MAC auth won't work with SQL

Eric Geier me at egeier.com
Tue Mar 31 22:10:25 CEST 2009


Hi, I've set up two different Linux machines with FR and still can't get MAC
authentication working with Calling-Station-Id in the radchk table. I've
checked the FAQ and have googled for hours. I've tried a hosted and a local MySQL
server.

Right now I'm using FR 2.1.1 on openSUSE. I didn't install freeradius-mysql
on this new Linux machine, because I can't find it. However, I can still do
802.1X/PEAP authentication against my MySQL DB if I don't have the
Calling-Station-Id entry in the radchk table.

I can't get SQL xlat to work in the Clients file either.

I appreciate your help! Thanks!

Associated entries in the radchk table:

DEFAULT              Fall-Through          =     yes
egeier at skynets     Cleartext-Password    :=    XXXX
egeier at skynets     Calling-Station-Id    ==    00-1C-B3-B1-3E-07  (if I remove this entry, I can get authenticated)

Here's most of the debug:
 

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

++[files] returns noop

[sql]   expand: %{User-Name} -> egeier at skynets

[sql] sql_set_user escaped user --> 'egeier at skynets'

rlm_sql (sql): Reserving sql socket id: 4

[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radcheck
WHERE username = 'egeier at skynets'           ORDER BY id

[sql] User found in radcheck table

[sql]   expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radreply
WHERE username = 'egeier at skynets'           ORDER BY id

[sql]   expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'egeier at skynets'           ORDER BY priority

rlm_sql (sql): Released sql socket id: 4

++[sql] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Found existing Auth-Type, not changing it.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 190 to 192.168.0.1 port 41576

        EAP-Message = 0x016600061920

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b0881019123d77eed9ad3cef65

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191,
length=230

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b0881019123d77eed9ad3cef65

        EAP-Message =
0x0266007d198000000073160301006e0100006a030149d245f8cc2cbd4fe33cdb07dc35b6c8
7acfcc21da980a70fa466c6e819bf491000018002f00350005000ac009c00ac013c014003200
38001300040100002900000013001101000e65676569657240736b796e657473000a00080006
001700180019000b00020100

        Message-Authenticator = 0x15b99d469f497dd1de41e19b04d463d9

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 102 length 125

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 115

[peap] Length Included

[peap] eaptls_verify returned 11

[peap]     (other): before/accept initialization

[peap]     TLS_accept: before/accept initialization

[peap] <<< TLS 1.0 Handshake [length 006e], ClientHello

[peap]     TLS_accept: SSLv3 read client hello A

[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello

[peap]     TLS_accept: SSLv3 write server hello A

[peap] >>> TLS 1.0 Handshake [length 085e], Certificate

[peap]     TLS_accept: SSLv3 write certificate A

[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone

[peap]     TLS_accept: SSLv3 write server done A

[peap]     TLS_accept: SSLv3 flush data

[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A

In SSL Handshake Phase

In SSL Accept mode

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 191 to 192.168.0.1 port 41576

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b0891119123d77eed9ad3cef65

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=192,
length=111

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b0891119123d77eed9ad3cef65

        EAP-Message = 0x026700061900

        Message-Authenticator = 0x8eba19bccc5e69b9f216eb1aa5d622ec

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 103 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake fragment handler

[peap] eaptls_verify returned 1

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 192 to 192.168.0.1 port 41576

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08a1e19123d77eed9ad3cef65

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=193,
length=111

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08a1e19123d77eed9ad3cef65

        EAP-Message = 0x026800061900

        Message-Authenticator = 0x4a18ffde3fd54458709082acc41f3d7f

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 104 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake fragment handler

[peap] eaptls_verify returned 1

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 193 to 192.168.0.1 port 41576

        EAP-Message =
0x016900b519000ac1781ba6b83678764615af96a16b9e8de4d9b113c26bb2c31ade4edb2b68
22bbb18d7f91bc56bb4488583f3d505689b6679adc328619eb21a7daf1af07872aac89e203b2
7a66d85397274bc951dc0046c7fb8c7c295405b50ddf9a215e56983d429c6b3880a926b90bd7
068106ee1acc4bb6338265a98d87358fe9150ee5c23194a513e978793898b6e635d3fd5e055d
7af2cde4f8e0eedf75aa077bcb6f304894f85b4c2f16030100040e000000

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08b1f19123d77eed9ad3cef65

Finished request 3.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=194,
length=443

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08b1f19123d77eed9ad3cef65

        Message-Authenticator = 0x23d1e19846a4ea99d34d9f1a1bf02ad3

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 105 length 253

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 326

[peap] Length Included

[peap] eaptls_verify returned 11

[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange

[peap]     TLS_accept: SSLv3 read client key exchange A

[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]

[peap] <<< TLS 1.0 Handshake [length 0010], Finished

[peap]     TLS_accept: SSLv3 read finished A

[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]

[peap]     TLS_accept: SSLv3 write change cipher spec A

[peap] >>> TLS 1.0 Handshake [length 0010], Finished

[peap]     TLS_accept: SSLv3 write finished A

[peap]     TLS_accept: SSLv3 flush data

[peap]     (other): SSL negotiation finished successfully

SSL Connection Established

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 194 to 192.168.0.1 port 41576

        EAP-Message =
0x016a004119001403010001011603010030265d5beb57a7f13839215fa229455a84bed0bfc5
f273c5c0535713ccf5aa89e1df349a61abbbfe8f1b76f83d2644755d

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08c1c19123d77eed9ad3cef65

Finished request 4.

Going to the next request

Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=195,
length=111

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08c1c19123d77eed9ad3cef65

        EAP-Message = 0x026a00061900

        Message-Authenticator = 0xf532a3f5a4dcdd4ed4cd71b5cce532e4

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 106 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake is finished

[peap] eaptls_verify returned 3

[peap] eaptls_process returned 3

[peap] EAPTLS_SUCCESS

++[eap] returns handled

Sending Access-Challenge of id 195 to 192.168.0.1 port 41576

        EAP-Message =
0x016b002b19001703010020b112cf49ce3a72e40dc7e9d2e94fef07b74cfac248dd3f4e6e30
9db3b1b05606

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08d1d19123d77eed9ad3cef65

Finished request 5.

Going to the next request

Waking up in 4.7 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=196,
length=164

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08d1d19123d77eed9ad3cef65

        EAP-Message =
0x026b003b19001703010030aee967824d4e7846b6a3c5c2c6b17ab847f7b1fbcdb0fef31637
10a16b7bc351909a7bfbce7b8d60894766b4b01ab6d2

        Message-Authenticator = 0xfa8e5924d5d9b80b3b1eb528d3513560

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 107 length 59

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Identity - egeier at skynets

[peap] Got tunnled request

        EAP-Message = 0x026b00130165676569657240736b796e657473

server (null) {

  PEAP: Got tunneled identity of egeier at skynets

  PEAP: Setting default EAP type for tunneled EAP session.

  PEAP: Setting User-Name to egeier at skynets

Sending tunneled request

        EAP-Message = 0x026b00130165676569657240736b796e657473

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "egeier at skynets"

server inner-tunnel {

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

++[unix] returns notfound

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 107 length 19

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[sql]   expand: %{User-Name} -> egeier at skynets

[sql] sql_set_user escaped user --> 'egeier at skynets'

rlm_sql (sql): Reserving sql socket id: 3

[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radcheck
WHERE username = 'egeier at skynets'           ORDER BY id

[sql]   expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'egeier at skynets'           ORDER BY priority

rlm_sql (sql): Released sql socket id: 3

[sql] User egeier at skynets not found

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type mschapv2

rlm_eap_mschapv2: Issuing Challenge

++[eap] returns handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

        EAP-Message =
0x016c00281a016c0023106185c5d30b26df47aaac5835af87854b65676569657240736b796e
657473

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x8433f2b7845fe8463016d60fe5b8c67e

[peap] Got tunneled reply RADIUS code 11

        EAP-Message =
0x016c00281a016c0023106185c5d30b26df47aaac5835af87854b65676569657240736b796e
657473

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x8433f2b7845fe8463016d60fe5b8c67e

[peap] Got tunneled Access-Challenge

++[eap] returns handled

Sending Access-Challenge of id 196 to 192.168.0.1 port 41576

        EAP-Message =
0x016c004b1900170301004067569516e09b50992249a0bac4306d551611bcdb09de427286d5
1a142ec500855f624a955aca6ce7ae6c5a4c306e7b00579d350b7066fc9b799899f54327558c

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08e1a19123d77eed9ad3cef65

Finished request 6.

Going to the next request

Waking up in 4.6 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=197,
length=212

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08e1a19123d77eed9ad3cef65

        EAP-Message =
0x026c006b19001703010060d41722535ff45cf717b4f40c141ecfcdad9962074ea118036098
59c2ea68c930bce1856c23eb1bc5c0625068f4ebcaba06ff1b3558ec28f435bcec2cdb75d736
3a9a77334da514d01e43e12bf757ff038bb0f37084a82213a93a6303c2ac4539

        Message-Authenticator = 0x620d57d70597d1e4d0364a17ab00182f

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

[eap] EAP packet type response id 108 length 107

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] EAP type mschapv2

[peap] Got tunnled request

        EAP-Message =
0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b3656000000000000000010538d
55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e657473

server (null) {

  PEAP: Setting User-Name to egeier at skynets

Sending tunneled request

        EAP-Message =
0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b3656000000000000000010538d
55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e657473

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "egeier at skynets"

        State = 0x8433f2b7845fe8463016d60fe5b8c67e

server inner-tunnel {

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

++[unix] returns notfound

[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"

[suffix] No such realm "skynets"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 108 length 73

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[sql]   expand: %{User-Name} -> egeier at skynets

[sql] sql_set_user escaped user --> 'egeier at skynets'

rlm_sql (sql): Reserving sql socket id: 2

[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radcheck
WHERE username = 'egeier at skynets'           ORDER BY id

[sql]   expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'egeier at skynets'           ORDER BY priority

rlm_sql (sql): Released sql socket id: 2

[sql] User egeier at skynets not found

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] +- entering group MS-CHAP {...}

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.

[mschap] No Cleartext-Password configured.  Cannot create NT-Password.

[mschap] Told to do MS-CHAPv2 for egeier at skynets with NT-Password

[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

[mschap] FAILED: MS-CHAP2-Response is incorrect

++[mschap] returns reject

[eap] Freeing handler

++[eap] returns reject

Failed to authenticate the user.

} # server inner-tunnel

[peap] Got tunneled reply code 3

        MS-CHAP-Error = "lE=691 R=1"

        EAP-Message = 0x046c0004

        Message-Authenticator = 0x00000000000000000000000000000000

[peap] Got tunneled reply RADIUS code 3

        MS-CHAP-Error = "lE=691 R=1"

        EAP-Message = 0x046c0004

        Message-Authenticator = 0x00000000000000000000000000000000

[peap] Tunneled authentication was rejected.

[peap] FAILURE

++[eap] returns handled

Sending Access-Challenge of id 197 to 192.168.0.1 port 41576

        EAP-Message =
0x016d002b1900170301002050851be7730cf2433442d5288ae299103964d96aca2e00a9a20a
8172328618ee

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x887600b08f1b19123d77eed9ad3cef65

Finished request 7.

Going to the next request

Waking up in 4.5 seconds.

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=198,
length=148

        User-Name = "egeier at skynets"

        NAS-IP-Address = 192.168.0.1

        NAS-Port-Type = Wireless-802.11

        Calling-Station-Id = "00-1C-B3-B1-3E-07"

        State = 0x887600b08f1b19123d77eed9ad3cef65

        EAP-Message =
0x026d002b190017030100202fe95f0a379156a0d8b5c8e2ce3aac1e190037397df3a685ea59
cb4fd6e0e6f2
        Message-Authenticator = 0xf374de61a4af8301e8ca7954dd356a7f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "skynets" for User-Name = "egeier at skynets"
[suffix] No such realm "skynets"
++[suffix] returns noop
[eap] EAP packet type response id 109 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> egeier at skynets
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 198 to 192.168.0.1 port 41576
        EAP-Message = 0x046d0004
        Message-Authenticator = 0x00000000000000000000000000000000
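
An added example, not part of the original post and not FreeRADIUS code: a simplified model of `==` check-item matching, run over a constructed excerpt condensed from the debug output above. It shows that the tunneled request listed in the log carries no Calling-Station-Id, so that check item can match for the outer request but not inside inner-tunnel; the function names and the matching model are assumptions of this sketch.

```python
import re

# Constructed excerpt, condensed from the debug output above.
# EAP-Message values are shortened to placeholders.
SAMPLE_LOG = '''\
rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=196, length=164
        User-Name = "egeier at skynets"
        NAS-IP-Address = 192.168.0.1
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00-1C-B3-B1-3E-07"
        EAP-Message = 0x00
+- entering group authorize {...}
Sending tunneled request
        EAP-Message = 0x00
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "egeier at skynets"
server inner-tunnel {
+- entering group authorize {...}
[sql] User egeier at skynets not found
'''

# The user's rows as given in the post: (username, attribute, op, value).
RADCHECK = [
    ('egeier at skynets', 'Cleartext-Password', ':=', 'XXXX'),
    ('egeier at skynets', 'Calling-Station-Id', '==', '00-1C-B3-B1-3E-07'),
]

ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*) = (.*)$')
# Debug lines that open an attribute list we care about.
START = {'rad_recv: Access-Request': 'outer',
         'Sending tunneled request': 'inner-tunnel'}

def parse_requests(log):
    """Split debug output into requests, each with its attribute dict."""
    requests, current = [], None
    for line in log.splitlines():
        kind = next((k for p, k in START.items() if line.startswith(p)), None)
        if kind:
            current = {'kind': kind, 'attrs': {}}
            requests.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current['attrs'][m.group(1)] = m.group(2).strip('"')
        elif line.startswith(('+', '[', 'server ')):
            current = None  # module output begins: attribute list is over
    return requests

def failed_checks(rows, username, attrs):
    """Return the '==' check items this request does not satisfy.

    Simplified model (assumption): ':=' rows assign a value and never
    block a match; '==' rows must equal the attribute in the request.
    """
    failed = []
    for user, attr, op, value in rows:
        if user == username and op == '==' and attrs.get(attr) != value:
            failed.append((attr, value, attrs.get(attr)))
    return failed

def report(log, rows):
    """One (kind, user, matched, failed_items) tuple per parsed request."""
    out = []
    for req in parse_requests(log):
        user = req['attrs'].get('User-Name')
        failed = failed_checks(rows, user, req['attrs'])
        out.append((req['kind'], user, not failed, failed))
    return out

if __name__ == '__main__':
    for kind, user, matched, failed in report(SAMPLE_LOG, RADCHECK):
        print(f'{kind:13} {user}: {"found" if matched else "not found"} {failed}')
```

In FreeRADIUS 2.x the `peap` section of eap.conf has a `copy_request_to_tunnel` setting that controls whether outer-request attributes are copied into the tunneled request.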



