Switch sends EAP-Fail after Radius Access-Accept

Preyas Kamath p.kamath at cornet.com
Mon Aug 10 19:35:13 CEST 2015


Is there a way to disable ntlm authorization when using PEAP. I added the
following entry in user

"testuser"      Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := 0
                Reply-Message = "Hello, %{User-Name}"

Below is the radius log

 # Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake fragment handler [peap] eaptls_verify returned 1 [peap]
eaptls_process returned 13 [peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.1.2.12 port 1645
	EAP-Message =
0x010403fc194000fd4f6b26b546151e300d06092a864886f70d010105050030818a310b3009
060355040613025553310b30090603550408130256413112301006035504071309536f6d6577
68657265310f300d060355040a1306436f726e65743122302006092a864886f70d0109011613
702e6b616d61746840636f726e65742e636f6d312530230603550403131c436f726e65742043
6572746966696361746520417574686f72697479301e170d3135303830363137333635375a17
0d3135313030353137333635375a30818a310b3009060355040613025553310b300906035504
08130256413112301006035504071309536f6d65776865726531
	EAP-Message =
0x0f300d060355040a1306436f726e65743122302006092a864886f70d0109011613702e6b61
6d61746840636f726e65742e636f6d312530230603550403131c436f726e6574204365727469
66696361746520417574686f7269747930820122300d06092a864886f70d0101010500038201
0f003082010a0282010100d47bc9d476a963ae8b2bc54602dd3ec02a9a61d503388bf03325b1
e036a1b3c3789185a1d8db84c8318ecde367d201f5f8f186a25c865840c9b23e65b37266df1a
43bdfaa22e27984d0daf81e92cbd5bb794eb44f54ccbcaded32f178128ddeb7dde5d9f792c3f
93178dd67e64b7f680b12d86b1b6115f870f8762466c30ebd4eb
	EAP-Message =
0x7ad6cdf30f95d684e080b4b24048b2df4170bd0a8f33c7c07fa980178288903c8185444061
ed2e387840db38ff3f59a4a27854a83bfae7b97080e3ba2b2ec08038fa54583f58420b1f8586
00ed63c7541e5a0a284bbe67f1a21f8cbb5c6a483ab0bd815401b1554e5bee024db9311b9228
634ca8b32f43f0dc55959a8bbc510203010001a381f23081ef301d0603551d0e04160414a7d9
5ae87b9322fd7c72f4cb8447da70a44858a93081bf0603551d230481b73081b48014a7d95ae8
7b9322fd7c72f4cb8447da70a44858a9a18190a4818d30818a310b3009060355040613025553
310b30090603550408130256413112301006035504071309536f
	EAP-Message =
0x6d657768657265310f300d060355040a1306436f726e65743122302006092a864886f70d01
09011613702e6b616d61746840636f726e65742e636f6d312530230603550403131c436f726e
657420436572746966696361746520417574686f72697479820900fd4f6b26b546151e300c06
03551d13040530030101ff300d06092a864886f70d010105050003820101002deab51a55b190
8fe4dd333b9beaab737dbe396a12d17f5856e98eb03f3de18677805ca6033d52cd621cb24771
d3f909d8c35b011d51dadd980e80bb8cb25e98f04d9575fd64fc3d689f3729f648011aa51ed3
c9f3a13c90e690353fe84514c0a9d4f2a6654e90af9cd54c7da1
	EAP-Message = 0x73c22dbad3d8ccd2
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a1e48827dc72cc968a436b25
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=200,
length=167
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message = 0x020400061900
	Message-Authenticator = 0xe2fbaee84c14daebca49cfa615ef8ded
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a1e48827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake fragment handler [peap] eaptls_verify returned 1 [peap]
eaptls_process returned 13 [peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 200 to 10.1.2.12 port 1645
	EAP-Message =
0x0105009a1900f6f1b234409a3067f2946a561c41d329e2d754a68f1c93f8f22c8a79524218
ede2f7357366f533057d0d2af98920702c1d5e0c8ba3a69b9dd4cf8490a6c3c85804bead2421
de19ca57155d7a7df921695c5819a6c3561c8f7a5531960f3f4635175d18752884a7789c8bf2
7866237835c61daa0b744b20f5bb6504022beae99c3abaaa7a5af11fe44e7c1f16030100040e
000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a0e58827dc72cc968a436b25
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=201,
length=499
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message =
0x0205015019800000014616030101061000010201006473f4b19800a13a9c5c7b01b3c265ea
10349366de65e2161d5b2c91fdbe8cefe2f3dc20824d20a4ccea304433ee4f644c1be1606b5c
58d8f5eab7b3fbd6325e35903642aefe1ed49c6abc70659b0320d46939ccdee65bb7f1886999
33027510e90b50d550c2bbbbc1253ae3defb82d7cfaf8f2dabe2417d84c49351ba04b6f93435
cca2124f5223c73b1aeb00680810ee17ab8f78db16768b38e6d99d44ab04985665bf5f7406eb
3baa28092d43fedefa54b114154161dc45c83ef6a5edee18978a5c75e4b38d9ce32ff1af0545
6c5c1a953eb4b074fa3fa8aa8e6f68cfb94aeb34c0a757d67b8a
	EAP-Message =
0x387ed8c044da03f5d7406be6e7fd97cafb2444dabc0d77441403010001011603010030820a
5d69190d3d35413bd788bcd9f65f7d2b22c2ca536887f0d789165fb645ca844b6936df7fdaf7
01bd12390e8cdbd7
	Message-Authenticator = 0x16d00ab524c96631a6b287c799aae583
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a0e58827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel
setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0
Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.1.2.12 port 1645
	EAP-Message =
0x01060041190014030100010116030100300d9b14780e1f41191472b86a2fd4214ac11ce309
a2e5ac57ec848f6615f78666d5c745305aeb0bbd1cf6cfc958e3a140
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a7e68827dc72cc968a436b25
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=202,
length=167
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message = 0x020600061900
	Message-Authenticator = 0xefaefb3a513154371bb7663ec7e046ff
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a7e68827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process
returned 3 [peap] EAPTLS_SUCCESS [peap] Session established.  Decoding
tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 202 to 10.1.2.12 port 1645
	EAP-Message =
0x0107002b190017030100209e946f4b1c969f5d313d2103e294794df2bdcd4a4dae649fbcee
eb26a155c94b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a6e78827dc72cc968a436b25
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=203,
length=204
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message =
0x0207002b1900170301002080698631153c58f752969b90367cc7bb69ac4b399ebf69911b8e
a80d378b4ce4
	Message-Authenticator = 0x698eabce7651b9a3d79e14a8a99a03c1
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a6e78827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser
[peap] Got inner identity 'testuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0207000d017465737475736572 server  { [peap] Setting
User-Name to testuser Sending tunneled request
	EAP-Message = 0x0207000d017465737475736572
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 13 [eap] No EAP Start, assuming
it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message =
0x010800221a0108001d105ce8326e9114d3a2dec5900608214ee17465737475736572
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7aa966307aa17c542ff595d55e7d6a15
[peap] Got tunneled reply RADIUS code 11
	EAP-Message =
0x010800221a0108001d105ce8326e9114d3a2dec5900608214ee17465737475736572
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7aa966307aa17c542ff595d55e7d6a15
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 203 to 10.1.2.12 port 1645
	EAP-Message =
0x0108004b19001703010040be266c6bc8bf3236c7e1700ce1539cf2905fa2d9a5c93fbc53ad
267876efcf31c6f1d3df428d9db9de49ec9cd07e95a7f06233e489a467a2676163512422c03f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a5e88827dc72cc968a436b25
Finished request 6.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=204,
length=268
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message =
0x0208006b1900170301006053c7440846571f5c9208d31294e6a0d5b8dbbdfc0bbc0ec2f0d0
98d24e8079f3dc59fe3f778fa7fc4ec47f37ef3565f42e7ace8c13bb6ab3d5293a7275cfcd49
fa4d577a520df55a5a4950dbfc6608eb927bdac98356c7287449eabe75ac774d
	Message-Authenticator = 0x1d5978dcfe28a322fa85f581541a4d61
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a5e88827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel
setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message =
0x020800431a0208003e31c0591f7fb2f2511bc7c7a39941cb7ca1000000000000000056dc0e
e4ef5fc8898def1758e6aa29ac06cd681d7fd35106007465737475736572
server  {
[peap] Setting User-Name to testuser
Sending tunneled request
	EAP-Message =
0x020800431a0208003e31c0591f7fb2f2511bc7c7a39941cb7ca1000000000000000056dc0e
e4ef5fc8898def1758e6aa29ac06cd681d7fd35106007465737475736572
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser"
	State = 0x7aa966307aa17c542ff595d55e7d6a15
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming
it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/mschapv2 [eap]
processing type mschapv2 [mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash
with username: testuser [mschap] Told to do MS-CHAPv2 for testuser with
NT-Password
[mschap] 	expand: %{Stripped-User-Name} -> 
[mschap] 	... expanding second conditional
[mschap] 	expand: %{User-Name} -> testuser
[mschap] 	expand: %{%{User-Name}:-None} -> testuser
[mschap] 	expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
--username=testuser
[mschap] Creating challenge hash with username: testuser
[mschap] 	expand: %{mschap:Challenge} -> f9a36aa3aa275bf0
[mschap] 	expand: --challenge=%{%{mschap:Challenge}:-00} ->
--challenge=f9a36aa3aa275bf0
[mschap] 	expand: %{mschap:NT-Response} ->
56dc0ee4ef5fc8898def1758e6aa29ac06cd681d7fd35106
[mschap] 	expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=56dc0ee4ef5fc8898def1758e6aa29ac06cd681d7fd35106
Exec-Program output: Exec-Program: FAILED to execute /path/to/ntlm_auth: No
such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/path/to/ntlm_auth: No such file or directory
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 204 to 10.1.2.12 port 1645
	EAP-Message =
0x0109002b19001703010020126279bbbe9350880386e85c413ca97f91ee0deaf67387bfb865
27c4952dc155
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa3e091d2a4e98827dc72cc968a436b25
Finished request 7.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=205,
length=204
	User-Name = "testuser"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "24-B6-57-D3-2C-8C"
	Calling-Station-Id = "5C-B9-01-B2-4A-15"
	EAP-Message =
0x0209002b190017030100205e8ff15f68aa5877d0da372e553dea37fa5131380a857a89c766
11d30c77d468
	Message-Authenticator = 0x5f64a4462e35c1f883f2fbbaf2d3b957
	NAS-Port-Type = Ethernet
	NAS-Port = 50112
	NAS-Port-Id = "GigabitEthernet1/0/12"
	State = 0xa3e091d2a4e98827dc72cc968a436b25
	NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output [peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds Going to the next request Waking
up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 205 to 10.1.2.12 port 1645
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.8 seconds.


Thanks
Preyas
-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+p.kamath=cornet.com at lists.freeradius.org]
On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Thursday, August 06, 2015 9:29 AM
To: FreeRadius users mailing list
Subject: Re: Switch sends EAP-Fail after Radius Access-Accept

Hi,

> [preyask at localhost controller-ned]$ cat /etc/raddb/small.conf listen {
>     type = auth
>     ipaddr = *
>     port = 1812
> }
> client 10.1.2.0/24 { # allow packets from 10.1.2.0/24    
>     secret = testing123
>     shortname = 10.1.2.12
> }
> modules { # We don't use any modules
> }
> authorize { # return Access-Accept for PAP and CHAP
>     update control {
>         Auth-Type := Accept
>     }
> }

yeh. that wont work....start with the default configuration and THEN start
slimming it down

big hints - you are using EAP thus you ARE using modules....in fact ALL work
in FreeRADIUS uses modules.  you are doing EAP - therefore the request needs
to go into a virtual server that is called in the eap.conf configuration.
default in virtual-server.

I'll repeat. stop what you are currently doing, install the default config,
add your client and THEN start work....once its working and you get to know
what each module does and how the server works, THEN reduce the
configuration 

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list