 204
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<<TLS>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 8 to 192.168.1.1 port 32916
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0109004515800000003b1403010001011603010030743c5d3fe343697a29b0bbdcca319d01e493693d331d696ffad03dbb9c45699890a3bc83d7b62f6debe20ebcd037c093
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90fbaf8d42552395fc4d98c8f730a2b2
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32917, id=9, length=335
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x90fbaf8d42552395fc4d98c8f730a2b2
EAP-Message = 0x020900b0150017030100208a8684fc9f210a1fa5b1c3ec51048469d6fe3a0a33239eb95e528db991379a781703010080130d3503d09e40709aa6f4865bb98ad8ced00d86919d22924280584cc3f4841fb678152fb366adb4538ace53a963d4b19e6dfc12086b98741f8f4989ed4975d738d967a224f190c5bfd827d9fa4ee8d7c4718f44af706ca23ab66e67f879f18c8fbe9828be897f2356cdf0482b8dd90152cf1611ec386d7d0858f21b07374278
Message-Authenticator = 0x9405349379b1bd2e9a4e5f699ac4ac7e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 9 length 176
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry nico at line 90
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module "eap" returns fail for request 4
modcall: leaving group authenticate (returns fail) for request 4
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
Thank you very much for your help
Kab
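The EAP-Message attributes in that debug output can be decoded to follow the EAP-TTLS exchange packet by packet; the Python below is an added example, not the poster's code or FreeRADIUS's, and SAMPLE_LOG is trimmed from the debug output quoted above. It shows what the outer packets reveal: the anonymous outer identity, the TTLS Start flag, the TLS 1.0 ClientHello, the length-included (L) flag on the challenge that follows the handshake, and, once the tunnel is up, ApplicationData records that carry the inner MS-CHAPv2 exchange and cannot be read from the outer packets.

```python
# Added example (not the poster's code, not FreeRADIUS's): decode the EAP-Message hex that "radiusd -X" prints.
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
              14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

@dataclass
class TlsRecord:
    content_type: str
    version: str                          # "3.1" is TLS 1.0, as rlm_eap_tls prints it
    length: int
    handshake_type: Optional[str] = None  # only set for Handshake records

@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    identity: Optional[str] = None        # EAP-Identity payload
    length_included: bool = False         # EAP-TTLS flag L (0x80)
    more_fragments: bool = False          # EAP-TTLS flag M (0x40)
    start: bool = False                   # EAP-TTLS flag S (0x20)
    tls_total_length: Optional[int] = None
    records: List[TlsRecord] = field(default_factory=list)

def parse_tls_records(data: bytes) -> List[TlsRecord]:
    """Walk the TLS records inside one EAP-TTLS fragment. Handshake records after a ChangeCipherSpec
    are encrypted, so their type byte is not read; a record cut short by fragmentation ends the walk."""
    records, pos, encrypted = [], 0, False
    while pos + 5 <= len(data):
        ctype, version = data[pos], f"{data[pos + 1]}.{data[pos + 2]}"
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + rlen]
        rec = TlsRecord(RECORD_TYPES.get(ctype, f"type {ctype}"), version, rlen)
        if ctype == 22 and body:
            rec.handshake_type = "encrypted" if encrypted else HANDSHAKES.get(body[0], f"type {body[0]}")
        encrypted = encrypted or ctype == 20
        records.append(rec)
        if len(body) < rlen:
            break
        pos += 5 + rlen
    return records

def parse_eap_message(hexstr: str) -> EapPacket:
    """Decode one complete EAP packet from the hex string printed by radiusd."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError(f"EAP length field does not match the {len(data)} bytes given")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    pkt = EapPacket(EAP_CODES.get(code, f"code {code}"), ident, length)
    if code in (3, 4) or len(data) == 4:
        return pkt                        # Success/Failure carry no type byte
    type_byte, payload = data[4], data[5:]
    pkt.eap_type = EAP_TYPES.get(type_byte, f"type {type_byte}")
    if type_byte == 1:
        pkt.identity = payload.decode("ascii", errors="replace")
    elif type_byte in (13, 21, 25) and payload:
        flags, tls = payload[0], payload[1:]
        pkt.length_included, pkt.more_fragments, pkt.start = (bool(flags & m) for m in (0x80, 0x40, 0x20))
        if pkt.length_included:           # a 4-byte total TLS length precedes the data
            pkt.tls_total_length, tls = int.from_bytes(tls[:4], "big"), tls[4:]
        pkt.records = parse_tls_records(tls)
    return pkt

def extract_eap_messages(log: str) -> List[str]:
    """RADIUS splits EAP into 253-byte EAP-Message attributes; consecutive ones form one packet."""
    packets, current = [], ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("EAP-Message = 0x"):
            current += line[len("EAP-Message = 0x"):]
        elif current:
            packets.append(current)
            current = ""
    if current:
        packets.append(current)
    return packets

# Trimmed from the debug output in the post: only packets whose EAP-Message attributes were printed in full.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1:32913, id=5, length=170
    EAP-Message = 0x0205001d01616e6f6e796d65406d6f6e656e74726570726973652e6672
Sending Access-Challenge of id 5 to 192.168.1.1 port 32913
    EAP-Message = 0x010600061520
rad_recv: Access-Request packet from host 192.168.1.1:32914, id=6, length=261
    EAP-Message = 0x020600661500160301005b010000570301461e17b0860f09a447f4bb2bed3404b9137974e95339a16802e31318eea237dc00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
Sending Access-Challenge of id 8 to 192.168.1.1 port 32916
    EAP-Message = 0x0109004515800000003b1403010001011603010030743c5d3fe343697a29b0bbdcca319d01e493693d331d696ffad03dbb9c45699890a3bc83d7b62f6debe20ebcd037c093
rad_recv: Access-Request packet from host 192.168.1.1:32917, id=9, length=335
    EAP-Message = 0x020900b0150017030100208a8684fc9f210a1fa5b1c3ec51048469d6fe3a0a33239eb95e528db991379a781703010080130d3503d09e40709aa6f4865bb98ad8ced00d86919d22924280584cc3f4841fb678152fb366adb4538ace53a963d4b19e6dfc12086b98741f8f4989ed4975d738d967a224f190c5bfd827d9fa4ee8d7c4718f44af706ca23ab66e67f879f18c8fbe9828be897f2356cdf0482b8dd90152cf1611ec386d7d0858f21b07374278
"""

if __name__ == "__main__":
    for hexmsg in extract_eap_messages(SAMPLE_LOG):
        print(parse_eap_message(hexmsg))
```

That inner request is only visible in the server's own output, the second "Processing the authorize section" block for request 4 above, where rlm_eap reports no EAP-Message while the users entry matched for nico still forces Auth-Type EAP.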