Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

Attou eric gouroueric at yahoo.fr
Thu Dec 11 15:16:52 CET 2008


Hi Everybody. 


We are having some issues in setting up freeradius to support EAP-TLS, EAP-TTLS and EAP-PEAP.
Our goal is to have our authentication server providing those three Auth-Type simultaneously.
To support EAP-TLS, we generate our CA and certificates via TinyCA.

Here are our configurations files :

######radiusd.conf##########
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
 max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp    = no
$INCLUDE snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/


#######sites-enabled/behanzin.uac.bj###############
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        unix
        expiration
        logintime
        pap
        passwd
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}


We also add radius' log after an authentication attempt from  windows XP OS

using windows built in supplicant by supplying a username and password stored in 

our /etc/passwd file. But the authentication failed with this error message :
 
rlm_eap: identity does not match User-Name, setting from EAP identity
 
########Radius logs ################
...............Thu Dec 11 14:59:10 2008 : Debug: main {
Thu Dec 11 14:59:10 2008 : Debug:       prefix = "/usr/local"
Thu Dec 11 14:59:10 2008 : Debug:       localstatedir = "/usr/local/var"
Thu Dec 11 14:59:10 2008 : Debug:       logdir = "/usr/local/var/log/radius"
Thu Dec 11 14:59:10 2008 : Debug:       libdir = "/usr/local/lib"
Thu Dec 11 14:59:10 2008 : Debug:       radacctdir = "/usr/local/var/log/radius/radacct"
Thu Dec 11 14:59:10 2008 : Debug:       hostname_lookups = no
Thu Dec 11 14:59:10 2008 : Debug:       max_request_time = 30
Thu Dec 11 14:59:10 2008 : Debug:       cleanup_delay = 5
Thu Dec 11 14:59:10 2008 : Debug:       max_requests = 1024
Thu Dec 11 14:59:10 2008 : Debug:       allow_core_dumps = no
Thu Dec 11 14:59:10 2008 : Debug:       pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
Thu Dec 11 14:59:10 2008 : Debug:       checkrad = "/usr/local/sbin/checkrad"
Thu Dec 11 14:59:10 2008 : Debug:       debug_level = 0
Thu Dec 11 14:59:10 2008 : Debug:       proxy_requests = yes
Thu Dec 11 14:59:10 2008 : Debug:  log {
Thu Dec 11 14:59:10 2008 : Debug:       stripped_names = no
Thu Dec 11 14:59:10 2008 : Debug:       auth = no
Thu Dec 11 14:59:10 2008 : Debug:       auth_badpass = no
Thu Dec 11 14:59:10 2008 : Debug:       auth_goodpass = no
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug: }
Thu Dec 11 14:59:10 2008 : Debug:  client localhost {
Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
Thu Dec 11 14:59:10 2008 : Debug:       require_message_authenticator = no
Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
Thu Dec 11 14:59:10 2008 : Debug:       nastype = "other"
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  client 172.21.0.9 {
Thu Dec 11 14:59:10 2008 : Debug:       require_message_authenticator = no
Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
Thu Dec 11 14:59:10 2008 : Debug:       shortname = "Behanzin"
Thu Dec 11 14:59:10 2008 : Debug:       nastype = "other"
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  client 172.21.1.251 {
Thu Dec 11 14:59:10 2008 : Debug:       require_message_authenticator = no
Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
Thu Dec 11 14:59:10 2008 : Debug:       shortname = "TestingAP"
Thu Dec 11 14:59:10 2008 : Debug:       nastype = "other"
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Loading Realms and Home Servers ####
Thu Dec 11 14:59:10 2008 : Debug:  proxy server {
Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  home_server localhost {
Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
Thu Dec 11 14:59:10 2008 : Debug:       status_check = "status-server"
Thu Dec 11 14:59:10 2008 : Debug:       ping_check = "none"
Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  home_server_pool my_auth_failover {
Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  realm uac.bj {
Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug:  realm LOCAL {
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Instantiating modules ####
Thu Dec 11 14:59:10 2008 : Debug:  instantiate {
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_exec, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_exec
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating exec
Thu Dec 11 14:59:10 2008 : Debug:   exec {
Thu Dec 11 14:59:10 2008 : Debug:       wait = no
Thu Dec 11 14:59:10 2008 : Debug:       input_pairs = "request"
Thu Dec 11 14:59:10 2008 : Debug:       shell_escape = yes
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_expr, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_expr
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating expr
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_expiration, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_expiration
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating expiration
Thu Dec 11 14:59:10 2008 : Debug:   expiration {
Thu Dec 11 14:59:10 2008 : Debug:       reply-message = "Password Has Expired  "
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_logintime, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_logintime
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating logintime
Thu Dec 11 14:59:10 2008 : Debug:   logintime {
Thu Dec 11 14:59:10 2008 : Debug:       reply-message = "You are calling outside your allowed timespan  "
Thu Dec 11 14:59:10 2008 : Debug:       minimum-timeout = 60
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Loading Virtual Servers ####
Thu Dec 11 14:59:10 2008 : Debug: server {
Thu Dec 11 14:59:10 2008 : Debug:  modules {
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking authenticate {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_pap, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_pap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating pap
Thu Dec 11 14:59:10 2008 : Debug:   pap {
Thu Dec 11 14:59:10 2008 : Debug:       encryption_scheme = "auto"
Thu Dec 11 14:59:10 2008 : Debug:       auto_header = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_chap, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_chap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating chap
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_mschap, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_mschap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating mschap
Thu Dec 11 14:59:10 2008 : Debug:   mschap {
Thu Dec 11 14:59:10 2008 : Debug:       use_mppe = yes
Thu Dec 11 14:59:10 2008 : Debug:       require_encryption = no
Thu Dec 11 14:59:10 2008 : Debug:       require_strong = no
Thu Dec 11 14:59:10 2008 : Debug:       with_ntdomain_hack = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_digest, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_digest
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating digest
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_unix, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_unix
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating unix
Thu Dec 11 14:59:10 2008 : Debug:   unix {
Thu Dec 11 14:59:10 2008 : Debug:       radwtmp = "/usr/local/var/log/radius/radwtmp"
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_eap, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_eap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap
Thu Dec 11 14:59:10 2008 : Debug:   eap {
Thu Dec 11 14:59:10 2008 : Debug:       default_eap_type = "md5"
Thu Dec 11 14:59:10 2008 : Debug:       timer_expire = 60
Thu Dec 11 14:59:10 2008 : Debug:       ignore_unknown_eap_types = yes
Thu Dec 11 14:59:10 2008 : Debug:       cisco_accounting_username_bug = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_md5
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-md5
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_leap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-leap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_gtc
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-gtc
Thu Dec 11 14:59:10 2008 : Debug:    gtc {
Thu Dec 11 14:59:10 2008 : Debug:       challenge = "Password: "
Thu Dec 11 14:59:10 2008 : Debug:       auth_type = "PAP"
Thu Dec 11 14:59:10 2008 : Debug:    }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_tls
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-tls
Thu Dec 11 14:59:10 2008 : Debug:    tls {
Thu Dec 11 14:59:10 2008 : Debug:       rsa_key_exchange = no
Thu Dec 11 14:59:10 2008 : Debug:       dh_key_exchange = yes
Thu Dec 11 14:59:10 2008 : Debug:       rsa_key_length = 512
Thu Dec 11 14:59:10 2008 : Debug:       dh_key_length = 512
Thu Dec 11 14:59:10 2008 : Debug:       verify_depth = 0
Thu Dec 11 14:59:10 2008 : Debug:       pem_file_type = yes
Thu Dec 11 14:59:10 2008 : Debug:       private_key_file = "/usr/local/etc/raddb/certs/behanzin at uac.bj-cert.pem"
Thu Dec 11 14:59:10 2008 : Debug:       certificate_file = "/usr/local/etc/raddb/certs/behanzin at uac.bj-cert.pem"
Thu Dec 11 14:59:10 2008 : Debug:       CA_file = "/usr/local/etc/raddb/certs/UAC_CA-cacert.pem"
Thu Dec 11 14:59:10 2008 : Debug:       private_key_password = "UacCertificate07"
Thu Dec 11 14:59:10 2008 : Debug:       dh_file = "/usr/local/etc/raddb/certs/dh"
Thu Dec 11 14:59:10 2008 : Debug:       random_file = "/usr/local/etc/raddb/certs/random"
Thu Dec 11 14:59:10 2008 : Debug:       fragment_size = 1024
Thu Dec 11 14:59:10 2008 : Debug:       include_length = yes
Thu Dec 11 14:59:10 2008 : Debug:       check_crl = no
Thu Dec 11 14:59:10 2008 : Debug:       cipher_list = "DEFAULT"
Thu Dec 11 14:59:10 2008 : Debug:    }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_ttls
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-ttls
Thu Dec 11 14:59:10 2008 : Debug:    ttls {
Thu Dec 11 14:59:10 2008 : Debug:       default_eap_type = "md5"
Thu Dec 11 14:59:10 2008 : Debug:       copy_request_to_tunnel = no
Thu Dec 11 14:59:10 2008 : Debug:       use_tunneled_reply = no
Thu Dec 11 14:59:10 2008 : Debug:       virtual_server = "inner-tunnel"
Thu Dec 11 14:59:10 2008 : Debug:    }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_peap
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-peap
Thu Dec 11 14:59:10 2008 : Debug:    peap {
Thu Dec 11 14:59:10 2008 : Debug:       default_eap_type = "mschapv2"
Thu Dec 11 14:59:10 2008 : Debug:       copy_request_to_tunnel = no
Thu Dec 11 14:59:10 2008 : Debug:       use_tunneled_reply = no
Thu Dec 11 14:59:10 2008 : Debug:       proxy_tunneled_request_as_eap = yes
Thu Dec 11 14:59:10 2008 : Debug:       virtual_server = "inner-tunnel"
Thu Dec 11 14:59:10 2008 : Debug:    }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to sub-module rlm_eap_mschapv2
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating eap-mschapv2
Thu DThu Dec 11 14:59:10 2008 : Debug:       with_ntdomain_hack = no
Thu Dec 11 14:59:10 2008 : Debug:    }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking authorize {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_preprocess, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_preprocess
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating preprocess
Thu Dec 11 14:59:10 2008 : Debug:   preprocess {
Thu Dec 11 14:59:10 2008 : Debug:       huntgroups = "/usr/local/etc/raddb/huntgroups"
Thu Dec 11 14:59:10 2008 : Debug:       hints = "/usr/local/etc/raddb/hints"
Thu Dec 11 14:59:10 2008 : Debug:       with_ascend_hack = no
Thu Dec 11 14:59:10 2008 : Debug:       ascend_channels_per_line = 23
Thu Dec 11 14:59:10 2008 : Debug:       with_ntdomain_hack = no
Thu Dec 11 14:59:10 2008 : Debug:       with_specialix_jetstream_hack = no
Thu Dec 11 14:59:10 2008 : Debug:       with_cisco_vsa_hack = no
Thu Dec 11 14:59:10 2008 : Debug:       with_alvarion_vsa_hack = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_realm, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_realm
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating suffix
Thu Dec 11 14:59:10 2008 : Debug:   realm suffix {
Thu Dec 11 14:59:10 2008 : Debug:       format = "suffix"
Thu Dec 11 14:59:10 2008 : Debug:       delimiter = "@"
Thu Dec 11 14:59:10 2008 : Debug:       ignore_default = no
Thu Dec 11 14:59:10 2008 : Debug:       ignore_null = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_passwd, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_passwd
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating passwd
Thu Dec 11 14:59:10 2008 : Debug:   passwd passwd {
Thu Dec 11 14:59:10 2008 : Debug:       filename = "/etc/shadow"
Thu Dec 11 14:59:10 2008 : Debug:       format = "*=User-Name:MD5-Password"
Thu Dec 11 14:59:10 2008 : Debug:       delimiter = ":"
Thu Dec 11 14:59:10 2008 : Debug:       ignorenislike = yes
Thu Dec 11 14:59:10 2008 : Debug:       ignoreempty = yes
Thu Dec 11 14:59:10 2008 : Debug:       allowmultiplekeys = yes
Thu Dec 11 14:59:10 2008 : Debug:       hashsize = 50
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug: rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking preacct {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_acct_unique, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_acct_unique
Thu Dec 11 14:59:10 2008 : Debug:    mschapv2 {
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating acct_unique
Thu Dec 11 14:59:10 2008 : Debug:   acct_unique {
Thu Dec 11 14:59:10 2008 : Debug:       key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_files, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_files
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating files
Thu Dec 11 14:59:10 2008 : Debug:   files {
Thu Dec 11 14:59:10 2008 : Debug:       usersfile = "/usr/local/etc/raddb/users"
Thu Dec 11 14:59:10 2008 : Debug:       acctusersfile = "/usr/local/etc/raddb/acct_users"
Thu Dec 11 14:59:10 2008 : Debug:       preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
Thu Dec 11 14:59:10 2008 : Debug:       compat = "no"
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking accounting {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_detail, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_detail
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating detail
Thu Dec 11 14:59:10 2008 : Debug:   detail {
Thu Dec 11 14:59:10 2008 : Debug:       detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Thu Dec 11 14:59:10 2008 : Debug:       header = "%t"
Thu Dec 11 14:59:10 2008 : Debug:       detailperm = 384
Thu Dec 11 14:59:10 2008 : Debug:       dirperm = 493
Thu Dec 11 14:59:10 2008 : Debug:       locking = no
Thu Dec 11 14:59:10 2008 : Debug:       log_packet_header = no
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_radutmp, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_radutmp
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating radutmp
Thu Dec 11 14:59:10 2008 : Debug:   radutmp {
Thu Dec 11 14:59:10 2008 : Debug:       filename = "/usr/local/var/log/radius/radutmp"
Thu Dec 11 14:59:10 2008 : Debug:       username = "%{User-Name}"
Thu Dec 11 14:59:10 2008 : Debug:       case_sensitive = yes
Thu Dec 11 14:59:10 2008 : Debug:       check_with_nas = yes
Thu Dec 11 14:59:10 2008 : Debug:       perm = 384
Thu Dec 11 14:59:10 2008 : Debug:       callerid = yes
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:     (Loaded rlm_attr_filter, checking if it's valid)
Thu Dec 11 14:59:10 2008 : Debug:  Module: Linked to module rlm_attr_filter
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating attr_filter.accounting_response
Thu Dec 11 14:59:10 2008 : Debug:   attr_filter attr_filter.accounting_response {
Thu Dec 11 14:59:10 2008 : Debug:       attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
Thu Dec 11 14:59:10 2008 : Debug:       key = "%{User-Name}"
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking session {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking post-proxy {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:  Module: Checking post-auth {...} for more modules to load
Thu Dec 11 14:59:10 2008 : Debug:  Module: Instantiating attr_filter.access_reject
Thu Dec 11 14:59:10 2008 : Debug:   attr_filter attr_filter.access_reject {
Thu Dec 11 14:59:10 2008 : Debug:       attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
Thu Dec 11 14:59:10 2008 : Debug:       key = "%{User-Name}"
Thu Dec 11 14:59:10 2008 : Debug:   }
Thu Dec 11 14:59:10 2008 : Debug:  }
Thu Dec 11 14:59:10 2008 : Debug: }
Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Opening IP addresses and Ports ####
Thu Dec 11 14:59:10 2008 : Debug: listen {
Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = *
Thu Dec 11 14:59:10 2008 : Debug:       port = 0
Thu Dec 11 14:59:10 2008 : Debug: }
Thu Dec 11 14:59:10 2008 : Debug: listen {
Thu Dec 11 14:59:10 2008 : Debug:       type = "acct"
Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = *
Thu Dec 11 14:59:10 2008 : Debug:       port = 0
Thu Dec 11 14:59:10 2008 : Debug: }
Thu Dec 11 14:59:10 2008 : Debug: Listening on authentication address * port 1812
Thu Dec 11 14:59:10 2008 : Debug: Listening on accounting address * port 1813
Thu Dec 11 14:59:10 2008 : Debug: Listening on proxy address * port 1814
Thu Dec 11 14:59:10 2008 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, length=145
        User-Name = "toto at uac.bj"
        NAS-IP-Address = 172.21.1.251
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "0060b33573b4"
        Calling-Station-Id = "000e35dfc4c9"
        NAS-Identifier = "ap"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        NAS-Port-Id = "40"
        Framed-MTU = 1400
        EAP-Message = 0x0269001001746f746f407561632e626a
        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
Thu Dec 11 15:00:37 2008 : Debug: +- entering group authorize
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[preprocess] returns ok
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[chap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[mschap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling digest (rlm_digest) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from digest (rlm_digest) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[digest] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Looking up realm "uac.bj" for User-Name = "toto at uac.bj"
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Found realm "uac.bj"
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Adding Stripped-User-Name = "toto"
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Adding Realm = "uac.bj"
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Proxying request from user toto to realm uac.bj
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: Preparing to proxy authentication request to realm "uac.bj"
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[suffix] returns updated
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   rlm_eap: Request is supposed to be proxied to Realm uac.bj.  Not doing EAP.
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[eap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling unix (rlm_unix) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from unix (rlm_unix) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[unix] returns updated
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling expiration (rlm_expiration) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[expiration] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling logintime (rlm_logintime) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[logintime] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[pap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling passwd (rlm_passwd) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from passwd (rlm_passwd) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[passwd] returns notfound
Thu Dec 11 15:00:37 2008 : Debug:  proxy: allocating destination 127.0.0.1 port 1812 - Id 200
Sending Access-Request of id 200 to 127.0.0.1 port 1812
        User-Name = "toto"
        NAS-IP-Address = 172.21.1.251
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "0060b33573b4"
        Calling-Station-Id = "000e35dfc4c9"
        NAS-Identifier = "ap"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        NAS-Port-Id = "40"
        Framed-MTU = 1400
        EAP-Message = 0x0269001001746f746f407561632e626a
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323333
Thu Dec 11 15:00:37 2008 : Debug: Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 200 to 127.0.0.1 port 1812
        User-Name = "toto"
        NAS-IP-Address = 172.21.1.251
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "0060b33573b4"
        Calling-Station-Id = "000e35dfc4c9"
        NAS-Identifier = "ap"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        NAS-Port-Id = "40"
        Framed-MTU = 1400
        EAP-Message = 0x0269001001746f746f407561632e626a
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323333
Thu Dec 11 15:00:37 2008 : Debug: Going to the next request
Thu Dec 11 15:00:37 2008 : Debug: Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200, length=143
        User-Name = "toto"
        NAS-IP-Address = 172.21.1.251
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "0060b33573b4"
        Calling-Station-Id = "000e35dfc4c9"
        NAS-Identifier = "ap"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        NAS-Port-Id = "40"
 Framed-MTU = 1400
        EAP-Message = 0x0269001001746f746f407561632e626a
        Message-Authenticator = 0x37c8e239d08fc96baa9a8711c785a234
        Proxy-State = 0x323333
Thu Dec 11 15:00:37 2008 : Debug: +- entering group authorize
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[preprocess] returns ok
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[chap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[mschap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling digest (rlm_digest) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from digest (rlm_digest) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[digest] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 1
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
Thu Dec 11 15:00:37 2008 : Debug:     rlm_realm: No such realm "NULL"
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[suffix] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   rlm_eap: EAP packet type response id 105 length 16
Thu Dec 11 15:00:37 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[eap] returns updated
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling unix (rlm_unix) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from unix (rlm_unix) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[unix] returns updated
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling expiration (rlm_expiration) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from expiration (rlm_expiration) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[expiration] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling logintime (rlm_logintime) for request 1
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from logintime (rlm_logintime) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[logintime] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[pap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: calling passwd (rlm_passwd) for request 1
Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 'HsrtQesmWHodM:14211::::::' to config_items
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authorize]: returned from passwd (rlm_passwd) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[passwd] returns ok
Thu Dec 11 15:00:37 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Dec 11 15:00:37 2008 : Debug: auth: type "EAP"
Thu Dec 11 15:00:37 2008 : Debug: +- entering group authenticate
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 1
Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Thu Dec 11 15:00:37 2008 : Debug:   rlm_eap: Failed in handler
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 1
Thu Dec 11 15:00:37 2008 : Debug: ++[eap] returns invalid
Thu Dec 11 15:00:37 2008 : Debug: auth: Failed to validate the user.
Thu Dec 11 15:00:37 2008 : Debug:   Found Post-Auth-Type Reject
Thu Dec 11 15:00:37 2008 : Debug: +- entering group REJECT
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 1
Thu Dec 11 15:00:37 2008 : Debug:       expand: %{User-Name} -> toto
Thu Dec 11 15:00:37 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for reque
st 1
Thu Dec 11 15:00:37 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 200 to 127.0.0.1 port 1814
        Proxy-State = 0x323333
Thu Dec 11 15:00:37 2008 : Debug: Finished request 1.
Thu Dec 11 15:00:37 2008 : Debug: Going to the next request
Thu Dec 11 15:00:37 2008 : Debug: Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=200, length=25
        Proxy-State = 0x323333
Thu Dec 11 15:00:37 2008 : Debug: +- entering group post-proxy
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-proxy]: calling eap (rlm_eap) for request 0
Thu Dec 11 15:00:37 2008 : Debug:   rlm_eap: No pre-existing handler found
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-proxy]: returned from eap (rlm_eap) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[eap] returns noop
Thu Dec 11 15:00:37 2008 : Debug:   Found Post-Auth-Type Reject
Thu Dec 11 15:00:37 2008 : Debug: +- entering group REJECT
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Thu Dec 11 15:00:37 2008 : Debug:       expand: %{User-Name} -> toto at uac.bj
Thu Dec 11 15:00:37 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Dec 11 15:00:37 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Thu Dec 11 15:00:37 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 233 to 172.21.1.251 port 1035
Thu Dec 11 15:00:37 2008 : Debug: Finished request 0.
Thu Dec 11 15:00:37 2008 : Debug: Going to the next request
Thu Dec 11 15:00:37 2008 : Debug: Waking up in 4.9 seconds.
Thu Dec 11 15:00:42 2008 : Debug: Cleaning up request 1 ID 200 with timestamp +87
Thu Dec 11 15:00:42 2008 : Debug: Cleaning up request 0 ID 233 with timestamp +87
Thu Dec 11 15:00:42 2008 : Debug: Ready to process requests.

Is there something wrong in our configurations?
Is tit normal that there is no User-Password attribute in Access-Request packet?
Thanks very much to help us solve these problems.


      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081211/21c03e72/attachment.html>


More information about the Freeradius-Users mailing list