Page 3 of 4 FirstFirst 1234 LastLast
Results 31 to 45 of 51

Thread: Chance for RADIUS Server on the router itself!

  1. #31
    OK. Well, I figured it out mostly. My latest issue was that it would not notice or log authentication attempts at all (it wasn't getting them). I assume I did some SSL certificate stuff incorrectly. What a total pain. I didn't know XP SP2 supported no automatic authentication without a certificate. Ridiculous. I'm happier with a secure password...

    Or an easier way like tinypeap and a simple XP client :-D

  2. #32
    Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.

    [admin@AsusRouter root]$ radiusd -y -z -X -A
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /opt/etc/raddb/proxy.conf
    Config: including file: /opt/etc/raddb/clients.conf
    Config: including file: /opt/etc/raddb/snmp.conf
    Config: including file: /opt/etc/raddb/eap.conf
    Config: including file: /opt/etc/raddb/sql.conf
    main: prefix = "/opt"
    main: localstatedir = "/opt/var"
    main: logdir = "/var/spool/radius/log"
    main: libdir = "/opt/lib"
    main: radacctdir = "/var/spool/radius/radacct"
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = "/var/spool/radius/log/radius.log"
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = "/var/run/"
    main: user = "(null)"
    main: group = "(null)"
    main: usercollide = no
    main: lower_user = "no"
    main: lower_pass = "no"
    main: nospace_user = "no"
    main: nospace_pass = "no"
    main: checkrad = "/opt/sbin/checkrad"
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /opt/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = "(null)"
    exec: input_pairs = "request"
    exec: output_pairs = "(null)"
    exec: packet_type = "(null)"
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = "crypt"
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = yes
    mschap: require_strong = yes
    mschap: with_ntdomain_hack = no
    mschap: passwd = "(null)"
    mschap: authtype = "MS-CHAP"
    mschap: ntlm_auth = "(null)"
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = "(null)"
    unix: shadow = "(null)"
    unix: group = "(null)"
    unix: radwtmp = "/var/spool/radius/log/radwtmp"
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = "peap"
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = "Password: "
    gtc: auth_type = "PAP"
    rlm_eap: Loaded and initialized type gtc
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = "(null)"
    tls: pem_file_type = yes
    tls: private_key_file = "/opt/etc/raddb/certs/cert-srv.pem"
    tls: certificate_file = "/opt/etc/raddb/certs/cert-srv.pem"
    tls: CA_file = "/opt/etc/raddb/certs/demoCA/cacert.pem"
    tls: private_key_password = "whatever"
    tls: dh_file = "/opt/etc/raddb/certs/dh"
    tls: random_file = "/dev/urandom"
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = "(null)"
    rlm_eap: Loaded and initialized type tls
    peap: default_eap_type = "mschapv2"
    peap: copy_request_to_tunnel = no
    peap: use_tunneled_reply = no
    peap: proxy_tunneled_request_as_eap = yes
    rlm_eap: Loaded and initialized type peap
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = "/opt/etc/raddb/huntgroups"
    preprocess: hints = "/opt/etc/raddb/hints"
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = "suffix"
    realm: delimiter = "@"
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = "/opt/etc/raddb/users"
    files: acctusersfile = "/opt/etc/raddb/acct_users"
    files: preproxy_usersfile = "/opt/etc/raddb/preproxy_users"
    files: compat = "no"
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    detail: detailfile = "/var/spool/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    detail: detailperm = 384
    detail: dirperm = 493
    detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    radutmp: filename = "/var/spool/radius/log/radutmp"
    radutmp: username = "%{User-Name}"
    radutmp: case_sensitive = yes
    radutmp: check_with_nas = yes
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Listening on proxy *:1814
    Ready to process requests.

  3. #33
    OK. Um. I worked that out, but I don't think anybody cares how (and it wasn't something simple that would make somebody go "duh" either, unfortunately).

    I'm now trying to get authentication using etc_smbpasswd working. When I have the Windows XP computers automatically send their user names and passwords with NTLM encryption, they send their "domains" too ("THOMAS\Tommy", "CYNTHIA\Cindy"). With with_ntdomain_hack on (or with hints), etc_smbpasswd locates the user correctly and finds everything to be in order. With it off, it doesn't. Having the DEFAULT realm redirect everything to local and having realm ntdomain on in radiusd.conf, it successfully seems to strip the domain, but etc_smbpasswd apparently does not received the stripped version because it can't find it.

    Of course, using THOMAS\Tommy in smbpasswd, it works. This is undesirable.

    Oh boy. It shouldn't have been so difficult. Anyway, my final solution was to format smbpasswd more simply (User:NTLM Password) and update etc_smbpasswd to reflect that (I had done that MUCH earlier because etc_smbpasswd was having no luck at all without doing that). For my latest big issue, I decided to make a second etc_smbpasswd: etc_smbpasswd_with_domain. So it looks like this:

    passwd etc_smbpasswd {
    filename = /opt/etc/smbpasswd
    format = "*User-Name:NT-Password"
    authtype = MS-CHAP
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no

    passwd etc_smbpasswd_with_domain {
    filename = /opt/etc/smbpasswd
    format = "*Stripped-User-Name:NT-Password"
    authtype = MS-CHAP
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no

    My "smbpasswd" (far from it now) looks like this:

    # Sample smbpasswd file.
    # To use this, set 'encrypt passwords = yes' in the [global]-section
    # of /etc/smb.conf

    I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.
    Last edited by tomilius; 01-04-2005 at 07:34.

  4. #34
    Join Date
    Dec 2003
    Russian Federation
    Quote Originally Posted by Oleg
    I've sent him an email. Let's wait for the reply.
    I've sent two emails to And I've got no reply so far. He is probably not interested in this, so he is decided to ignore my mails.
    For me it looks like I should not spend my time anymore trying to get an answer... If anyone needs this - try contacting this guy...

  5. #35
    I've tried contacting him once before. No reply. I thought maybe your famousness would knudge him, Oleg. Maybe he's just a silent type who has already begun working on a WL-500g version... but I doubt it.

    NOTE: Freeradius has been proven to work functionally--for me . There have been some troubles getting it to work in anything other than the "debug" single process mode, but it may just be my newbieness. Point is, we've got a fully-working RADIUS server for the WL-500g with client certificates and happiness or PEAP with MSCHAPv2 for those who want to use Windows XP with it... and junk. Yay.
    Last edited by tomilius; 05-04-2005 at 01:09.

  6. #36
    Quote Originally Posted by tomilius
    I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.
    Any luck on that?

    I have been working on it FreeRADIUS too, but not with much luck.
    First, I installed the freeradius ipk and started working on things.

    I now came to the point where my WinXP notebook switching forth and back between: "Verifying identity" and "Obtaining network address"

    Both, the screen output of "radiusd -X" and the WinXP behaviour tell me that authentication succeeds:

      modcall[authenticate]: module "eap" returns ok for request 30
    modcall: group authenticate returns ok for request 30
      PEAP: Tunneled authentication was successful.
      rlm_eap_peap: SUCCESS
      modcall[authenticate]: module "eap" returns handled for request 30
    modcall: group authenticate returns handled for request 30
    However, for some reason WinXP tries to authenticate again after a couple of seconds of trying to DHCP into my network.

    Edit: well, chaning my WinXP to use TKIP instead of AES did the trick. It now sais "Connected" and it's actually working

  7. #37
    How very unusual... TKIP works but not AES? That sounds odd.

    I would help you but sounds like you solved the problem--plus I don't deal with wireless much more except for with my Pocket PC which can only use TKIP anyway. I had plenty of problems with freeradius and Windows XP SP2 until I started using Odyssey Client (a trial), but then later I tried it with Windows XP SP2's built-in stuff again and it worked. Hmmmm. "Dodgy."

  8. #38

    problem: freeradius not working as daemon (wl500gx)

    Quote Originally Posted by tomilius
    Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.
    WL500gx, 128M usb storage, 64m loop mounted ext, freeradius_1.0.2-2_mipsel.ipk
    Everything working/authenting fine when in foreground or debugging, PEAP working, NTradPing working, but in daemon mode no listens:

    [admin@(none) /]$ /opt/etc/init.d/S55freeradius

    134 admin 528 S -sh
    176 admin 3000 S /opt/sbin/radiusd
    177 admin 3000 S /opt/sbin/radiusd
    178 admin 3000 S /opt/sbin/radiusd
    184 admin 384 R ps

    cat /var/spool/radius/log/radius.log
    Thu Jun 16 13:29:43 2005 : Info: Using deprecated naslist file. Support for thi
    s will go away soon.
    Thu Jun 16 13:29:43 2005 : Info: rlm_exec: Wait=yes but no output defined. Did y
    ou mean output=none?

    .. ends here, no secess line

    Can somebody help?

  9. #39
    I never did get that working. I just run it in debug mode with & at the end... I use a lot of switches actually.

    /opt/sbin/radiusd -y -z -X -A > /opt/radiusd.log &
    But you can take out the "> /opt/radiusd.log " if you want.

  10. #40
    log is exactly same as your's previously posted in this thread.

  11. #41
    I updated my S55freeradius to make the last line look like this:
    /opt/sbin/radiusd -s &

  12. #42
    TNX, phedny

  13. #43

    radius 802.1x problem AIR led freeze

    I configured a freeradius server (on an USB memory stick and also externally on a server);
    Then I chosen radius 802.1x as authentication method by passing the IP of the radius server,
    port and secret; after rebooting wl-500g box the led AIR doesn't blinking (it is always on) and wireless does not respond. Then even the IP is not dynamically allocated and of course no radius
    authentication ...

    I'm trying to use radius auth with wl-500g. Was somebody able to do that ?

    Thanks a lot for any suggestion

  14. #44
    Yes, they were... Some searching would have done you some good, I'd think.

    I haven't messed with my router in days now. And I feel at least a little happier overall . I'll give you some clues as to what to search for in relation to freeradius:

    Searching for some of those in relation to freeradius should help you find out what needs to be done... or maybe somebody can explain it (again) if not.

  15. #45


    tomilius thanks a lot for your help

    in fact, the AIR led is working now after I added WEP-encryption.
    But I still have problems to set up PEAP under windows XP. I guess it is a certificate problem. This is not obvious for me. But I will try to find out a documentation ...

    I have 2 questions:

    1) isn't there a simple way (no WEP, no certificates ) to setup a simple radius authentication based on username/password?

    2) is there any disconnection mechanism (an authenticated user is forced to get out after a time interval)? If yes, where can I find the radius attributes supported by wl500g?

Page 3 of 4 FirstFirst 1234 LastLast

Similar Threads

  1. SANE (Scanner server) - Any chance for WL-500g?
    By Dante_ in forum WL-500g Custom Development
    Replies: 107
    Last Post: 31-08-2012, 10:41
  2. Replies: 21
    Last Post: 01-12-2006, 13:45
  3. Alternative router/print server
    By darrellr in forum WL-500g Q&A
    Replies: 1
    Last Post: 13-11-2004, 12:04
  4. Replies: 11
    Last Post: 17-08-2004, 08:22
  5. Radius settings and 802.1x
    By i-beast-a in forum WL-500g Q&A
    Replies: 2
    Last Post: 30-06-2004, 14:58

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts