I'm trying to do WDS WPA2-EAP TLS authentication between 2 RB600s.
Simple WDS AP+station without EAP is working.
I've already searched the forum for related topics, but they didn't help me.
So what do I have:
2x RB600
CentOS 5.5 => freeradius2-2.1.7-7.el5 + mysql Ver 14.12 Distrib 5.0.77, + daloRADIUS 0.9.8 (SVN 0.9.9)
This setup works perfectly with Ubiquiti Nanobridge M5 EAP-TTLS.
What I've done on the RBs:
Wireless interface: WDS static, AP bridge + station on other RB. SSID, FQ, Band = same
Time and date adjusted for proper cert authentication.
Most things I'm doing through the Winbox GUI.
AP bridge security profile and rad. server:
[admin@RB600_test1] > /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 wireless 192.168.0.29 secret
So how should I configure the WDS station? Here's what I have on it:
Here's the debug of radius:
It says that it can't identify the username. What should I write in the DB as the username? As I knew, EAP-TLS uses certificate authentication without usernames and passwords, like EAP-TTLS does.
Also I've attached the full freeradius debug with the initial radius boot log, loaded modules and rad configurations.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
Service-Type = Framed-User
Framed-MTU = 1400
Acct-Session-Id = "82100859"
Acct-Multi-Session-Id = "00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-59"
Calling-Station-Id = "00-0C-42-23-48-0A"
Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
EAP-Message = 0x0200000501
Message-Authenticator = 0x99441f609c780c7b28d234de47b36283
NAS-Identifier = "RB600_test1"
NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] expand: %{User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Sending delayed reject for request 0
Sending Access-Reject of id 93 to 192.168.0.22 port 41953
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +35
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
Service-Type = Framed-User
Framed-MTU = 1400
Acct-Session-Id = "8210085a"
Acct-Multi-Session-Id = "00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-5A"
Calling-Station-Id = "00-0C-42-23-48-0A"
Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
EAP-Message = 0x0200000501
Message-Authenticator = 0xed7b325c353b295032cd7532f1b225cb
NAS-Identifier = "RB600_test1"
NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] expand: %{User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
Waiting to send Access-Reject to client RB600_test1 port 54462 - ID: 94
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
Sending duplicate reply to client RB600_test1 port 54462 - ID: 94
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
Cleaning up request 1 ID 94 with timestamp +73
Ready to process requests.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
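Added example, not from the post or from freeradius: a small Python parser that reads freeradius debug output in the shape quoted above, decodes the EAP-Message attribute per RFC 3748, and reports why a request never reaches the TLS exchange. Request id 93 reuses the values from the log (0x0200000501 decodes to an EAP Response/Identity with an empty identity, which is why the server logs "Identity Unknown"); request id 95 and its identity "rb2" are constructed for contrast.

```python
import re

# Constructed sample shaped like the freeradius -X output above: id 93 copies the quoted values, id 95 is made up.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
EAP-Message = 0x0200000501
NAS-Identifier = "RB600_test1"
+- entering group authorize {...}
rad_recv: Access-Request packet from host 192.168.0.22 port 41954, id=95, length=210
User-Name = "rb2"
EAP-Message = 0x0200000801726232
NAS-Identifier = "RB600_test1"
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def decode_eap_message(hex_value):
    """Decode one RADIUS EAP-Message attribute: RFC 3748 code/id/length, then type/data."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data) or length < 4:
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(data)))
    eap_type = data[4] if length > 4 else None
    identity = data[5:].decode("utf-8", "replace") if eap_type == 1 else None
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "type": EAP_TYPES.get(eap_type, eap_type), "identity": identity}

def parse_requests(log_text):
    """Group the 'attr = value' lines of freeradius debug output under each rad_recv."""
    requests, current = [], None
    for line in log_text.splitlines():
        m = re.match(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)", line)
        if m:
            current = {"host": m.group(1), "id": int(m.group(2)), "attrs": {}}
            requests.append(current)
        elif current is not None and (m := re.match(r"\s*([\w-]+) = (.*)$", line)):
            current["attrs"][m.group(1)] = m.group(2).strip().strip('"')
    return requests

def diagnose(request):
    """Return (decoded EAP, reasons this request cannot proceed to the TLS exchange)."""
    attrs = request["attrs"]
    eap = decode_eap_message(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
    problems = []
    if "User-Name" not in attrs:
        problems.append("no User-Name attribute")      # what the reject message says
    if eap and eap["type"] == "Identity" and eap["identity"] == "":
        problems.append("empty EAP-Response/Identity")  # 0x0200000501 carries no name
    return eap, problems
```

Running `diagnose` over the two parsed requests flags id 93 on both counts and passes id 95, which matches the point in the log: the server is rejecting before any certificate is examined because the station sent no identity at all.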