Michelle Sullivan wrote:
Carlito Nueno wrote:
I am not trying to do wpa enterprise. I am trying to do wpa-psk using
radius with user authentication and also assign vlans.
I haven't set up a realm because I am not trying to group users.
Here is what I am trying to do:
For testing I removed Tunnel-Type = "VLAN".
Based on what I understand, this type of authentication is MAC address
+ password based.
But when I try to connect to the network, FreeRADIUS logs show:
(1) User-Name = "a1438ecbea33"
(1) User-Password = "a1438ecbea33"
Both username and password are automatically sent to the radius server
and are the same. So I am getting this error:
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
But I want to enter the password set in the users file to authenticate
the device/user.
Oh gotcha, sorry, was way too early for me to even contemplate answering
technical mails :P
The MAC, is it from the AP or the connecting device? If from the AP
it will because you need to authenticate these to radius separately.
If the device it won't be used instead of a username because usernames
are Enterprise.. that said, your authentication realm is NULL - which
is invalid in your config so is likely to be part of the issue.
So just to follow up, in FreeRADIUS you should have all your APs
authenticated to the Radius Server to get anything from it.. You should
have lines like this:
client MR24-00-18-0A-26-9A-4A {
    ipaddr = 172.17.2.104
    secret = somesecretpassword
    shortname = LEDE-MR24-2-104
    nastype = other
}
If you don't have this you'll get prompted for a password whenever you
try any config... and you'll get (for example when I connect my lappy to
an AP without the right config and shared secret) "Invalid Password" and
it prompts you again and again etc - and you never know why it's doing
it... until you hit the debug logs on the radius server.
When you have this correct, hostap (assuming you're using the full
version) will be able to do vlaning etc... Now I'm going to go quiet
because I haven't done dynamic PSKs as I just switched to Enterprise
mode and bypassed the need completely.
The point of my reply and post though is if you're not authenticating
the AP (ie hostap) to the radius server in the clients.conf (default)
file then nothing will work and you'll just see MACs getting denied all
the time and it's really infuriating..
Next thing you should probably check is the realm because your radius is
expecting an @ at the end of the username with the realm, and not having
it it's defaulting to NULL - which doesn't exist... check your authorize
{} section in your RADIUS config to ensure it's going to work by
defaulting back to the users file and that is your intended mode of
operation.
If you're all good RADIUS wise then you can look at the hostap config -
but from experience the majority of problems I have had and have seen are
not hostap issues, they're all RADIUS issues where RADIUS is involved.
Best of luck,
Regards,
Michelle
--
Michelle Sullivan
http://www.mhix.org/
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
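
The clients.conf check recommended in the message above can be scripted. This is an added example, not code from the thread or from the FreeRADIUS or hostap projects: it parses flat `client { }` blocks and reports which block, if any, covers an AP's source address. The second client block, the CIDR form of `ipaddr`, the longest-prefix choice and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the client block quoted in the message, plus a
# hypothetical subnet-wide entry (assumption) to exercise CIDR matching.
SAMPLE_CLIENTS_CONF = """
client MR24-00-18-0A-26-9A-4A {
    ipaddr = 172.17.2.104
    secret = somesecretpassword
    shortname = LEDE-MR24-2-104
    nastype = other
}
client lab-aps {
    ipaddr = 10.20.0.0/24   # hypothetical subnet entry
    secret = anothersecret
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*=\s*([^\s#]+)", re.M)

def parse_clients(text):
    """Return {client_name: {key: value}} for each flat client block."""
    return {name: dict(ITEM_RE.findall(body))
            for name, body in CLIENT_RE.findall(text)}

def find_client(text, nas_ip):
    """Name of the most specific client block covering nas_ip, or None."""
    addr = ipaddress.ip_address(nas_ip)
    best = None
    for name, items in parse_clients(text).items():
        if "ipaddr" not in items:
            continue
        net = ipaddress.ip_network(items["ipaddr"], strict=False)
        # Assumption of this example: prefer the longest matching prefix.
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None

def missing_secret(text):
    """Names of client blocks that define no shared secret."""
    return [n for n, i in parse_clients(text).items() if not i.get("secret")]

if __name__ == "__main__":
    for ip in ("172.17.2.104", "10.20.0.7", "192.168.1.1"):
        print(ip, "->", find_client(SAMPLE_CLIENTS_CONF, ip) or "no client block")
    print("blocks without a secret:", missing_secret(SAMPLE_CLIENTS_CONF))
```

Run it against the real clients.conf text with the address the AP uses to reach the RADIUS server; a result of `None` means the AP has no client entry.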