EAP-TLS/PEAP authentication problem(can not reply correct attribute)

gary gary.yang at browan.com
Fri Sep 2 09:52:45 CEST 2011


Hi Alan,
Thank you, it can reply with the correct attribute.
Some more questions, please.
1. Sometimes it can log in while sometimes it fails; it is random. I am using 
the same user/password for PEAP authentication and exactly the same 
configuration on both the server and the client PC/user.
2. After a user logs in successfully, sometimes it re-authenticates 
automatically. It seems the client issues the authentication itself, but I wonder.
3. Looking at the log below, it seems FR finishes the authentication but the 
result is failure. Why is it sending an Access-Challenge to the NAS (192.168.21.223) 
after success?

*****************************************************************
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Auth-Type := Local
        Service-Type := Framed-User
        Framed-IP-Address := 255.255.255.254
        Framed-IP-Netmask := 255.255.255.0
        Bandwidth-Max-Up := 2097152
        Bandwidth-Max-Down := 2097152
        Redirection-URL := "http://speedtest.net"
        Idle-Timeout := 60
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xe8e6189faa5581198681e65eab0a0270
        MS-MPPE-Recv-Key = 0x0ea859d9cf1789a14e71ea9f41cfa8e0
        EAP-Message = 0x030c0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "gary"
[peap] Got tunneled reply RADIUS code 2
        Auth-Type := Local
        Service-Type := Framed-User
        Framed-IP-Address := 255.255.255.254
        Framed-IP-Netmask := 255.255.255.0
        Bandwidth-Max-Up := 2097152
        Bandwidth-Max-Down := 2097152
        Redirection-URL := "http://speedtest.net"
        Idle-Timeout := 60
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xe8e6189faa5581198681e65eab0a0270
        MS-MPPE-Recv-Key = 0x0ea859d9cf1789a14e71ea9f41cfa8e0
        EAP-Message = 0x030c0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "gary"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 117 to 192.168.21.223 port 1812
        EAP-Message = 0x010d00261900170301001bb702fe1896d6726825ec785647a34e3d8126e49337f16e73596446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2f1a077a27171e8af826d2444a0b0c36
Finished request 79.
Going to the next request
Waking up in 2.8 seconds.
Cleaning up request 71 ID 109 with timestamp +1967
Cleaning up request 72 ID 110 with timestamp +1967
Cleaning up request 73 ID 111 with timestamp +1967
Cleaning up request 74 ID 112 with timestamp +1967
Cleaning up request 75 ID 113 with timestamp +1967
Cleaning up request 76 ID 114 with timestamp +1967
Waking up in 0.8 seconds.
Cleaning up request 77 ID 115 with timestamp +1968
Cleaning up request 78 ID 116 with timestamp +1968
Waking up in 1.0 seconds.
Cleaning up request 79 ID 117 with timestamp +1969
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x2f1a077a27171e8a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
***********************************************************************

Best Regards
Gary

----- Original Message ----- 
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 01, 2011 8:48 PM
Subject: Re: EAP-TLS/PEAP authentication problem(can not reply correct attribute)


> gary wrote:
>> I do not define my private attribute while I follow the WISPr such as
>> "Bandwidth-Max-Up" and "Bandwidth-Max-Down".
>> It is no problem when I use the UAM method (user login with a login page by
>> user name/password) and freeradius can reply the correct attribute.
>> But when I use PEAP authentication, after user login it can not reply the
>> correct attribute that I configure in the radgroupreply table.
>> Can anyone give some idea?
>
>  See "use_tunneled_reply" in raddb/eap.conf.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html 
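
The Access-Challenge that follows `[peap] SUCCESS` in the log above can be decoded to see what the server is still waiting for. The following is an added example, not part of the original thread or of FreeRADIUS: it decodes the EAP headers of the `EAP-Message` values in the log and matches the "did not finish" warning to the challenge carrying the same `State` prefix. The function names `decode_eap` and `unfinished_sessions` are hypothetical.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Excerpt of the debug log quoted in the message above.
SAMPLE_LOG = """\
Sending Access-Challenge of id 117 to 192.168.21.223 port 1812
        EAP-Message = 0x010d00261900170301001bb702fe1896d6726825ec785647a34e3d8126e49337f16e73596446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2f1a077a27171e8af826d2444a0b0c36
Finished request 79.
WARNING: !! EAP session for state 0x2f1a077a27171e8a did not finish!
"""

def decode_eap(hex_value):
    """Decode the EAP header (RFC 3748) and, for PEAP, the first TLS record type."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 5:
        info["type"] = raw[4]                      # 25 = PEAP
        if raw[4] == 25:
            off = 6 + (4 if raw[5] & 0x80 else 0)  # skip TLS length field if L flag set
            if len(raw) > off:
                info["tls_content_type"] = raw[off]  # 23 = application data
    return info

def unfinished_sessions(log_text):
    """Return the last Access-Challenge sent for each session that did not finish."""
    sent = []  # (packet id, NAS address, decoded EAP header, State value)
    # "=\s*" tolerates an EAP-Message value wrapped onto the next line.
    for m in re.finditer(
            r"Sending Access-Challenge of id (\d+) to (\S+) port \d+\n"
            r"\s+EAP-Message =\s*(0x[0-9a-f]+)\n(?:\s+.*\n)*?\s+State = (0x[0-9a-f]+)",
            log_text):
        sent.append((int(m.group(1)), m.group(2), decode_eap(m.group(3)), m.group(4)))
    results = []
    for w in re.finditer(r"EAP session for state (0x[0-9a-f]+) did not finish", log_text):
        # In the log above the warning shows only the first 8 bytes of State.
        for pkt_id, nas, eap, state in reversed(sent):
            if state.startswith(w.group(1)):
                results.append({"nas": nas, "packet_id": pkt_id, "eap": eap})
                break
    return results

if __name__ == "__main__":
    print(decode_eap("0x030c0004"))   # inner EAP-Message from the tunneled reply
    print(unfinished_sessions(SAMPLE_LOG))
```

The inner `EAP-Message` decodes as an EAP-Success, while the outer packet is an EAP-Request of type 25 (PEAP) carrying a TLS application-data record, so the server is still waiting for an EAP-Response from the client before the session can finish.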
