<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:'times new roman', 'new york', times, serif;font-size:12pt"><div>Hello all,</div><div><br></div><div>I'm doing some investigation to set up a system to authenticate wireless clients using 802.1X. freeradius is my choice because it's free and robust. I followed the instructions in "Deploying FreeRadius with MySQL Cluster Database" to set it up. I used radtest to verify the account in both "users" file and "mysql" database successfully. However, when it came to working with the wireless client, only the account in "users" file worked. The users stored in "mysql" database didn't. I configured the laptop to use EAP-PEAP.</div><div><br></div><div>I examined the debug and found that FR rejected the client request at the last steps (when using mysql database):</div><div><br></div><div><div>rad_recv: Access-Request packet from host 10.100.0.152 port 1226,
id=242, length=271</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>User-Name = "user1"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-IP-Address = 10.100.0.152</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Identifier = "00:1f:41:54:c4:19"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Port = 1</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Called-Station-Id = "00-1F-41-54-C4-19:free-internet"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Calling-Station-Id = "00-19-7E-75-8F-E5"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Framed-MTU = 1400</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Port-Type = Wireless-802.11</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Connect-Info = "CONNECT 11Mbps 802.11b"</div><div><span
class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x020700571900170301004c7a9ca4c1143f9e8369e9648842e42d52e47f32e377ddb7109dea0dff2a19a761b2344bf994690cdcc4929bbd725db2e151869d3c1673f6cb54cdfc8a9c366acb69ae7492cf63732a02a10a98</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>State = 0xfa24a8fafc23b1c9dd29d46684e60d05</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0xe5772ca3d27eede908597d3ec363cdfe</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>[suffix] No '@' in User-Name = "user1", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 7 length 87</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div><div>+- entering group
authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div><div>[peap] processing EAP-TLS</div><div>[peap] eaptls_verify returned 7 </div><div>[peap] Done initial handshake</div><div>[peap] eaptls_process returned 7 </div><div>[peap] EAPTLS_OK</div><div>[peap] Session established. Decoding tunneled attributes.</div><div>[peap] EAP type mschapv2</div><div>[peap] Got tunneled request</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x020700401a0207003b31f1d2adb1254069291e8790ea6b2abf8b0000000000000000c0da299a4d8e225d5eb3c29a799bdfd2e5f1fbb8b9ccf5c8007573657231</div><div>server {</div><div> PEAP: Setting User-Name to user1</div><div>Sending tunneled request</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message =
0x020700401a0207003b31f1d2adb1254069291e8790ea6b2abf8b0000000000000000c0da299a4d8e225d5eb3c29a799bdfd2e5f1fbb8b9ccf5c8007573657231</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>FreeRADIUS-Proxied-To = 127.0.0.1</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>User-Name = "user1"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>State = 0xb8773755b8702dae4ab169969e969276</div><div>server inner-tunnel {</div><div>+- entering group authorize {...}</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[unix] returns notfound</div><div>[suffix] No '@' in User-Name = "user1", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>++[control] returns noop</div><div>[eap] EAP packet type response id 7 length 64</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns
updated</div><div>++[files] returns noop</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/mschapv2</div><div>[eap] processing type mschapv2</div><div>[mschapv2] +- entering group MS-CHAP {...}</div><div>[mschap] No Cleartext-Password configured. Cannot create LM-Password.</div><div>[mschap] No Cleartext-Password configured. Cannot create NT-Password.</div><div>[mschap] Told to do MS-CHAPv2 for user1 with NT-Password</div><div>[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.</div><div>[mschap] FAILED: MS-CHAP2-Response is incorrect</div><div>++[mschap] returns reject</div><div>[eap] Freeing handler</div><div>++[eap] returns reject</div><div>Failed to authenticate the user.</div><div>} # server
inner-tunnel</div><div>[peap] Got tunneled reply code 3</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>MS-CHAP-Error = "\007E=691 R=1"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x04070004</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div><div>[peap] Got tunneled reply RADIUS code 3</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>MS-CHAP-Error = "\007E=691 R=1"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x04070004</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div><div>[peap] Tunneled authentication was rejected.</div><div>[peap] FAILURE</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 242 to 10.100.0.152 port 1226</div><div><span
class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x010800261900170301001bb01d04e6aa35394f3fb1a6ba4967e4d4d123c69434f2c2cf442703</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>State = 0xfa24a8fafd2cb1c9dd29d46684e60d05</div><div>Finished request 21.</div><div><br></div><div>I'm still reading more to understand the technology. But I hope that someone could help me to fix the problem.</div><div><br></div><div>Thanks,</div><div>Thai.</div></div><div style="position:fixed"></div>
<!-- cg3.c0.mail.mud.yahoo.com compressed/chunked Wed Dec 2 20:09:11 PST 2009 -->
</div><br>
</body></html>