No Auth Type problem again

Ivan Kalik tnt at kalik.net
Fri Jun 20 16:02:46 CEST 2008


What version is this? It looks like you are missing the inner-tunnel
virtual server config file. You should copy it from the download
dictionary to raddb/sites-enabled/.

Ivan Kalik
Kalik Informatika ISP


On 20/6/2008, "Jelle Langbroek" <jml at orkz.net> wrote:

>Hi,
>I know it's plain English but I still can't figure out where the warning is
>coming from and what I have to change. It finds the password, but still
>gives the auth(failure):
>
> auth: No authenticate method (Auth-Type) configuration found for the
>request: Rejecting the user
> auth: Failed to validate the user.
>
>I'm using the default config-files with PEAP auth. Can somebody give me a
>hint in the right direction? Where/what config file should I look in and
>what to edit? THANKS!
>
>Here are my logs...
>
>Listening on authentication address 172.16.27.103 port 1812
>Ready to process requests.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=141
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x02000013016a656c6c656c616e6762726f656b
>        Message-Authenticator = 0x933439cddca44559a4ee3c2b327aaac5
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 0 length 19
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>        expand: %{User-Name} -> userX
>rlm_sql (sql): sql_set_user escaped user --> 'userX'
>rlm_sql (sql): Reserving sql socket id: 4
>        expand: SELECT ownerid as id, username, 'Cleartext-Password' as
>attribute, passwd as value, ':=' as op           FROM nodes           WHERE
>username = '%{SQL-User-Name}'           ORDER BY id -> SELECT ownerid as id,
>username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
>op           FROM nodes           WHERE username = 'userX'           ORDER
>BY id
>rlm_sql (sql): User found in radcheck table
>        expand: SELECT ownerid as id, username, 'Cleartext-Password' as
>attribute, passwd as value, ':=' as op           FROM nodes           WHERE
>username = '%{SQL-User-Name}'           ORDER BY id -> SELECT ownerid as id,
>username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
>op           FROM nodes           WHERE username = 'userX'           ORDER
>BY id
>        expand: SELECT 'dynamic' as groupname           FROM
>customers           WHERE name = '%{SQL-User-Name}'           ORDER BY id ->
>SELECT 'dynamic' as groupname           FROM customers           WHERE name
>= 'userX'           ORDER BY id
>rlm_sql (sql): Released sql socket id: 4
>++[sql] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: Found existing Auth-Type, not changing it.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message = 0x010100061920
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d299bab34161e655ea3ece36f0c
>Finished request 0.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=233
>Cleaning up request 0 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d299bab34161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
>0x0201005d190016030100520100004e0301485baf3e8e15e57593e3e1819134ab3ad55c2a65dbdd6278dadce70ffee5409a00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
>        Message-Authenticator = 0xda28b5bb86c975ef4fd3c5bf45e4bba5
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 1 length 93
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7
>  rlm_eap_tls: Done initial handshake
>    (other): before/accept initialization
>    TLS_accept: before/accept initialization
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello
>    TLS_accept: SSLv3 read client hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>    TLS_accept: SSLv3 write server hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
>    TLS_accept: SSLv3 write certificate A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
>    TLS_accept: SSLv3 write key exchange A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>    TLS_accept: SSLv3 write server done A
>    TLS_accept: SSLv3 flush data
>    TLS_accept: Need to read more data: SSLv3 read client certificate A
>In SSL Handshake Phase
>In SSL Accept mode
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383134323133315a170d3039303631383134323133315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e51de7b82469cbac2af9f14199eb4c8ebc3f2c3102c669d669d474b3c8a9
>        EAP-Message = 0xd8bf0854f4d5920b817066b8
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d299aa834161e655ea3ece36f0c
>Finished request 1.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=146
>Cleaning up request 1 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d299aa834161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020200061900
>        Message-Authenticator = 0x6ae87b9fa610cc290341c3c8721eab9c
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 2 length 6
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake fragment handler
>  eaptls_verify returned 1
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x6c05b684d836361612e031a7c863de56c0c2eecea221506078f4f991d6f7f1b40882d1981e6be282cc6ca1e5555309375397dfc7b6a379cf23f9780841d540d83ac4a89847ec588c84073f1d8e4be9c2fc955cc79d12fc8e4e51a0bc388854a5fd8d19f7bf36495cdeade9dc373fdde84b6b4e452109c95785f65e663bdce3543241b34c49b8d41b1fe44362998a782bc18398a00b8261b303f9a6b025cb8165e6a107967a5f823a135c83611b99f5c0c30203010001a381fb3081f8301d0603551d0e0416041442ba48fa03771a044de938b92a0ac80bd48b46c83081c80603551d230481c03081bd801442ba48fa03771a044de938b92a0ac80bd48b
>        EAP-Message = 0x22dbf87ea84011c3
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d2999a934161e655ea3ece36f0c
>Finished request 2.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=146
>Cleaning up request 2 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d2999a934161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020300061900
>        Message-Authenticator = 0x55eb06fdd249f58d4b098d211ef699db
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 3 length 6
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake fragment handler
>  eaptls_verify returned 1
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x71a008d47f3651cca5a115167ccf4c3990bbaf3507e2b958546eb5e323c7fe857e8394a68251ad5404da26810c662052e242961cb37eafcab475f322a740a0abd48178f31bed95df9004fb37f667282bdbaa9db8402640ffad48ecb15a49ea5db0ace40026026cd5ab50949ade5c903144779999672f88dd7885fcf946ed5c01779571173271d8503a0c3e43791e06a2c4400ff0553c76e15bf7624cf432dd2d44643827b4d29a8763738b073e09b1bbb3c6f2d411391976badabf00cd6ccbb57627e315142009a49e948f5911cf3873557dc60adfebd10a8892d1ac71109fb9cf9a3e6416030100040e000000
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d2998ae34161e655ea3ece36f0c
>Finished request 3.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=344
>Cleaning up request 3 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d2998ae34161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
>0x020400cc190016030100861000008200804316d20c6a7c178058561a988cd4c857a1818bca9d6381d259ad888eb8590fb37aa41737e0465ed1c8645c4b84abd506a7d30c4bb7a7a10f909b9feb1f8a51b8430d748d87f03c7df6a01a3bb99c178da207b3a19c540469709f2845ba90768f8ec804175b2e9afaa80dccc2107919f7580b1953431922cdeda4f877c91e174f14030100010116030100300f7ef3899514ebb34daa12ac552eb8f9eb8841016f046ea3a63e53aadfb3e3397a93e73456cc41e1135861707733b220
>        Message-Authenticator = 0xdea135864ef03eb8674379a35331fd5f
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 4 length 204
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7
>  rlm_eap_tls: Done initial handshake
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
>    TLS_accept: SSLv3 read client key exchange A
>  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
>    TLS_accept: SSLv3 read finished A
>  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
>    TLS_accept: SSLv3 write change cipher spec A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
>    TLS_accept: SSLv3 write finished A
>    TLS_accept: SSLv3 flush data
>    (other): SSL negotiation finished successfully
>SSL Connection Established
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x0105004119001403010001011603010030e6a2e4f9f396f695728dfc74be50459b34dea2ec026e3b041e64ad32a19bfc01ce00a4f39422c30e86d83059c040853f
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d299faf34161e655ea3ece36f0c
>Finished request 4.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=146
>Cleaning up request 4 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d299faf34161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020500061900
>        Message-Authenticator = 0xaa2e2ed89ffe2379528536376d6b3678
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 5 length 6
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake is finished
>  eaptls_verify returned 3
>  eaptls_process returned 3
>  rlm_eap_peap: EAPTLS_SUCCESS
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x0106002b190017030100203d19543fef6a354b15802fa24ac6be930472a2bb2963b2cd40acb8569178208b
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d299eac34161e655ea3ece36f0c
>Finished request 5.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=236
>Cleaning up request 5 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d299eac34161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
>0x020600601900170301002006f9c4c30ed6970d17049ecab64a52b6bd0147e5e8aa1632efba5d9bc17ad65517030100307342716fd8fa732607a62a93a4ea9d0be8cd1c9717af27bb67b840bc0a308060563c313805c8b9810e19ba7a0485738a
>        Message-Authenticator = 0x8aa405f4d2a413e1dfdf4f6019925a83
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 6 length 96
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: Identity - userX
>  PEAP: Got tunneled identity of userX
>  PEAP: Setting default EAP type for tunneled EAP session.
>  PEAP: Setting User-Name to userX
>auth: No authenticate method (Auth-Type) configuration found for the
>request: Rejecting the user
>auth: Failed to validate the user.
>  PEAP: Tunneled authentication was rejected.
>  rlm_eap_peap: FAILURE
>++[eap] returns handled
>Sending Access-Challenge of id 0 to 172.16.27.37 port 3072
>        EAP-Message =
>0x0107003b1900170301003083a87eb6970e9d00f7463517385ede5e1301a3788b857b995947b8b8ab618a56ac5422ade8ea7d08e6be181deb19075e
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x9baa2d299dad34161e655ea3ece36f0c
>Finished request 6.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>length=236
>Cleaning up request 6 ID 0 with timestamp +41
>        User-Name = "userX"
>        NAS-IP-Address = 172.16.27.37
>        Called-Station-Id = "001c1066a106"
>        Calling-Station-Id = "001cdf77bb4d"
>        NAS-Identifier = "001c1066a106"
>        NAS-Port = 1
>        Framed-MTU = 1400
>        State = 0x9baa2d299dad34161e655ea3ece36f0c
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
>0x0207006019001703010020e1e6a5669a6e1f2fad8b18557490b2a36580caac37130035ec533f519aa058651703010030ea09edd1a98107005cbbefece6de1029da93fab2b2f14456b2a2728ff91532a35d075fb23197f925da6206a6e1ee5db1
>        Message-Authenticator = 0xd2a2e7d67cd0ea7f1d069d4ebf3731cc
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/
>172.16.27.37/auth-detail-20080620
>        expand: %t -> Fri Jun 20 15:25:59 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: EAP packet type response id 7 length 96
>  rlm_eap: Continuing tunnel setup.
>++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: Received EAP-TLV response.
>  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this
>session.
> rlm_eap: Handler failed in EAP/peap
>  rlm_eap: Failed in EAP select
>++[eap] returns invalid
>auth: Failed to validate the user.
>  Found Post-Auth-Type Reject
>+- entering group REJECT
>        expand: %{User-Name} -> userX
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Sending Access-Reject of id 0 to 172.16.27.37 port 3072
>        EAP-Message = 0x04070004
>        Message-Authenticator = 0x00000000000000000000000000000000
>Finished request 7.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 7 ID 0 with timestamp +41
>Ready to process requests.
>
>
>
>
>
>2008/6/20 Alan DeKok <aland at deployingradius.com>:
>
>> Andy An wrote:
>> > Hi Ivan:
>> > The password is in the ldap server as one of the attributes bound to the
>> > user (userPassword: {CRYPT}something).
>> ...
>> > rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter
>> > (uid=andyan)
>> ...
>> > WARNING: No "known good" password was found in LDAP.  Are you sure that
>> > the user is configured correctly?
>>
>>   The debug output disagrees with you.
>>
>>  There is no known good password available.
>>
>>  Again, it helps to READ the debug output yourself.  The warning
>> messages are clear, and are written in simple English.
>>
>>  Alan DeKok.
>
>
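
Added example (not part of the original thread, and not FreeRADIUS code): a small triage script for `radiusd -X` output like the log quoted above. It reports whether the "No authenticate method (Auth-Type)" rejection happened before or inside the PEAP tunnel, which is what points at the inner-tunnel virtual server in this case. The function names and both sample logs are constructed for illustration; the marker strings are copied from the log in this thread.

```python
import re

# Marker strings copied from the radiusd -X output quoted in this thread.
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"
TUNNEL_MARKERS = ("Decoding tunneled attributes", "Got tunneled identity")
FOUND_AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")


def strip_quote(line):
    """Drop e-mail quoting ('>', '>>') so a pasted log parses like a raw one."""
    return re.sub(r"^(?:>\s?)+", "", line).rstrip()


def split_requests(text):
    """One list of lines per 'rad_recv:' packet; start-up output is skipped."""
    chunks = []
    for raw in text.splitlines():
        line = strip_quote(raw)
        if line.startswith("rad_recv:"):
            chunks.append([])
        if chunks:
            chunks[-1].append(line)
    return chunks


def triage(text):
    """Findings for every request rejected because no Auth-Type was set."""
    findings = []
    for number, lines in enumerate(split_requests(text)):
        outer_type, in_tunnel = None, False
        for line in lines:
            match = FOUND_AUTH_TYPE.search(line)
            if match and not in_tunnel:
                outer_type = match.group(1)
            if any(marker in line for marker in TUNNEL_MARKERS):
                in_tunnel = True
            if NO_AUTH_TYPE in line:
                findings.append({"request": number,
                                 "outer_auth_type": outer_type,
                                 "phase": "inner" if in_tunnel else "outer"})
                break
    return findings


def hint(finding):
    # Where to look, following the advice given in this thread.
    if finding["phase"] == "inner":
        return ("outer EAP was fine; the request inside the PEAP tunnel got no "
                "Auth-Type: check the inner-tunnel virtual server")
    return "no Auth-Type before any tunnel: check the outer authorize section"


# Constructed excerpt of the quoted log (request 0 and the failing request).
SAMPLE_INNER = """\
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>  rad_check_password:  Found Auth-Type EAP
>rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0,
>  rad_check_password:  Found Auth-Type EAP
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>auth: No authenticate method (Auth-Type) configuration found for the
>request: Rejecting the user
"""

# Constructed contrast case: the same rejection with no tunnel involved.
SAMPLE_OUTER = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1024, id=1,
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INNER, SAMPLE_OUTER):
        for finding in triage(sample):
            print(finding, "->", hint(finding))
```

The request numbers count `rad_recv:` packets from zero, so they line up with the "Finished request N" lines in the debug output.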




More information about the Freeradius-Users mailing list