Problem with Cisco-AVPair

Bertrand Poulet bertrand.poulet at pasteur-lille.fr
Sat Apr 15 11:18:18 CEST 2006


Hello all,

 i've followed the thread about  SSID and user authentication
and i'm wondering how FR check the Cisco-AVPair ?
when i write  "Cisco-AVPair == ..." in users file, the ms-chapv2 step 
reject authentication (if i unterstand output below)
but if i write  "Cisco-AVPair := ..." in users file, the ms-chapv2 step 
accept authentication.
i read some FR docs , and Cisco-AVPair == ..  is a comparison , and with 
:= it's an affectation ?
why the change of this attribute in users file makes that MS-CHAPv2 
check failed ?

tahnks for your help ?
Bertrand.



this is part of radiusd -X -A output, full output is at the bottom, as 
users file :

modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for bertrand with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6

at line 66 of users files , i've got :
bertrand    Cisco-AVPair == "ssid=my_ssid", User-Password == "bertrand"


USERS FILE :
#
#    Please read the documentation file ../doc/processing_users_file,
#    or 'man 5 users' (after installing the server) for more information.
#
#    This file contains authentication security and configuration
#    information for each user.  Accounting requests are NOT processed
#    through this file.  Instead, see 'acct_users', in this directory.
#
#    The first field is the user's name and can be up to
#    253 characters in length.  This is followed (on the same line) with
#    the list of authentication requirements for that user.  This can
#    include password, comm server name, comm server port number, protocol
#    type (perhaps set by the "hints" file), and huntgroup name (set by
#    the "huntgroups" file).
#
#    If you are not sure why a particular reply is being sent by the
#    server, then run the server in debugging mode (radiusd -X), and
#    you will see which entries in this file are matched.
#
#    When an authentication request is received from the comm server,
#    these values are tested. Only the first match is used unless the
#    "Fall-Through" variable is set to "Yes".
#
#    A special user named "DEFAULT" matches on all usernames.
#    You can have several DEFAULT entries. All entries are processed
#    in the order they appear in this file. The first entry that
#    matches the login-request will stop processing unless you use
#    the Fall-Through variable.
#
#    If you use the database support to turn this file into a .db or .dbm
#    file, the DEFAULT entries _have_ to be at the end of this file and
#    you can't have multiple entries for one username.
#
#    You don't need to specify a password if you set Auth-Type += System
#    on the list of authentication requirements. The RADIUS server
#    will then check the system password file.
#
#    Indented (with the tab character) lines following the first
#    line indicate the configuration values to be passed back to
#    the comm server to allow the initiation of a user session.
#    This can include things like the PPP configuration values
#    or the host to log the user onto.
#
#    You can include another `users' file with `$INCLUDE users.other'
#

#
#    For a list of RADIUS attributes, and links to their definitions,
#    see:
#
#    http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser    Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."

#
bertrand    Cisco-AVPair == "ssid=my_ssid", User-Password == "bertrand"
#
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve    Auth-Type := Local, User-Password == "testing"
#    Service-Type = Framed-User,
#    Framed-Protocol = PPP,
#    Framed-IP-Address = 172.16.3.33,
#    Framed-IP-Netmask = 255.255.255.0,
#    Framed-Routing = Broadcast-Listen,
#    Framed-Filter-Id = "std.ppp",
#    Framed-MTU = 1500,
#    Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"    Auth-Type := Local, User-Password == "hello"
#        Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Auth-Type := Local, User-Password == "ge55ged"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = 0.0.0.0,
#    Callback-Number = "9,5551212",
#    Login-Service = Telnet,
#    Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk    Auth-Type := Local, User-Password == "callme"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = timeshare1,
#    Login-Service = PortMaster,
#    Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups 
file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.65,
#        Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT    Suffix == ".shell", Auth-Type := System
#        Service-Type = Login-User,
#        Login-Service = Telnet,
#        Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT    Auth-Type = System
#    Fall-Through = 1

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.32+,
#        Fall-Through = Yes

#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
#        Framed-IP-Address = 192.168.2.32+,
#        Fall-Through = Yes

#
# Defaults for all framed connections.
#
DEFAULT    Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576,
    Service-Type = Framed-User,
    Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#    by the terminal server in which case there may not be a "P" suffix.
#    The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT    Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT    Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT    Hint == "SLIP"
    Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#    Service-Type = Login-User,
#    Login-Service = Rlogin,
#    Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#     Service-Type = Shell-User

# On no match, the user is denied access.





RADIUSD -X -A output :

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=154, 
length=163
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x0b090b70bacab63905542845782812a8
    EAP-Message = 0x0201000d016265727472616e64
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 154 to 192.168.222.222 port 1645
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x8fb2ccdd5019e93270087b063141d5af
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=155, 
length=300
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x8b467e90025d77ede55517d0ed0e50b6
    EAP-Message = 
0x0202008419800000007a16030100750100007103014440160a612d39fa4cbbe8ec3611d1da9c498de5d09339a622fdfbbca621602020dc8944fcbe653b706ff985c9dd9ac826713b52674f28b6264f2b7a5e4c06cb84002a00160013006600150012000a0005000400070009006300650060006200610064001400110003000600080100
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0x8fb2ccdd5019e93270087b063141d5af
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 132
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0075], ClientHello 
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello 
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate 
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 155 to 192.168.222.222 port 1645
    EAP-Message = 
0x0103040a19c0000006f1160301004a02000046030144401acb6d68522c343ed086dd83751d0d2600bdaffa8b6bd636a44efb6920d4203d9da8f2840a310f8c92a76acbe37da446f065138811c053a1a84fef6a7f0bca000a0016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
    EAP-Message = 
0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
    EAP-Message = 
0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
    EAP-Message = 
0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
    EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xef29deb270b950d5552be85bcab32536
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=156, 
length=174
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x260f383301f169e0f7313dd628a2a6e0
    EAP-Message = 0x020300061900
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0xef29deb270b950d5552be85bcab32536
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 156 to 192.168.222.222 port 1645
    EAP-Message = 
0x010402f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
    EAP-Message = 
0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
    EAP-Message = 
0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x0df5ff83ca504a8ae7c20ee6fdbe8ea5
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=157, 
length=368
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x687586994b5ebd22890f7b386605b532
    EAP-Message = 
0x020400c81980000000be16030100861000008200808a9f70d80c3ab440f093ad0754a0823a27078857863d4d437c8ba28e3f61ebc911d736e3596d2bbb65470a687ea1373b068e9a99a6a602675041a3977a70ec90954f28d58cf3a233610cdcad697ff1415da493b9df1a188364f22cf370de143f601d5ee8ce25b2159eec3f013267762e8ae16ebdf98acfaf105e161e68e718c314030100010116030100280f6f0559b83a5bf619df0162bc0beeee876205d600cb851ffd73ca97fa5698186c506101b5408411
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0x0df5ff83ca504a8ae7c20ee6fdbe8ea5
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 200
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange 
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] 
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 157 to 192.168.222.222 port 1645
    EAP-Message = 
0x010500391900140301000101160301002895ce7488f360c33f451d0962d5dc404bba4f3e886d595424ac071c368639a0458128d6dd198ae589
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcefece71adb88fc59bcaad77ba735ec7
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=158, 
length=174
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0xe3db7d8708f16d6f98414fedd1915f28
    EAP-Message = 0x020500061900
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0xcefece71adb88fc59bcaad77ba735ec7
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 158 to 192.168.222.222 port 1645
    EAP-Message = 
0x01060048190017030100181298ba7dd04993f0b4d1778f551c73b073f63e9b531f254517030100209df39ca2a634d6478400b2cf8946a2d19f523def319c8567cf8bc8e3bd4f1fc6
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29d084efcab10345ee911ca34ba8baea
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=159, 
length=211
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0xb182a9b0d1346d99f6cdd007f08d43fe
    EAP-Message = 
0x0206002b19001703010020617fc894ffc34f596aaaab02ec30432bbc709d7b7badcb285346c9970fc962eb
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0x29d084efcab10345ee911ca34ba8baea
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - bertrand
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of bertrand
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to bertrand
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "files" returns notfound for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 159 to 192.168.222.222 port 1645
    EAP-Message = 
0x01070060190017030100186894fc30f6e8884eae5fe43e6b5776353b58d3d74331e8631703010038736f00a2ed8f4edf519faae20e50ddbc3aaa996e520fb98fc6904bc17b8a68e4e117bc2df88a0d0ff50ad44ef78765138992df1f0d226e78
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x327825ca437bd0fb0effd08674021070
Finished request 5
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=160, 
length=267
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x67593211cc274df521e71a10df7f5ca7
    EAP-Message = 
0x02070063190017030100589fea530a8decd64a90af48d31036753899bf8a50571c043ff4e3261ca03d2e5064c67c27e903a2f18391851c26ce16cd6940437b37b4b9c11f85b9631f4f789ac90bc1eec2f84629bca2c1788ce8385560b4f9544375c2c9
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0x327825ca437bd0fb0effd08674021070
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 99
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to bertrand
  PEAP: Adding old state with d9 58
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "files" returns notfound for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for bertrand with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 160 to 192.168.222.222 port 1645
    EAP-Message = 
0x0108004819001703010018652f7ca2806d39988e64e654b6448f5a778569412b6f0b1e17030100208ec52b253352d560e2ab5308d17a376b9dec88bf1068b45fb7672b30209989b1
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcd152c01c16cb13f6dbddf3e0c455cad
Finished request 6
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.222.222:1645, id=161, 
length=211
    User-Name = "bertrand"
    Framed-MTU = 1400
    Called-Station-Id = "0014.1bb6.60b0"
    Calling-Station-Id = "0014.bf8f.b6df"
    Cisco-AVPair = "ssid=my_ssid"
    Service-Type = Login-User
    Message-Authenticator = 0x75d268ac97a6edc05f3c470f5f249397
    EAP-Message = 
0x0208002b190017030100200ec5d0ef41841b05a7efc35bbe315dfff7b1ad2e767901dcc17c6524a7a839b7
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "806"
    NAS-Port = 806
    State = 0xcd152c01c16cb13f6dbddf3e0c455cad
    NAS-IP-Address = 192.168.222.222
    NAS-Identifier = "TEST2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "bertrand", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 8 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched entry bertrand at line 66
  modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected 
earlier in this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7







> I don't think you should be setting the Auth-Type.  Just let
> FreeRADIUS work that out.  What are you doing with your Cisco AP?  Are
> you doing PEAP/MS-CHAPv2?  If so, then you must have a User-Password
> == "foo" in your user database and you *must not* set Auth-Type :=
> EAP.
>
> You should do as Sergio says and use == in your Cisco-AVPair check
> item.  This is a comparison.
>
> Rgds,




More information about the Freeradius-Users mailing list