EAP authentication failure

Pratik pratik.dhrona at gmail.com
Tue May 19 21:48:27 CEST 2015


Hi,

I am trying to setup freeradius on my linux machine to work with a Cisco
WRV210 router. When testing with the router, I get the following error on
the freeradius log (just posting bits and pieces as the entire log is
long...please let me know if the full log is required).

Thanks for your help.

--
Pratik

*********************************************************************************
(5) Received Access-Request Id 41 from 192.168.0.106:1164 to
192.168.0.102:1812 length 169
(5)   User-Name = 'pratik'
(5)   NAS-IP-Address = 192.168.1.1
(5)   NAS-Port = 0
(5)   Called-Station-Id = '6C-50-4D-C0-57-A0'
(5)   Calling-Station-Id = '4C-EB-42-62-1B-69'
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = 'CONNECT 11Mbps 802.11b'
(5)   EAP-Message = 0x0206001119800000000715030100020230
(5)   State = 0xe5d173fbe1d76a19b8fdf8f1dc552dae
(5)   Message-Authenticator = 0x95a5086a3556a2d23f48f06c0fe39055
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (!&User-Name) {
(5)       if (!&User-Name)  -> FALSE
(5)       if (&User-Name =~ / /) {
(5)       if (&User-Name =~ / /)  -> FALSE
(5)       if (&User-Name =~ /@.*@/ ) {
(5)       if (&User-Name =~ /@.*@/ )  -> FALSE
(5)       if (&User-Name =~ /\.\./ ) {
(5)       if (&User-Name =~ /\.\./ )  -> FALSE
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)       if (&User-Name =~ /\.$/)  {
(5)       if (&User-Name =~ /\.$/)   -> FALSE
(5)       if (&User-Name =~ /@\./)  {
(5)       if (&User-Name =~ /@\./)   -> FALSE
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "pratik", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent code Response (2) ID 6 length 17
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xe5d173fbe1d76a19
(5) eap: Finished EAP session with state 0xe5d173fbe1d76a19
(5) eap: Previous EAP request found for state 0xe5d173fbe1d76a19, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: TLS Length 7
(5) eap_peap: Length Included
(5) eap_peap: eaptls_verify returned 11
(5) eap_peap: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
(5) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(5) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(5) eap_peap: ERROR: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
(5) eap_peap: eaptls_process returned 4
(5) eap_peap: FR_TLS_OTHERS
(5) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> pratik
(5) attr_filter.access_reject: Matched entry DEFAULT at line 18
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Discarding duplicate request from client ciscoSwitch port 1164 - ID: 41 due to delayed response
Waking up in 0.1 seconds.
(5) <delay>: Sending delayed response
(5) <delay>: Sent Access-Reject Id 41 from 192.168.0.102:1812 to 192.168.0.106:1164 length 44
(5) <delay>:   EAP-Message = 0x04060004
(5) <delay>:   Message-Authenticator = 0x00000000000000000000000000000000
*********************************************************************************
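The decisive lines in the log above are the TLS alert: FreeRADIUS logs "TLS Alert read", meaning the server received the alert rather than sending it, and the alert is "fatal unknown_ca" (RFC 5246: the certificate chain was received but did not end in a CA the receiver trusts). So it is the wireless supplicant that rejected the RADIUS server's certificate, not the other way round. All of that is already encoded in the EAP-Message attribute printed in the Access-Request. The decoder below is an added example, not code from the original post or from the FreeRADIUS project; it parses the EAP header (RFC 3748), the PEAP/EAP-TLS fragment header (length/more/start flags) and, when the payload is a single TLS alert record, names the alert and says which side sent it. The two sample values are the EAP-Message attributes copied from the log above; the dictionary of alert names and the `diagnose` wording are this example's own.

```python
"""Decode FreeRADIUS EAP-Message hex values down to the TLS alert (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP methods that carry the EAP-TLS style fragment header (flags byte + optional length).
TLS_BASED_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def decode_tls_record(record):
    """Parse one TLS record header; for a 2-byte alert body, name level and description."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("TLS record body shorter than declared length")
    out = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
           "version": f"{major}.{minor}",  # 3.1 is TLS 1.0, 3.3 is TLS 1.2
           "length": rlen}
    if ctype == 21 and rlen == 2:
        out["alert"] = {"level": TLS_ALERT_LEVELS.get(body[0], body[0]),
                        "description": TLS_ALERT_DESCRIPTIONS.get(body[1], body[1])}
    return out


def decode_eap_message(hex_value):
    """Decode an EAP-Message attribute as FreeRADIUS prints it ("0x...")."""
    data = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length == 4:
        return out  # Success/Failure carry no type byte and no payload
    eap_type = data[4]
    out["type"] = TLS_BASED_TYPES.get(eap_type, eap_type)
    if eap_type not in TLS_BASED_TYPES or len(data) < 6:
        return out
    flags = data[5]
    out["flags"] = {"length_included": bool(flags & 0x80),
                    "more_fragments": bool(flags & 0x40),
                    "start": bool(flags & 0x20)}
    if eap_type == 25:
        out["peap_version"] = flags & 0x07  # low bits of the PEAP flags byte
    offset = 6
    if flags & 0x80:
        if len(data) < 10:
            raise ValueError("length flag set but 4-byte TLS length missing")
        (out["tls_length"],) = struct.unpack("!I", data[6:10])
        offset = 10
    payload = data[offset:]
    if payload:
        out["tls_record"] = decode_tls_record(payload)
    return out


def diagnose(decoded):
    """One-line reading: which side sent the alert and what it means."""
    alert = decoded.get("tls_record", {}).get("alert")
    if alert is None:
        return "no TLS alert in this EAP packet"
    # An EAP Response comes from the peer (supplicant); a Request from the server.
    sender = "peer (supplicant) sent" if decoded["code"] == "Response" else "server sent"
    msg = f"{sender} {alert['level']} TLS alert {alert['description']}"
    if alert["description"] == "unknown_ca":
        msg += ": the other side's certificate chain does not end in a CA the sender trusts"
    return msg


# Sample inputs: the two EAP-Message values copied from the log above.
CLIENT_ALERT = "0x0206001119800000000715030100020230"
SERVER_REJECT = "0x04060004"

if __name__ == "__main__":
    for value in (CLIENT_ALERT, SERVER_REJECT):
        decoded = decode_eap_message(value)
        print(value, decoded, diagnose(decoded), sep="\n  ")
```

Run against the first value it reports a PEAP Response (id 6, 17 bytes, length flag set, TLS length 7) wrapping a TLS 1.0 alert record, level fatal, description unknown_ca, sent by the supplicant; the second value is the bare EAP Failure the server put in its Access-Reject. The fix therefore lives on the client side (the CA that issued the RADIUS server certificate has to be trusted by the supplicant), not in the FreeRADIUS `eap` configuration.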


More information about the Freeradius-Users mailing list