<div dir="ltr"><div>Hi stephan,</div><div><br></div><div>As you suggested i tried to connect freeradous to active directory.</div><div>Freeradius is able to join the active directory and below command also succeeded.</div><div><br></div><div><span style="color:rgb(64,64,64);font-family:courier;font-size:11px;line-height:18.2399997711182px">radtest -t mschap <user> <password> localhost 0 <sharedsecret></span><br></div><div><span style="color:rgb(64,64,64);font-family:courier;font-size:11px;line-height:18.2399997711182px"><br></span></div><div><span style="color:rgb(64,64,64);font-family:courier;font-size:11px;line-height:18.2399997711182px">But station failed to connect to AP. </span></div><div><span style="color:rgb(64,64,64);font-family:courier;font-size:11px;line-height:18.2399997711182px">I got the below error on freeradius:</span></div><div><br></div><div><br></div><div><div>EAP-FAST: Add EAP-Payload TLV</div><div>EAP-FAST: Encrypting Phase 2 TLVs - hexdump(len=9): [REMOVED]</div><div>EAP-FAST: Piggyback Phase 2 data (len=74) with last Phase 1 Message (len=59 used=0)</div><div>SSL: Generating Request</div><div>SSL: Sending out 133 bytes (message sent completely)</div><div>EAP: EAP entering state SEND_REQUEST</div><div>EAP: EAP entering state IDLE</div><div>EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)</div><div>Wed Sep 17 12:06:41 2014 : Debug: ==> Request</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[eap2] = handled</div><div>Wed Sep 17 12:06:41 2014 : Info: +} # group EAP = handled</div><div>Sending Access-Challenge of id 0 to 10.10.2.21 port 32769</div><div><span class="" style="white-space:pre"> </span>EAP-Message = 0x0103008b2b011403010001011603010030ecbaeb0cb34edb4b5a2ba664ee29b3bc10415f193eea62b87aec7010764b27c9214f353e257ba45d088db01395af31921703010020553bf7bacca0e0deaaab76ced600289fa3cfd5e554f12194366f6daebb9457461703010020bfa25876dc10a3be2823cc57da70dacc00ba36be10cac7d3fab63abc9568da76</div><div><span class="" style="white-space:pre"> </span>State = 0x168e1d8b4946cac447e29a10af5f74ab</div><div><span class="" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div><div>Wed Sep 17 12:06:41 2014 : Info: Finished request 2.</div><div>Wed Sep 17 12:06:41 2014 : Debug: Going to the next request</div><div>Wed Sep 17 12:06:41 2014 : Debug: Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.10.2.21 port 32769, id=0, length=198</div><div>Wed Sep 17 12:06:41 2014 : Info: Cleaning up request 2 ID 0 with timestamp +4</div><div><span class="" style="white-space:pre"> </span>User-Name = "Administrator"</div><div><span class="" style="white-space:pre"> </span>NAS-IP-Address = 10.10.2.21</div><div><span class="" style="white-space:pre"> </span>Called-Station-Id = "00904c0dc3c0"</div><div><span class="" style="white-space:pre"> </span>Calling-Station-Id = "b0df3a213196"</div><div><span class="" style="white-space:pre"> </span>NAS-Identifier = "00904c0dc3c0"</div><div><span class="" style="white-space:pre"> </span>NAS-Port = 6</div><div><span class="" style="white-space:pre"> </span>Framed-MTU = 1400</div><div><span class="" style="white-space:pre"> </span>State = 0x168e1d8b4946cac447e29a10af5f74ab</div><div><span class="" style="white-space:pre"> </span>NAS-Port-Type = Wireless-802.11</div><div><span class="" style="white-space:pre"> </span>EAP-Message = 0x0203003b2b01170301003095d9ea11cd8534ccc15833857d3abf3d4cde7bcfd6452e90a6376d38a1fbca5cd8866df13873ced31bcddb01b763a05a</div><div><span class="" style="white-space:pre"> </span>Message-Authenticator = 0x8436f303447ef2fb778d130a29cde1fe</div><div>Wed Sep 17 12:06:41 2014 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default</div><div>Wed Sep 17 12:06:41 2014 : Info: +group authorize {</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[preprocess] = ok</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[chap] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[mschap] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[digest] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: [suffix] No '@' in User-Name = "Administrator", looking up realm NULL</div><div>Wed Sep 17 12:06:41 2014 : Info: [suffix] No such realm "NULL"</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[suffix] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: [eap] EAP packet type response id 3 length 59</div><div>Wed Sep 17 12:06:41 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[eap] = updated</div><div>Wed Sep 17 12:06:41 2014 : Info: [files] users: Matched entry DEFAULT at line 1</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[files] = ok</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[expiration] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[logintime] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[pap] = noop</div><div>Wed Sep 17 12:06:41 2014 : Info: +} # group authorize = updated</div><div>Wed Sep 17 12:06:41 2014 : Info: Found Auth-Type = EAP</div><div>Wed Sep 17 12:06:41 2014 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default</div><div>Wed Sep 17 12:06:41 2014 : Info: +group EAP {</div><div>Wed Sep 17 12:06:41 2014 : Info: [eap2] Request found, released from the list</div><div>EAP: EAP entering state RECEIVED</div><div>EAP: parseEapResp: rxResp=1 respId=3 respMethod=43 respVendor=0 respVendorMethod=0</div><div>EAP: EAP entering state INTEGRITY_CHECK</div><div>EAP: EAP entering state METHOD_RESPONSE</div><div>SSL: Received packet(len=59) - Flags 0x01</div><div>SSL: Received packet: Flags 0x1 Message Length 0</div><div>EAP-FAST: Received 53 bytes encrypted data for Phase 2</div><div>EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=22): [REMOVED]</div><div>EAP-FAST: Received Phase 2: TLV type 9 length 18 (mandatory)</div><div>EAP-FAST: EAP-Payload TLV - hexdump(len=18): 02 03 00 12 01 41 64 6d 69 6e 69 73 74 72 61 74 6f 72</div><div>EAP-FAST: Received Phase 2: code=2 identifier=3 length=18</div><div>EAP-Identity: Peer identity - hexdump_ascii(len=13):</div><div> 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 Administrator </div><div>EAP-FAST: PHASE2_ID -> PHASE2_METHOD</div><div>EAP-FAST: try EAP type 26</div><div>EAP: EAP entering state METHOD_REQUEST</div><div>EAP: building EAP-Request: Identifier 4</div><div>EAP-MSCHAPV2: Challenge - hexdump(len=16): 3f 59 4c c5 b1 d1 bc 71 62 df c1 49 70 6a 03 b7</div><div>EAP-FAST: Phase 2 EAP-Request - hexdump(len=33): [REMOVED]</div><div>EAP-FAST: Add EAP-Payload TLV</div><div>EAP-FAST: Encrypting Phase 2 TLVs - hexdump(len=37): [REMOVED]</div><div>SSL: Generating Request</div><div>SSL: Sending out 106 bytes (message sent completely)</div><div>EAP: EAP entering state SEND_REQUEST</div><div>EAP: EAP entering state IDLE</div><div>EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)</div><div>Wed Sep 17 12:06:41 2014 : Debug: ==> Request</div><div>Wed Sep 17 12:06:41 2014 : Info: ++[eap2] = handled</div><div>Wed Sep 17 12:06:41 2014 : Info: +} # group EAP = handled</div><div>Sending Access-Challenge of id 0 to 10.10.2.21 port 32769</div><div><span class="" style="white-space:pre"> </span>EAP-Message = 0x010400702b011703010020e4317e67f52197b376755f279b5e6623bba4be4333673a365d6162ddb21e5ba8170301004034291c01a1da6602565ad1e7ed03b4dd5f7a0f12d7f081fbd12e2fffdb304e1c5294279384159b5c2d8d003b3ef0dbfb15cf87af4db208b7259979816ada26c3</div><div><span class="" style="white-space:pre"> </span>State = 0x9dd8b50daabbda5628fd760dd6fc5d4c</div><div><span class="" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div><div>Wed Sep 17 12:06:41 2014 : Info: Finished request 3.</div><div>Wed Sep 17 12:06:41 2014 : Debug: Going to the next request</div><div>Wed Sep 17 12:06:41 2014 : Debug: Waking up in 4.9 seconds.</div><div>Wed Sep 17 12:06:46 2014 : Info: Cleaning up request 3 ID 0 with timestamp +4</div><div>Wed Sep 17 12:06:46 2014 : Info: Ready to process requests.</div></div><div><br></div><div><br></div><div>Please find the attached complete console log for freeradius.</div><div>Please help me to make it work.</div><div><br></div><div><br></div><div>Regards</div><div>Ammu</div><div><br></div><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 8, 2014 at 3:30 PM, <span dir="ltr"><<a href="mailto:freeradius-devel-request@lists.freeradius.org" target="_blank">freeradius-devel-request@lists.freeradius.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Send Freeradius-Devel mailing list submissions to<br>
<a href="mailto:freeradius-devel@lists.freeradius.org">freeradius-devel@lists.freeradius.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.freeradius.org/mailman/listinfo/freeradius-devel" target="_blank">http://lists.freeradius.org/mailman/listinfo/freeradius-devel</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:freeradius-devel-request@lists.freeradius.org">freeradius-devel-request@lists.freeradius.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:freeradius-devel-owner@lists.freeradius.org">freeradius-devel-owner@lists.freeradius.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Devel digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. RE: EAP-FAST phase2 failed (Stefan Paetow)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 7 Aug 2014 21:25:46 +0000<br>
From: Stefan Paetow <<a href="mailto:Stefan.Paetow@ja.net">Stefan.Paetow@ja.net</a>><br>
To: FreeRadius developers mailing list<br>
<<a href="mailto:freeradius-devel@lists.freeradius.org">freeradius-devel@lists.freeradius.org</a>><br>
Subject: RE: EAP-FAST phase2 failed<br>
Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF@EXC001><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
The log says this:<br>
<br>
EAP-MSCHAPV2: eap_server Password not configured<br>
EAP-FAST: Phase2 method failed<br>
EAP-FAST: PHASE2_METHOD -> FAILURE<br>
<br>
Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).<br>
<br>
Stefan<br>
<br>
________________________________<br>
From: freeradius-devel-bounces+stefan.paetow=<a href="mailto:ja.net@lists.freeradius.org">ja.net@lists.freeradius.org</a> [freeradius-devel-bounces+stefan.paetow=<a href="mailto:ja.net@lists.freeradius.org">ja.net@lists.freeradius.org</a>] on behalf of Ammu Argh [<a href="mailto:ammu3634@gmail.com">ammu3634@gmail.com</a>]<br>
Sent: 07 August 2014 17:16<br>
To: <a href="mailto:freeradius-devel@lists.freeradius.org">freeradius-devel@lists.freeradius.org</a><br>
Subject: EAP-FAST phase2 failed<br>
<br>
Hi,<br>
<br>
I was trying to connect to AP using EAP-FAST authentication.<br>
But Freeradius EAP-FAST failed with below error:<br>
<br>
State = 0x97d5bb340dc1cb0c525e6b44738f3553<br>
Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb<br>
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>
+group authorize {<br>
++[preprocess] = ok<br>
++[chap] = noop<br>
++[mschap] = noop<br>
++[digest] = noop<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] = noop<br>
[eap] EAP packet type response id 4 length 107<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] = updated<br>
[files] users: Matched entry DEFAULT at line 202<br>
++[files] = ok<br>
++[expiration] = noop<br>
++[logintime] = noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] = noop<br>
+} # group authorize = updated<br>
Found Auth-Type = EAP<br>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
+group EAP {<br>
[eap2] Request found, released from the list<br>
EAP: EAP entering state RECEIVED<br>
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0<br>
EAP: EAP entering state INTEGRITY_CHECK<br>
EAP: EAP entering state METHOD_RESPONSE<br>
SSL: Received packet(len=107) - Flags 0x01<br>
SSL: Received packet: Flags 0x1 Message Length 0<br>
EAP-FAST: Received 101 bytes encrypted data for Phase 2<br>
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]<br>
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)<br>
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69<br>
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63<br>
EAP-MSCHAPV2: eap_server Password not configured<br>
EAP-FAST: Phase2 method failed<br>
EAP-FAST: PHASE2_METHOD -> FAILURE<br>
EAP: EAP entering state SELECT_ACTION<br>
EAP: getDecision: method failed -> FAILURE<br>
EAP: EAP entering state FAILURE<br>
EAP: Building EAP-Failure (id=4)<br>
==> Fail<br>
[eap2] Freeing handler<br>
EAP: Server state machine removed<br>
++[eap2] = reject<br>
+} # group EAP = reject<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type REJECT<br>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
+group REJECT {<br>
[attr_filter.access_reject] expand: %{User-Name} -> anonymous<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] = updated<br>
+} # group REJECT = updated<br>
Delaying reject of request 4 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 4<br>
Sending Access-Reject of id 117 to 10.10.2.2 port 46531<br>
EAP-Message = 0x04040004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Waking up in 3.9 seconds.<br>
<br>
<br>
Other details are as below"<br>
<br>
Users file"<br>
wifi Auth-Type := EAP, Cleartext-Password := "welcome123"<br>
<br>
eap.conf<br>
eap2 {<br>
fast {<br>
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f<br>
eap_fast_a_id = tjsys<br>
eap_fast_a_id_info = my_server<br>
eap_fast_prov = 3<br>
pac_key_lifetime = 604800 # 7 days<br>
pac_key_refresh_tim = 86400<br>
}<br>
<br>
tls {<br>
ca_cert = /usr/local/etc/raddb/certs/ca.pem<br>
server_cert = /usr/local/etc/raddb/certs/server.pem<br>
private_key_file = /usr/local/etc/raddb/certs/server.key<br>
private_key_password = whatever<br>
dh_file = /usr/local/etc/raddb/certs/dh<br>
random_file = /usr/local/etc/raddb/certs/random<br>
}<br>
}<br>
<br>
<br>
Sites-enabled/default:<br>
Added in authenticate block<br>
Auth-Type EAP {<br>
eap2<br>
}<br>
<br>
<br>
<br>
wpa_supplicant.conf<br>
update_config=1<br>
ap_scan=1<br>
fast_reauth=1<br>
<br>
network={<br>
ssid="WiFi-11g"<br>
key_mgmt=WPA-EAP<br>
proto=WPA<br>
pairwise=TKIP<br>
group=TKIP<br>
eap=FAST<br>
anonymous_identity="fast"<br>
identity="fast"<br>
password="koro"<br>
phase1="fast_provisioning=3"<br>
pac_file="/data/misc/wifi/eap_fast.pac"<br>
}<br>
<br>
<br>
<br>
FreeRADIUS Version 2.2.5,<br>
OpenSSL 1.0.1e 11<br>
Ubuntu 14.04.1<br>
<br>
Please help me to get it work.<br>
<br>
Regards<br>
Ammu<br>
<br>
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a<br>
not-for-profit company which is registered in England under No. 2881024<br>
and whose Registered Office is at Lumen House, Library Avenue,<br>
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238<br>
<br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/devel.html" target="_blank">http://www.freeradius.org/list/devel.html</a><br>
<br>
<br>
End of Freeradius-Devel Digest, Vol 112, Issue 6<br>
************************************************<br>
</blockquote></div><br></div></div>