Radius does not work... certificate issues?


#1

Hello,
I installed the RADIUS server component on UCS. I have a DD-WRT access point that I am trying to configure to use it.
It simply will not connect. When I go to the command line and run FreeRADIUS in debug mode (freeradius -X), I get the following:

[code]rad_recv: Access-Request packet from host 192.168.1.7 port 32768, id=1, length=139
User-Name = "user1"
NAS-IP-Address = 192.168.1.7
Called-Station-Id = "c0c1c0474946"
Calling-Station-Id = "206e9c0ff2c5"
NAS-Identifier = "c0c1c0474946"
NAS-Port = 56
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020000120162737472696e6766656c6c6f77
Message-Authenticator = 0xb532875636a3da4bc652717dee2a4275

Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No '@' in User-Name = "user1", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for user1
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=user1)
[ldap] expand: dc=ldap,dc=company,dc=com -> dc=ldap,dc=company,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to dc.ldap.company.com:7389, authentication 0
[ldap] starting TLS
[ldap] bind as cn=dc,cn=dc,cn=computers,dc=ldap,dc=company,dc=com/wRSdNHNOfbqEteEZDqJ7 to dc.ldap.company.com:7389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=ldap,dc=company,dc=com, with filter (uid=user1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNTPassword -> NT-Password == 0x4533384245373333354337463634464139324643463144454643333844464344
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.7 port 32768
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x40cb472f40ca5e44a1f9ec6e89b43f0d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +27
WARNING: !!!
WARNING: !! EAP session for state 0x40cb472f40ca5e44 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!
Ready to process requests.
^C
root@dc:~#[/code]

Thanks in advance


#2

Hey,

please check the settings on the client side and compare them to the article in Univention’s wiki. You have to use WPA with PEAP and MSCHAPv2, otherwise the plain text password won’t be available to the FreeRadius server for authentication. It’s also called “WPA Enterprise” or “802.1x EAP” sometimes, and it’s definitely not WPA2.