Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0
votes
0
answers
69
views
Trying to programmatically get the RADIUS certificate
When connecting to a WPA Enterprise access point, operating systems like iOS and macOS display the server certificate to the user if it has not been seen before. However, on Linux, using wpa_supplicant, this prompt does not appear. I have configured wpa_supplicant using a .conf file, but I do not get the server certificate. Is there any way to obtain the certificate when connecting to the AP on linux?
This is one of the configurations I have used:
network={
ssid="ssid"
key_mgmt=WPA-EAP
eap=PEAP
identity="your.username@example.com"
password="yourpassword"
phase1="peapver=0"
phase2="auth=MSCHAPV2"
ca_cert="/etc/ssl/certs/your_CA_cert.pem"
}
And the usage of wpa_supplicant:
sudo wpa_supplicant -i wlan0 -c /etc/tmp/network.conf -D nl80211 -dd
juvor
(149 rep)
Aug 3, 2025, 06:22 AM
0
votes
0
answers
22
views
How to configure FreeBSD as WPA Enterprise access point?
I have a FreeBSD machine with an Atheros WiFi card and I want to use it as WPA Enterprise access point.
I set up a RADIUS server on the FreeBSD machine and configure interface wlan0 and hostapd.conf, but I have no luck. My phone informs me that the MyWiFi network is password protected and refuses to accept my certificate.
But I successfully use an access point (a white box with antennas and blue LEDs) as a WPA Enterprise access point from my phone. So I suppose I set up the RADIUS server correctly.
wlan0: flags=8843 metric 0 mtu 1500
options=0
ether 00:1a:cc:44:33:aa
inet 192.168.12.1 netmask 0xffffff00 broadcast 192.168.12.255
groups: wlan
ssid "MyFiWi" channel 1 (2412 MHz 11g) bssid 00:1a:cc:44:33:aa
regdomain NONE country DE ecm authmode 802.1x privacy MIXED
deftxkey UNDEF txpower 30 scanvalid 60 protmode CTS wme burst
dtimperiod 1 -dfs
parent interface: ath0
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
status: running
nd6 options=29
My /etc/hostapd.conf:
# GLOBAL PARAMETERS
interface=wlan0
debug=0
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=MyFiWi
# WPA/IEEE 802.11i PARAMETERS
wpa=WPA-RADIUS
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# RADIUS CLIENT PARAMETERS
own_ip_addr=192.168.12.1
nas_identifier=FreeBSD
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=>
My /etc/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
#
# home network; allow all valid ciphers
network={
ssid="MyFiWi"
key_mgmt=WPA-EAP
eap=TLS
ca_cert="/home/MyFiWi.pem"
}
What am I doing wrong?
Sergey Zaykov
(101 rep)
Jul 13, 2025, 10:36 PM
4
votes
1
answers
4376
views
Freeradius PAM create user and home on login
At this moment I have installed freeradius and PAM radius properly. When I create an account on the system and set a password in /etc/raddb/users.conf the user can login. Sudo also works great with PAM radius.
What I want to achieve is that, when I create a user in /etc/raddb/users.conf and reload the config, the account and home dir will be created if the authentication for Radius succeeds.
I tried many things including
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The last log lines from the login without a system user account.
Feb 23 18:59:17 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2
My config for PAM sshd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Is it possible to create the system account and home directory on login when using freeradius and PAM radius? If so, how does this work?
ps : I am using CentOS 7.
Edit : I have tried with a bash script to check if the user exists and then create it if it does not exist, but this will not work and I do not see any log output for pam_exec.so failing.
Edit : radtest tells me the username and password are correct
Dany
(231 rep)
Feb 25, 2016, 10:04 AM
• Last activity: Apr 22, 2025, 03:08 PM
0
votes
0
answers
75
views
NetworkManager and /etc/nsswitch.conf
I'm looking to use SSSD to connect to Wifi WPA2 Enterprise (on Ubuntu 22.04).
**Can nmcli (NetworkManager) use /etc/nsswitch.conf** to authenticate to Wifi without user action for on-site mode ?
Thanks for your help
kto
(1 rep)
Nov 12, 2024, 11:03 AM
• Last activity: Nov 12, 2024, 12:26 PM
0
votes
2
answers
733
views
Accounting with pam_radius
How can I implement accounting on a unix system using pam_radius ?
pam_radius configuration is easy for authentication.
But I am confused about how to find a way for accounting.
In accounting we send some AVPs to port 1813 of the radius server.
However, how can I do this with pam_radius ?
For example I have following config on /etc/pam.d/radius :
auth sufficient pam_radius_auth.so
account sufficient pam_radius_auth.so
session sufficient pam_radius_auth.so
password sufficient pam_radius_auth.so
And test my config with pamtester :
pamtester radius ali authenticate
Password:
pamtester: successfully authenticated
Radius server already running and authentication was successful.
But where is accounting on pam_radius module ?
alirezaarzehgar
(101 rep)
Nov 22, 2021, 12:40 PM
• Last activity: Oct 28, 2024, 02:39 PM
0
votes
0
answers
62
views
Freeradius realms and users issue
I'm currently running freeradius (on v2.1.22, don't shoot me) with sql backend.
I need to accept *@randombroadband.co.uk and send an Access Accept.
I have defined the realm in proxy.conf as below:
realm randombroadband.co.uk {
authhost = LOCAL
nostrip
}
in my users file I have the following:
DEFAULT User-Name =~ "@randombroadband.co.uk"
Auth-Type := Accept
In the logs we have the following
rad_recv: Access-Request packet from host a.b.c.d port 61384, id=49, length=183
User-Name = "moo@randombroadband.co.uk"
User-Password = "moo"
Service-Type = Framed-User
Framed-Protocol = PPP
Chargeable-User-Identity = ""
Acct-Session-Id = "9277500"
ERX-Dhcp-Mac-Addr = "abcd.0000.0001"
NAS-Identifier = "LNS1"
NAS-Port = 4095
NAS-Port-Id = "-0/0/0.0"
NAS-Port-Type = Ethernet
ERX-Pppoe-Description = "pppoe ab:cd:00:00:00:01"
NAS-IP-Address = a.b.c.d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "randombroadband.co.uk" for User-Name = "moo@randombroadband.co.uk"
[suffix] Found realm "randombroadband.co.uk"
[suffix] Adding Realm = "randombroadband.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] expand: %{User-Name} -> moo@randombroadband.co.uk
[files] users: Matched entry DEFAULT at line 165
[files] expand: %{User-Name} -> moo@randombroadband.co.uk
++[files] returns ok
[sql] expand: %{User-Name} -> moo@randombroadband.co.uk
[sql] sql_set_user escaped user --> 'moo@randombroadband.co.uk'
rlm_sql (sql): Reserving sql socket id: 48
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'moo@randombroadband.co.uk' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'moo@randombroadband.co.uk' ORDER BY priority
rlm_sql (sql): Released sql socket id: 48
[sql] User moo@randombroadband.co.uk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
So it finds the realm and the user in the user file then seems to ignore the accept and decides to lookup the SQL table. Is there any way to get it to stop that once it gets to the accept?
NetDonkey
(1 rep)
Aug 13, 2024, 12:31 PM
• Last activity: Aug 13, 2024, 01:42 PM
1
votes
2
answers
7279
views
freeradius test user fails Parse error (reply) for entry test: Expected end of line or comma
I am trying to use the following at the top of my files authorize to test a new radius installation on default configs.
head /etc/raddb/mods-config/files/authorize
bob Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
test Cleartext-Password := "test"
Reply-Message := "Hello, %{User-Name}
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
This fails to load at start up.
With the last few lines of the logs looking like this.
/sbin/radiusd -f -X -x
.....
Wed Aug 16 16:37:38 2017 : Debug: reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
Wed Aug 16 16:37:38 2017 : Debug: }
Wed Aug 16 16:37:38 2017 : Debug: (Loaded rlm_files, checking if it's valid)
Wed Aug 16 16:37:38 2017 : Debug: # Loaded module rlm_files
Wed Aug 16 16:37:38 2017 : Debug: # Instantiating module "files" from file /etc/raddb/mods-enabled/files
Wed Aug 16 16:37:38 2017 : Debug: files {
Wed Aug 16 16:37:38 2017 : Debug: filename = "/etc/raddb/mods-config/files/authorize"
Wed Aug 16 16:37:38 2017 : Debug: usersfile = "/etc/raddb/mods-config/files/authorize"
Wed Aug 16 16:37:38 2017 : Debug: acctusersfile = "/etc/raddb/mods-config/files/accounting"
Wed Aug 16 16:37:38 2017 : Debug: preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
Wed Aug 16 16:37:38 2017 : Debug: compat = "cistron"
Wed Aug 16 16:37:38 2017 : Debug: }
Wed Aug 16 16:37:38 2017 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize
Wed Aug 16 16:37:38 2017 : Error: /etc/raddb/mods-config/files/authorize: Parse error (reply) for entry test: Expected end of line or comma
Wed Aug 16 16:37:38 2017 : Error: Failed reading /etc/raddb/mods-config/files/authorize
Wed Aug 16 16:37:38 2017 : Error: /etc/raddb/mods-enabled/files: Instantiation failed for module "files"
nelaaro
(1363 rep)
Aug 16, 2017, 04:52 PM
• Last activity: May 31, 2024, 05:00 AM
0
votes
1
answers
1104
views
How to configure hostapd service with external RADIUS server?
I am trying to set up an AP with an external RADIUS server using two Linux hosts for each service, hostapd and freeradius, correspondingly. These hosts and the Wi-Fi client host are Raspberry Pi 4 units running Ubuntu 22.04.4 LTS (jammy).
All hosts have an Ethernet connection to the common LAN (10.1.0.0/24):
- hostA - Wi-Fi AP (10.1.0.22 Ethernet, 192.168.220.1 Wi-Fi)
- hostB - RADIUS server (10.1.0.12 Ethernet)
- hostC - Wi-Fi client (10.1.0.50 Ethernet, 192.168.220.101 Wi-Fi)
I have configured the server on the hostB and am able to test it from the Wi-Fi client over the Ethernet LAN:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20
Then I bring up the Wi-Fi AP (hostA) configured with the following .conf content:
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
interface=wlp1s0
driver=nl80211
country_code=CA
ieee80211n=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
disassoc_low_ack=0
ssid=testAP
ieee80211w=0
auth_algs=1
wpa=0
ignore_broadcast_ssid=0
eap_server=0
own_ip_addr=10.1.0.22
auth_server_addr=10.1.0.12 #hostB
auth_server_port=1812
auth_server_shared_secret=testSecret1
The service is built from the latest code available in the main branch with the only modification below from the file to disable the integrated RADIUS server:
# Integrated EAP server
CONFIG_EAP=n
I can see that the service is starting properly with RADIUS server configuration reported accordingly:
hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED
I can successfully connect the Wi-Fi client (hostC) to the Wi-Fi AP (hostA). However, when I try to do the RADIUS test now over a Wi-Fi network (192.168.220.0/24) targeting Wi-Fi AP to process RADIUS requests, I get the failure:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3
I captured the traffic on the Wi-Fi interface of the and see that it responds with the ICMP packet saying that unreachable (Port unreachable):
Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 2, 2024 18:18:11.473305000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1712107091.473305000 seconds
[Time delta from previous captured frame: 0.000101000 seconds]
[Time delta from previous displayed frame: 0.000101000 seconds]
[Time since reference or first frame: 0.000101000 seconds]
Frame Number: 2
Frame Length: 155 bytes (1240 bits)
Capture Length: 155 bytes (1240 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 141
Identification: 0xa48f (42127)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: ICMP (1)
Header Checksum: 0x9b68 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.220.1
Destination Address: 192.168.220.101
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0x3724 [correct]
[Checksum Status: Good]
Unused: 00000000
Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 113
Identification: 0xc1e8 (49640)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: UDP (17)
Header Checksum: 0x7edb [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.220.101
Destination Address: 192.168.220.1
User Datagram Protocol, Src Port: 40929, Dst Port: 1812
Source Port: 40929
Destination Port: 1812
Length: 93
Checksum: 0xbfa6 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
UDP payload (85 bytes)
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x95 (149)
Length: 85
Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
Attribute Value Pairs
AVP: t=User-Name(1) l=11 val=testUser1
Type: 1
Length: 11
User-Name: testUser1
AVP: t=User-Password(2) l=18 val=Encrypted
Type: 2
Length: 18
User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
Type: 4
Length: 6
NAS-IP-Address: 192.168.220.101
AVP: t=NAS-Port(5) l=6 val=0
Type: 5
Length: 6
NAS-Port: 0
AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
Type: 80
Length: 18
Message-Authenticator: b4669b2314a4738a956f683b59b645c4
AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
Type: 7
Length: 6
Framed-Protocol: PPP (1)
What do I miss here?
pahanela
(51 rep)
Apr 3, 2024, 01:40 AM
• Last activity: Apr 15, 2024, 08:04 PM
0
votes
0
answers
111
views
Installing PAM radius server on AIX
I was trying to install radius server on our test server running AIX7.3. I have performed the following things:
1. Extract the tar file to /tmp where I have downloaded pam_radius-1.4.0.tar.gz.
2. Modify the pam_radius-1.4.0/src/pam_radius_auth.h: on line 80, add #define __sun, just before #ifndef CONST
3. Configure and compile the changes
> #./configure
> # make
On executing the make command it gives me the following error:
# make
cc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
cc: not found
make: 1254-004 The error code from the last command is 1.
On doing
#make CC=gcc
it gives me the following error and I have no idea how to solve it. It would be better if anybody could explain the error to me and has some recent docs on installing radius on AIX7.3.
# make CC=gcc
gcc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o src/pam_radius_auth.c: In function 'rad_converse': src/pam_radius_auth.c:1028:40: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1028 | retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
| ^~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1031:25: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [-Wincompatible-pointer-types] 1031 | retval = conv->conv(1, msg, &resp,conv->appdata_ptr);
| ^~~
| |
| const struct pam_message ** src/pam_radius_auth.c:1031:25: note: expected 'struct pam_message **' but argument is of type 'const struct pam_message **' src/pam_radius_auth.c: In function 'pam_sm_authenticate': src/pam_radius_auth.c:1081:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types] 1081 | retval = pam_get_user(pamh, &user, NULL);
| ^~~~~
| |
| const char ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **' 221 | char **user, /* User Name */
| ~~~~~~~^~~~ src/pam_radius_auth.c:1096:42: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1096 | retval = pam_get_item(pamh, PAM_RUSER, (CONST void **) &userinfo);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1120:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1120 | retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1136:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1136 | retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1170:41: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1170 | retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost);
| ^~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c: In function 'pam_sm_setcred': src/pam_radius_auth.c:1290:43: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type [-Wincompatible-pointer-types] 1290 | pam_get_data(pamh, "rad_setcred_return", (CONST void **) &pret);
| ^~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:246:9: note: expected 'void **' but argument is of type 'const void **' 246 | void **data
| ~~~~~~~^~~~ src/pam_radius_auth.c: In function 'pam_private_session': src/pam_radius_auth.c:1312:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types] 1312 | retval = pam_get_user(pamh, &user, NULL);
| ^~~~~
| |
| const char ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **' 221 | char **user, /* User Name */
| ~~~~~~~^~~~ src/pam_radius_auth.c:1332:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1332 | retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1300:6: warning: variable 'ctrl' set but not used [-Wunused-but-set-variable] 1300 | int ctrl;
| ^~~~ src/pam_radius_auth.c: In function 'pam_sm_chauthtok': src/pam_radius_auth.c:1412:30: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type [-Wincompatible-pointer-types] 1412 | retval = pam_get_user(pamh, &user, NULL);
| ^~~~~
| |
| const char ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:221:9: note: expected 'char **' but argument is of type 'const char **' 221 | char **user, /* User Name */
| ~~~~~~~^~~~ src/pam_radius_auth.c:1432:44: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1432 | retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1441:46: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1441 | retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **) &password);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~ src/pam_radius_auth.c:1446:43: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type [-Wincompatible-pointer-types] 1446 | retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &new_password);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| const void ** In file included from src/pam_radius_auth.h:25,
from src/pam_radius_auth.c:62: /usr/include/security/pam_appl.h:196:10: note: expected 'void **' but argument is of type 'const void **' 196 | void ** item /* Address of place to put pointer */
| ~~~~~~~~^~~~
gcc -Wall -fPIC -c src/md5.c -o md5.o
gcc -shared pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so Target "all" is up to date.
Subesh poudel
(11 rep)
Dec 15, 2023, 04:04 AM
• Last activity: Dec 15, 2023, 01:09 PM
-1
votes
1
answers
2879
views
Daloradius Users can't login DB error (MySQL)
I set up Freeradius with the Daloradius WebGUI to manage Users, NAS etc.. It works fine, I can login as admin, create users and those users can authenticate against the Radius Server (tested with radtest).
However, the user login, which allows users to change their password, accessed via http://domain.com/daloradius/daloradius-users/login.php, doesn't work.
When trying to login with a user account, I get the following error:
Database connection error
Error Message: DB Error: connect failed
I don't really get why, since the database connection obviously works, because I can login to the admin interface as admin. Has anyone an idea what is going wrong here?
Thanks for all replies in advance.
mlhb
(1 rep)
May 23, 2021, 08:30 AM
• Last activity: Jun 25, 2021, 08:43 AM
2
votes
0
answers
1746
views
How to connect to a Radius wireless network with wpa_supplicant using a username and password?
I am attempting to connect to a wireless network that uses RADIUS and WPA2 enterprise with the wpa_supplicant tool in linux.
Does anyone know the proper configuration for this type of connection?
My wpa_supplicant.conf file is as follows:
ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1
network={
ssid="MySSID"
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=TLS
phase2="auth=MSCHAPV2"
identity="MyUsername"
password="MyPass"
}
Additionally, here is a log file containing the results of the command wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.conf:
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4c:72 (SSID='MySSID' freq=5200 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4c:73 (SSID='MySSID' freq=2412 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:12 (SSID='MySSID' freq=5200 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:13 (SSID='MySSID' freq=2437 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:12 (SSID='MySSID' freq=5200 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:13 (SSID='MySSID' freq=2437 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4c:73 (SSID='MySSID' freq=2412 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4c:72 (SSID='MySSID' freq=5200 MHz)
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:12 (SSID='MySSID' freq=5200 MHz)
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="MySSID" auth_failures=1 duration=10 reason=CONN_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="MySSID"
wlan0: SME: Trying to authenticate with b4:fb:e4:25:4f:13 (SSID='MySSID' freq=2437 MHz)
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="MySSID" auth_failures=2 duration=23 reason=CONN_FAILED
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING
Any information on what the correct configuration should be or debugging ideas would be greatly appreciated!
Edit: The results of the wpa_supplicant command with the -dd option added.
wpa_supplicant v2.4
random: Trying to read entropy from /dev/random
Successfully initialized wpa_supplicant
Initializing interface 'wlan0' conf '/etc/wpa_supplicant.conf' driver 'nl80211' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
fast_reauth=1
Line: 3 - start of a new network block
ssid - hexdump_ascii(len=5):
77 65 6c 6c 73 wells
key_mgmt: 0x1
pairwise: 0x10
group: 0x10
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
phase2 - hexdump_ascii(len=13):
61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2
identity - hexdump_ascii(len=5):
77 65 6c 6c 73 wells
password - hexdump_ascii(len=9): [REMOVED]
Priority group 0
id=0 ssid='wells'
rfkill: initial event: idx=0 type=1 op=0 soft=0 hard=0
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-14-72:1
nl80211: Supports Probe Response offload in AP mode
nl80211: Using driver-based off-channel TX
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=0
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=1
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=2
nl80211: Supported vendor event: vendor_id=0x80028 subcmd=0
nl80211: Supported vendor event: vendor_id=0x80028 subcmd=1
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: Enable multi-channel concurrent (driver advertised support)
nl80211: use P2P_DEVICE support
nl80211: interface wlan0 in phy phy0
nl80211: Set mode ifindex 5 iftype 2 (STATION)
nl80211: Subscribe to mgmt frames with non-AP handle 0x55495490
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=040a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=040b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=040c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=040d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=090a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=090b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=090c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=090d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=0409506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=7f506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=0801
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=0a07
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=0a11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=1101
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=1102
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55495490 match=0505
netlink: Operstate: ifindex=5 linkmode=1 (userspace-control), operstate=5 (IF_OPER_DORMANT)
nl80211: driver param='(null)'
Add interface wlan0 to a new radio phy0
nl80211: Regulatory information - country=00
nl80211: 2402-2472 @ 40 MHz 20 mBm
nl80211: 2457-2482 @ 20 MHz 20 mBm (no IR)
nl80211: 2474-2494 @ 20 MHz 20 mBm (no OFDM) (no IR)
nl80211: 5170-5250 @ 80 MHz 20 mBm (no IR)
nl80211: 5250-5330 @ 80 MHz 20 mBm (DFS) (no IR)
nl80211: 5490-5730 @ 160 MHz 20 mBm (DFS) (no IR)
nl80211: 5735-5835 @ 80 MHz 20 mBm (no IR)
nl80211: 57240-63720 @ 2160 MHz 0 mBm
nl80211: Added 802.11b mode based on 802.11g information
wlan0: Own MAC address: 0c:1c:57:ad:69:70
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=4 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=5 (wlan0) alg=0 addr=(nil) key_idx=5 set_tx=0 seq_len=0 key_len=0
wlan0: RSN: flushing PMKID list in the driver
nl80211: Flush PMKIDs
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
wlan0: WPS: UUID based on MAC address: f7a7f89c-383f-5fbb-8ea3-89e2442e1fe7
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
nl80211: Skip set_supp_port(unauthorized) while not associated
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
wlan0: Added interface wlan0
wlan0: State: DISCONNECTED -> DISCONNECTED
nl80211: Set wlan0 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=5 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
nl80211: Create interface iftype 10 (P2P_DEVICE)
nl80211: New P2P Device interface p2p-dev-wlan0 (0x4) created
Initializing interface 'p2p-dev-wlan0' conf '/etc/wpa_supplicant.conf' driver 'nl80211' ctrl_interface '/var/run/wpa_supplicant' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
fast_reauth=1
Line: 3 - start of a new network block
ssid - hexdump_ascii(len=5):
77 65 6c 6c 73 wells
key_mgmt: 0x1
pairwise: 0x10
group: 0x10
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
phase2 - hexdump_ascii(len=13):
61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2
identity - hexdump_ascii(len=5):
77 65 6c 6c 73 wells
password - hexdump_ascii(len=9): [REMOVED]
Priority group 0
id=0 ssid='wells'
rfkill: initial event: idx=0 type=1 op=0 soft=0 hard=0
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-14-72:1
nl80211: Supports Probe Response offload in AP mode
nl80211: Using driver-based off-channel TX
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=0
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=1
nl80211: Supported vendor command: vendor_id=0x80028 subcmd=2
nl80211: Supported vendor event: vendor_id=0x80028 subcmd=0
nl80211: Supported vendor event: vendor_id=0x80028 subcmd=1
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: Enable multi-channel concurrent (driver advertised support)
nl80211: use P2P_DEVICE support
nl80211: interface p2p-dev-wlan0 in phy phy0
nl80211: Set mode ifindex 0 iftype 10 (P2P_DEVICE)
nl80211: Failed to set interface 0 to mode 10: -22 (Invalid argument)
nl80211: Subscribe to mgmt frames with non-AP handle 0x554a5ed0
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=040a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=040b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=040c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=040d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=090a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=090b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=090c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=090d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=0409506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=7f506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=0801
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=0a07
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=0a11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=1101
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=1102
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x554a5ed0 match=0505
nl80211: Start P2P Device p2p-dev-wlan0 (0x4): Success
nl80211: driver param='(null)'
Add interface p2p-dev-wlan0 to existing radio phy0
nl80211: Regulatory information - country=00
nl80211: 2402-2472 @ 40 MHz 20 mBm
nl80211: 2457-2482 @ 20 MHz 20 mBm (no IR)
nl80211: 2474-2494 @ 20 MHz 20 mBm (no OFDM) (no IR)
nl80211: 5170-5250 @ 80 MHz 20 mBm (no IR)
nl80211: 5250-5330 @ 80 MHz 20 mBm (DFS) (no IR)
nl80211: 5490-5730 @ 160 MHz 20 mBm (DFS) (no IR)
nl80211: 5735-5835 @ 80 MHz 20 mBm (no IR)
nl80211: 57240-63720 @ 2160 MHz 0 mBm
nl80211: Added 802.11b mode based on 802.11g information
p2p-dev-wlan0: Own MAC address: 0c:1c:57:ad:69:71
p2p-dev-wlan0: RSN: flushing PMKID list in the driver
nl80211: Flush PMKIDs
p2p-dev-wlan0: State: DISCONNECTED -> INACTIVE
p2p-dev-wlan0: WPS: UUID from the first interface: f7a7f89c-383f-5fbb-8ea3-89e2442e1fe7
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
nl80211: Skip set_supp_port(unauthorized) while not associated
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Using existing control interface directory.
P2P: Add operating class 81
P2P: Channels - hexdump(len=11): 01 02 03 04 05 06 07 08 09 0a 0b
P2P: Add operating class 115
P2P: Channels - hexdump(len=1): 28
P2P: Add operating class 124
P2P: Channels - hexdump(len=3): 95 99 a1
P2P: Add operating class 126
P2P: Channels - hexdump(len=1): 95
P2P: Add operating class 127
P2P: Channels - hexdump(len=1): 99
P2P: Own listen channel: 81:11
P2P: Random operating channel: 81:1
P2P: initialized
P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11 115:40 124:149,153,161 126:149 127:153
P2P: cli_channels:
p2p-dev-wlan0: Added interface p2p-dev-wlan0
p2p-dev-wlan0: State: INACTIVE -> DISCONNECTED
nl80211: Set p2p-dev-wlan0 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=0 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
random: Got 20/20 bytes from /dev/random
RTM_NEWLINK: ifi_index=5 ifname=wlan0 operstate=2 linkmode=0 ifi_family=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK: ifi_index=5 ifname=wlan0 operstate=2 linkmode=1 ifi_family=0 ifi_flags=0x1003 ([UP])
wlan0: Starting delayed sched scan
wlan0: Use normal scan instead of sched_scan for initial scans (normal_scans=0)
wlan0: Setting scan request: 0.000000 sec
wlan0: State: DISCONNECTED -> SCANNING
wlan0: Starting AP scan for wildcard SSID
WPS: Building WPS IE for Probe Request
WPS: * Version (hardcoded 0x10)
WPS: * Request Type
WPS: * Config Methods (3148)
WPS: * UUID-E
WPS: * Primary Device Type
WPS: * RF Bands (3)
WPS: * Association State
WPS: * Configuration Error (0)
WPS: * Device Password ID (0)
WPS: * Manufacturer
WPS: * Model Name
WPS: * Model Number
WPS: * Device Name
WPS: * Version2 (0x20)
P2P: * P2P IE header
P2P: * Capability dev=25 group=00
P2P: * Listen Channel: Regulatory Class 81 Channel 11
wlan0: Add radio work 'scan'@0x554a9da8
wlan0: First radio work item in the queue - schedule start immediately
wlan0: Starting radio work 'scan'@0x554a9da8 after 0.000043 second wait
wlan0: nl80211: scan request
nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
nl80211: Scan extra IEs - hexdump(len=126): dd 69 00 50 f2 04 10 4a 00 01 10 10 3a 00 01 00 10 08 00 02 31 48 10 47 00 10 f7 a7 f8 9c 38 3f 5f bb 8e a3 89 e2 44 2e 1f e7 10 54 00 08 00 00 00 00 00 00 00 00 10 3c 00 01 03 10 02 00 02 00 00 10 09 00 02 00 00 10 12 00 02 00 00 10 21 00 01 20 10 23 00 01 20 10 24 00 01 20 10 11 00 01 20 10 49 00 06 00 37 2a 00 01 20 dd 11 50 6f 9a 09 02 02 00 25 00 06 05 00 58 58 04 51 0b
Scan requested (ret=0) - scan timeout 10 seconds
nl80211: Event message available
nl80211: Ignored event (cmd=33) for foreign interface (ifindex 5 wdev 0x0)
nl80211: Drv Event 33 (NL80211_CMD_TRIGGER_SCAN) received for wlan0
wlan0: nl80211: Scan trigger
Edit 2: Results of rfkill list command:
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
TheEmbeddedGuy1
(31 rep)
May 29, 2020, 09:43 PM
• Last activity: Jun 1, 2020, 06:44 PM
0
votes
0
answers
938
views
How to connect with linux mint to wifi wpa2 enterprise with default radius server configuration?
I tried to connect to WiFi with WPA2 enterprise authentication to default radius server configuration with Linux mint 19.2 but I can't.
I set security to WPA2 enterprise, authentication to TTLS, I checked the No CA certification, Inner authentication MSCHAPv2 and correct username and password.
I tried this with Ubuntu and fedora gnome version and there was no problem and they were successfully connected.
Amir Sabeghi
(99 rep)
Dec 10, 2019, 09:10 AM
• Last activity: Dec 14, 2019, 10:37 AM
1
votes
0
answers
147
views
How to authenticate users in LDAP with password crypted md5 to use radius
I have set up freeradius with authentication against LDAP.
I use a radius server to authenticate my users.
The problem is I cannot make the radius server read md5 encrypted passwords.
Any idea what to do to make it read md5 passwords?
saer
(19 rep)
Jul 5, 2019, 10:59 AM
4
votes
1
answers
29087
views
Freeradius Error binding to port for 0.0.0.0 port 1812
Same problem that the other guys have had, but with the difference that the procedures applied to them are not working in my scenario. Let's make order:
Freeradius on RasPi
Netstat:
root@raspberrypi:~# netstat -unpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:59830 0.0.0.0:* 3574/freeradius
udp 0 0 127.0.0.1:18120 0.0.0.0:* 3574/freeradius
udp 0 0 0.0.0.0:1812 0.0.0.0:* 3574/freeradius
udp 0 0 0.0.0.0:1813 0.0.0.0:* 3574/freeradius
udp 0 0 0.0.0.0:1814 0.0.0.0:* 3574/freeradius
Debug with freeradius-x
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf: Error binding to port for 0.0.0.0 port 1812
root@raspberrypi:~# ps aux | grep free
freerad 3574 0.0 1.3 54088 6032 ? Ssl 16:32 0:00 /usr/sbin/freeradius
root 3610 0.0 0.4 3548 1832 pts/0 S+ 16:35 0:00 grep free
If I kill that process I get from freeradius debug
... adding new socket proxy address * port 50820
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
but radtest "John Doe" hello 127.0.0.1 0 test does not work because the service is not running.
Any suggestions?
Federi
(963 rep)
Nov 6, 2015, 04:40 PM
• Last activity: Apr 18, 2019, 05:00 PM
0
votes
0
answers
71
views
FreeRADIUS VLAN assignment from Open Directory group
I'd like to authenticate and assign WiFi users to different VLANs determined by their Apple Open Directory group. FreeRADIUS has an Open Directory module, however I can't find much information about it.
Is it possible to assign a VLAN from a user's group using Open Directory and FreeRADIUS?
user2248702
(101 rep)
Feb 2, 2019, 02:43 PM
5
votes
0
answers
2519
views
Configure a freeRadius server with dhcp function
I have installed a freeradius server on a debian machine and it is working correctly.
I want to configure my freeradius server to provide IP addresses for the authenticated users!
Can any one tell me how can I do that? what are the configuration files that I need to modify?
Thank you!
HaTiMuX
(305 rep)
May 18, 2015, 02:13 PM
• Last activity: Nov 29, 2018, 11:38 PM
2
votes
0
answers
1286
views
Configuring and Testing Freeradius on debian
I'm trying to set up a freeradius server on debian (LTS kernel 3.2.0.4amd64; Wheezy 7.10) it seems to want to use freeradius version 2.1.12.
Installing the package wasn't a big deal (apt-get install freeradius) and I've tried following some guides for configuring it but none of my tested configurations worked, and I couldn't figure out how to test if the server was even working to begin with in my console. I saw some guides using commands to test the server from the host but these commands weren't available on my system...
I did my best to try and follow this guide and also tried digging through the official how-to but I simply couldn't figure out why things weren't working...
I'm trying to set it up for my wireless router's WPA2-Enterprise wlan security option. It is configured thusly:
(I know the port is not the default, I did not forget to configure this in the settings files of course)
So, how am I supposed to do this? I need to be able to connect from Windows and Linux clients.
ifconfig:
root@VAULT:~# ifconfig
eth0 Link encap:Ethernet HWaddr c8:60:00:c0:43:54
inet addr:192.168.1.62 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14879878 errors:0 dropped:0 overruns:0 frame:0
TX packets:11963411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15827735362 (14.7 GiB) TX bytes:13994998174 (13.0 GiB)
Interrupt:43
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12570 errors:0 dropped:0 overruns:0 frame:0
TX packets:12570 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1558356 (1.4 MiB) TX bytes:1558356 (1.4 MiB)

Cestarian
(2438 rep)
Apr 10, 2016, 01:42 AM
• Last activity: Nov 1, 2018, 01:39 PM
0
votes
2
answers
217
views
How do I activate time based admin login to a Linux system using windows active directory?
I have set up a solution where the login to our Linux systems is regulated by Microsoft Active Directory and group memberships. Now I want the access to be time-based so that the AD user will be kicked out of the system after a period of time.
I read a few things about RADIUS and its possibilities to do so eventually.
What I want to accomplish is...
1. ... that user a will be put into the Active Directory login group but cannot login to the Linux system.
2. ... user a can call a website to request access to server x for a few hours or days but only when user a is in this AD group.
3. ... user a will be activated for this server using his/her AD credentials and if possible a second factor like a one time password.
4. ... user a gets kicked out of the system and won't be able to login again after the period of time.
Does anybody have experience with such a scenario or a similar one that could work here? Or know some helpful software to accomplish this goal?
Thank you!
Dade
(1 rep)
Jul 20, 2018, 08:40 AM
• Last activity: Jul 20, 2018, 07:36 PM
1
votes
1
answers
1169
views
FreeRADIUS 3 - discard certain accounting types
I am using FreeRADIUS 3.0.13 on a CentOS 7 server for accounting data from a telephony device, and we want to simply drop certain record types - specifically, for this application, I want to only record Stop messages.
We're specifically writing to a detail log, and then using the bufferedsql module to read from that log, and write to the database server. Everything is working normally, until I get a record such as an Accounting-On, or Start. I've worked around some of this by writing the unwanted records to a database that simply gets purged, but I'd prefer a more elegant solution.
One of the things I saw in the documentation was to replace the query with a SELECT TRUE;, but since this doesn't update records, FreeRADIUS seems to choke on it. It reports "No response to request" and keeps the record in the detail file, attempting to re-process it every 30 seconds.
When I run radiusd -X, I see output similar to the following. This output is from a received Accounting-On packet, and I just want to discard the message:
(22) accounting {
(22) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(22) sql: --> type.accounting-on.query
(22) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(22) sql: EXPAND %{User-Name}
(22) sql: -->
(22) sql: SQL-User-Name set to ''
(22) sql: EXPAND SELECT TRUE;
(22) sql: --> SELECT TRUE;
(22) sql: Executing query: SELECT TRUE;
(22) sql: SQL query returned: success
(22) sql: -1 record(s) updated
(22) sql: No additional queries configured
rlm_sql (sql): Released connection (0)
(22) [sql] = noop
(22) } # accounting = noop
(22) detail (/var/log/radius/radacct/detail-ca-fallback/detail-ca-fallback-log): No response to request. Will retry in 30 seconds
(22) Finished request
(22) Cleaning up request packet ID 0 with timestamp +660
Ready to process requests
How can I configure my dialup.conf to simply drop these types of accounting records? The device generating the accounting data does not support any kind of configuration to only send specific accounting messages.
This is the relevant section of my custom dialup.conf file:
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
# This is a no-op. We don't log this anywhere.
query = "SELECT TRUE;"
}
accounting-off {
# This is a no-op. We don't log this anywhere.
query = "SELECT TRUE;"
}
start {
# This is a no-op. We don't log this anywhere.
query = "INSERT INTO blackhole \
() \
VALUES ()"
}
interim-update {
# This is a no-op. We don't log this anywhere.
uery = "INSERT INTO blackhole \
() \
VALUES ()"
}
stop {
query = "INSERT INTO ${....acct_table1} \
() \
VALUES ()"
}
#
# No Acct-Status-Type == ignore the packet
#
none {
query = "SELECT true"
}
}
}
csyria
(265 rep)
May 7, 2018, 08:30 PM
• Last activity: May 10, 2018, 07:35 AM
3
votes
1
answers
2084
views
from Windows 802.1X connection instructions to linux
Was looking for PEAP tutorials for raspbian but didn't find any solution so far.
In our manual for the LAN connection to our network are the following steps:
1. Activate IEEE 802.1X authentication
2. Set user authentication as authentication mode
3. Uncheck the option to check the identity of the server through Certificate
4. Select EAP-MSCHAP-V2 as authentication method
5. Proceed and enter credentials:
domainxxx\usernamexxx
passwordxxx
How can I reproduce these steps for raspbian?
Edit (efforts so far):
etc/wpa_supplicant/wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
key_mgmt=IEEE8021X
eap=PEAP
identity="domainxxx\usernamexxx"
password="passwordxxx"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
edited the line "iface eth0 inet manual" from /etc/network/interfaces to:
iface eth0 inet dhcp
Currently following error:
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
OpenSSL: openssl_handshake - SSL_connect error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
OpenSSL: pending error: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Distro is Raspbian.
OpenSSL version is 1.0.1t 3 May 2016
RumelDilDumpel
(83 rep)
Mar 20, 2017, 05:23 PM
• Last activity: Mar 1, 2018, 01:08 PM