In my clients.conf I have:

client apnetwork {
    ipaddr = 10.155.2.0/24
    secret = testing123
}

I am not getting the "share secret is incorrect" message in the FreeRADIUS logs, so I am assuming the AP is being authenticated.
I can't add @ at the end of the username because the user-name is automatically set (not by the user). I enabled the NULL realm, which fixes the "No such realm NULL".

For the hostap config, I just added macaddr_acl, wpa_psk_radius and radius server info.

Thanks :)

On Thu, Nov 15, 2018 at 8:24 PM Michelle Sullivan <michelle@xxxxxxxxx> wrote:
>
> Michelle Sullivan wrote:
> > Carlito Nueno wrote:
> >> I am not trying to do wpa enterprise. I am trying to do wpa-psk using
> >> radius with user authentication and also assign vlans.
> >> I haven't set up realm because I am not trying to group users.
> >>
> >> Here is what I am trying to do:
> >>
> >> For testing I removed Tunnel-Type = "VLAN".
> >> Based on what I understand, this type of authentication is mac address
> >> + password based.
> >> But when I try to connect to the network, freeRadius logs show:
> >>
> >> (1) User-Name = "a1438ecbea33"
> >> (1) User-Password = "a1438ecbea33"
> >>
> >> Both username and password are automatically sent to the radius server
> >> and are the same. So I am getting this error:
> >> (1) pap: Comparing with "known good" Cleartext-Password
> >> (1) pap: ERROR: Cleartext password does not match "known good" password
> >> (1) pap: Passwords don't match
> >>
> >> But I want to enter the password set in the users file to authenticate
> >> the device/user.
> >
> > Oh gotchya sorry was way too early for me to even contemplate answering
> > technical mails :P
> >
> > The Mac, is it from the AP or the connecting device? If from the AP
> > it will because you need to authenticate these to radius separately.
> > If the device it won't be used instead of a username because usernames
> > are Enterprise.. that said, your authentication realm is NULL - which
> > is invalid in your config so is likely to be part of the issue.
> So just to followup, in FreeRADIUS you should have all your APs
> authenticated to the Radius Server to get anything from it.. You should
> have lines like this:
>
>
> client MR24-00-18-0A-26-9A-4A {
>     ipaddr = 172.17.2.104
>     secret = somesecretpassword
>     shortname = LEDE-MR24-2-104
>     nastype = other
> }
>
> If you don't have this you'll get prompted for a password whenever you
> try any config... and you'll get (for example when I connect my lappy to
> an AP without the right config and shared secret) "Invalid Password" and
> it prompts you again and again etc - and you never know why it's doing
> it... until you hit the debug logs on the radius server.
>
> When you have this correct, hostap (assuming you're using the full
> version) will be able to do vlaning etc... Now I'm going to go quiet
> because I haven't done dynamic PSKs as I just switched to Enterprise
> mode and bypassed the need completely.
>
> The point of my reply and post though is if you're not authenticating
> the AP (ie hostap) to the radius server in the clients.conf (default)
> file then nothing will work and you'll just see macs getting denied all
> the time and it's really infuriating..
>
> Next thing you should probably check is the realm because your radius is
> expecting an @ at the end of the username with the realm, and not having
> it it's defaulting to NULL - which doesn't exist... check your authorize
> {} section in your RADIUS config to ensure it's going to work by
> defaulting back to the users file and that is your intended mode of
> operation.
>
> If you're all good RADIUS wise then you can look at the hostap config -
> but from experience majority of problems I have had and have seen are
> not hostap issues they're all RADIUS issues where RADIUS is involved.
>
> Best of luck,
>
> Regards,
>
> Michelle
>
> --
> Michelle Sullivan
> http://www.mhix.org/
>
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
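
Added example, not part of the original thread or of FreeRADIUS/hostapd: a Python check of the point made above, that the AP's source address has to be covered by a client block in clients.conf. The two client blocks quoted in the thread are used as constructed input; the probe addresses, the function names, the simplified parser, the most-specific-match rule and the flag on the stock FreeRADIUS sample secret testing123 are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the two client blocks quoted in the thread.
CLIENTS_CONF = """
client apnetwork {
    ipaddr = 10.155.2.0/24
    secret = testing123
}
client MR24-00-18-0A-26-9A-4A {
    ipaddr = 172.17.2.104
    secret = somesecretpassword
    shortname = LEDE-MR24-2-104
    nastype = other
}
"""

# Simplified parser (assumption): flat "key = value" items, no quoted '#'.
BLOCK_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return one dict per 'client NAME { ... }' block that has an ipaddr."""
    text = re.sub(r"#.*", "", text)  # drop comments
    clients = []
    for name, body in BLOCK_RE.findall(text):
        items = dict(ITEM_RE.findall(body))
        if "ipaddr" in items:
            net = ipaddress.ip_network(items["ipaddr"], strict=False)
            clients.append({"name": name, "net": net, "secret": items.get("secret")})
    return clients


def match_client(clients, source_ip):
    """Pick the most specific client block covering source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    hits = [c for c in clients if addr in c["net"]]
    return max(hits, key=lambda c: c["net"].prefixlen, default=None)


def audit(source_ip, text=CLIENTS_CONF):
    """Return (client name or None, True if the secret is the stock sample one)."""
    c = match_client(parse_clients(text), source_ip)
    return (None, False) if c is None else (c["name"], c["secret"] == "testing123")


if __name__ == "__main__":
    for ip in ("10.155.2.17", "172.17.2.104", "192.0.2.10"):  # constructed addresses
        print(ip, audit(ip))
```

A result of (None, False) means requests from that address would come from an unknown client, which is the situation described above where nothing works until the AP is added to clients.conf.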