Perl/Peap-MSChapV2 Issues

Adam W. Sewell awsewell at catawba.edu
Thu Mar 19 16:18:34 CET 2009


In my proxy.conf file, I have

Realm LOCAL {
}

I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == 
PEAP, Proxy-To-Realm := LOCAL to the users file. So I added that to the 
users file. Is realm Local {} not correct? If not, what should it be?

In the sites-enabled/default I had eap { ok = return} before I had the 
statement calling perl, so I moved the eap {} to after the perl 
statement. This is in the authorize function.


I did hardcode the Auth-Type perl because the wiki said to in the users 
file. I've taken that out now.

I know that perl is being initiated because this is in the log file, 

Module: Instantiating perl
  perl {
        module = "/etc/raddb/perl/authorize.pl"
        func_authorize = "authorize"
        func_authenticate = "authenticate"

and I do call perl in the authorize section of the sites-enabled/default 
file.

Thanks for your help.

-Adam

New Log:
------------------------------------------------------------------------
-----

Listening on authentication address 192.168.214.119 port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=224, length=152
        Message-Authenticator = 0xb681fb7cb43023dfa88fdf7c84c72173
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x0201000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping elsif for request 0: Preceding "if" was taken
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 224 to 192.168.240.78 port 2435
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0472bab8876dd9daf2a9b0548
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=225, length=249
        Message-Authenticator = 0xcb9007ad59f00da438e5b5f58606ae9d
        User-Name = "testUser"
        State = 0x4729b2a0472bab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x0202005c190016030100510100004d030149c261cf4866425b9fb5f855a3b6cf3e448f
a79400bdae2cd5c064fe096c57a100002600390038003500160013000a00330032002f00
050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 1: Preceding "if" was taken
++ ... skipping elsif for request 1: Preceding "if" was taken
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 225 to 192.168.240.78 port 2435
        EAP-Message = 
0x010303e419c000000acd160301004a02000046030149c24cdaa169ca3d3a6669aac71f
727b0b3851d2623352c341da5a50031feaa420e98cd4bf8a1a07fccb1773270380546562
1a5292d44e84d92a287a6bace07f47003900160301085e0b00085a0008570003a6308203
a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906
0355040613024652310f300d060355040813065261646975733112301006035504071309
536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e
06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603
5504
        EAP-Message = 
0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17
0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906
0355040613024652310f300d0603550408130652616469757331153013060355040a130c
4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665
722043657274696669636174653120301e06092a864886f70d010901161161646d696e40
6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030
82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c
f4d8
        EAP-Message = 
0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f
41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5
8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4
8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb
54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21
496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c
bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601
0505
        EAP-Message = 
0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab
df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a
7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f
35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10
8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe
9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e
60db88e70bb9f66b22433be9a9d28522870278805bab
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0462aab8876dd9daf2a9b0548
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=226, length=163
        Message-Authenticator = 0x388d469a46b320847d396bb997b5e248
        User-Name = "testUser"
        State = 0x4729b2a0462aab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020300061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 2: Preceding "if" was taken
++ ... skipping elsif for request 2: Preceding "if" was taken
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.240.78 port 2435
        EAP-Message = 
0x010403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15
1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd
4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231
0f300d060355040813065261646975733112301006035504071309536f6d657768657265
31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01
0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d
706c6520436572746966696361746520417574686f72697479301e170d30393032323631
3831
        EAP-Message = 
0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652
310f300d060355040813065261646975733112301006035504071309536f6d6577686572
6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d
010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861
6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86
4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4
3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c
696e
        EAP-Message = 
0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20
c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010
449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193
0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4
60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695
aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081
f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806
0355
        EAP-Message = 
0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481
96308193310b3009060355040613024652310f300d060355040813065261646975733112
301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65
20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e
636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609
2a864886f70d01010505000382010100183c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0452dab8876dd9daf2a9b0548
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=227, length=163
        Message-Authenticator = 0xf324d706ef4ecc346f70e82c2665e56f
        User-Name = "testUser"
        State = 0x4729b2a0452dab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020400061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 3: Preceding "if" was taken
++ ... skipping elsif for request 3: Preceding "if" was taken
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 227 to 192.168.240.78 port 2435
        EAP-Message = 
0x0105031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee
a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1
d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7
0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c
883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d
a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a
34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3
4a57
        EAP-Message = 
0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25
cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156
a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778
a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224
28445300010200803b2009f31e812a26375be2145065e7a66a8b81664c93c8b937914b9a
9ead3f992f900bdb40a4e0b643fb0f7e53535e350b0f4af48639f2f7806ec4b1b2dde599
7ec1961a8567b68535c53fe87b23845a5ad9241c3a6be5848a31b4765a16593668256cef
3773
        EAP-Message = 
0xeab2fa285daf7aa8f62fd36398bb147a69ec61898e1776b72b0e010031da9feecc99d0
06689b78288db21b0453a9e825b52fccfcf0b2d8d78dc07b20038c02853e7746112fe005
8bf8ce45b2da12fd6e05686fe952350a2959b22e53aa20b41f4a7eb573573fb8ec561d4b
01ebb53618818f55c2a0711652a0c5fb933fd2dfb48096b38c85d4e40a2e4f07d58177a8
4c98892bf917f0a7c7f7935b9f8a9c37b194e399876ec1c4b6f54f2fe1a1a1a92d198e2d
c48568df40ae1dd385462357fadcd86f49f0aab31d60f04bf9a82b71ca45b2131f677fe3
11302116732ea45e9bd7807b8be3a8c422ddd9ccfdfcdb90f135d631cb75495351a2835c
2a7e
        EAP-Message = 
0x558fc4bf96b7f7fa3dad44ecb9bb64915dcb7474d65f2b1155b18a514f1ec116030100
040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0442cab8876dd9daf2a9b0548
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=228, length=361
        Message-Authenticator = 0xc2ec7e0e35f2af546055bc8ab6ce72ae
        User-Name = "testUser"
        State = 0x4729b2a0442cab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x020500cc19001603010086100000820080327bccc59960afdfbffbc3ea54dd761b956d
4a0627e14d53d9f0a99168dbc274980e992c11080644e2df2f6123825453b93340725c53
43ec0958b8a7039423db548d654463b6f1c5a696045b30e04e9d434e15e9629e7f73f26f
8d6986fe7deff09ae0f96ca52a5ccbd041b6614bd4cfe41090588f96eff7656607c843e6
7d6e14030100010116030100305cd27961643013446263982fe4f250da27cdd22ce007cb
bca8e85bdf3c713b35e9dfc2e3511c6f9589011d5b46ddb091
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 4: Preceding "if" was taken
++ ... skipping elsif for request 4: Preceding "if" was taken
  rlm_eap: EAP packet type response id 5 length 204
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 228 to 192.168.240.78 port 2435
        EAP-Message = 
0x0106004119001403010001011603010030288f5a1a33632738112553c48f095f48a5c6
b62dd29ad292103b06aed5e7066326c5c6045394b899a96107790f687390
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0432fab8876dd9daf2a9b0548
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=229, length=163
        Message-Authenticator = 0xf7881d1e61842e0ad6147bcf63dd46bc
        User-Name = "testUser"
        State = 0x4729b2a0432fab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020600061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 5: Preceding "if" was taken
++ ... skipping elsif for request 5: Preceding "if" was taken
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 229 to 192.168.240.78 port 2435
        EAP-Message = 
0x0107002b190017030100204cf0c6d00e903af6d9bc6afda2cf11086959d8897fdab282
1f5d04962a770e24
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a0422eab8876dd9daf2a9b0548
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=230, length=237
        Message-Authenticator = 0xf12d32407558e9c12a5dfb01fd327299
        User-Name = "testUser"
        State = 0x4729b2a0422eab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x0207005019001703010020f0dad26f2a83c4df79c48f23d2834322365ef67c95e52485
909cb1e77a16f31d1703010020804107dab5a6e1693455ef5564cdd0582c9d81e386cc72
e0796a6b09cad23837
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 6: Preceding "if" was taken
++ ... skipping elsif for request 6: Preceding "if" was taken
  rlm_eap: EAP packet type response id 7 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - testUser
  PEAP: Got tunneled identity of testUser
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to testUser
+- entering group authorize
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testUser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing 
EAP.
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! 
 Cancelling invalid proxy request.
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS 
tunnel)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 230 to 192.168.240.78 port 2435
        EAP-Message = 
0x0108002b19001703010020ece80cc5c7f409dd5c4f15994546592e373a054226d5e1f5
8166049a203e835c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4729b2a04121ab8876dd9daf2a9b0548
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, 
id=231, length=237
        Message-Authenticator = 0x2182c5c53cfbbd289bd90ceee4c4498f
        User-Name = "testUser"
        State = 0x4729b2a04121ab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x0208005019001703010020bf9daf98961e669b4dd1c66f5f6bb4a1aecae6bd206b148d
3e0f78d1a5de2df517030100209db46e6f4313575af773ec994eca4514fa1786c7ee4cf8
54b11d17df897c359a
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 7: Preceding "if" was taken
++ ... skipping elsif for request 7: Preceding "if" was taken
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testUser] (from client DORMTEST2_M80 port 4 cli 
00-16-D3-30-E5-74)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> testUser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 231 to 192.168.240.78 port 2435
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 224 with timestamp +6
Cleaning up request 1 ID 225 with timestamp +6
Cleaning up request 2 ID 226 with timestamp +6
Cleaning up request 3 ID 227 with timestamp +6
Waking up in 0.1 seconds.
Cleaning up request 4 ID 228 with timestamp +6
Cleaning up request 5 ID 229 with timestamp +6
Cleaning up request 6 ID 230 with timestamp +6
Cleaning up request 7 ID 231 with timestamp +6
Ready to process requests.

-----Original Message-----
From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk] 
Sent: Thursday, March 19, 2009 10:26 AM
To: FreeRadius users mailing list
Subject: Re: Perl/Peap-MSChapV2 Issues

Hi,

you dont have a LOCAL defined in proxy.conf - set that.

you are allowing EAP to come before perl, it seems, in your
auth or post-auth sections. 

also, are you hardcoding Auth-Type ? it appears that you are.
that is bad in general. 

if the PERL isnt being called check that you have enabled
PERL functionality - ie in 2.x check that the perl module
is configured correctly in modules/perl and that the function
you want to call (auth, or post-auth) is enabled in that module.

check that you call 'perl' in the Authorise section, for example,
in your sites-enabled/$VIRTUAL-HOST-YOU-USE

alan
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html






More information about the Freeradius-Users mailing list