<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:12pt"><DIV>
<DIV>Hi Alan,</DIV>
<DIV> </DIV>
<DIV>Please find the debug log attached below.</DIV>
<DIV>I am pretty new to 802.1X, so I might be missing something. Please correct me if I am wrong.</DIV>
<DIV>EAP-PEAP with MSCHAPv2 does MSCHAPv2 authentication in phase 2 under the hood of the TLS tunnel; don't we need the configs for MSCHAPv2, like username and password?</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV>Dev</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>start logs --------------</DIV>
<DIV> </DIV>
<DIV>FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Feb 2 2010 at 16:20:53<BR>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <BR>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <BR>PARTICULAR PURPOSE. <BR>You may redistribute copies of FreeRADIUS under the terms of the <BR>GNU General Public License v2. <BR>Starting - reading configuration files ...<BR>including configuration file /usr/local/etc/raddb/radiusd.conf<BR>including configuration file /usr/local/etc/raddb/proxy.conf<BR>including configuration file /usr/local/etc/raddb/clients.conf<BR>including files in directory /usr/local/etc/raddb/modules/<BR>including configuration file /usr/local/etc/raddb/modules/sql_log<BR>including configuration file /usr/local/etc/raddb/modules/checkval<BR>including configuration file /usr/local/etc/raddb/modules/detail.example.com<BR>including configuration file
/usr/local/etc/raddb/modules/radutmp<BR>including configuration file /usr/local/etc/raddb/modules/smbpasswd<BR>including configuration file /usr/local/etc/raddb/modules/detail<BR>including configuration file /usr/local/etc/raddb/modules/sradutmp<BR>including configuration file /usr/local/etc/raddb/modules/expiration<BR>including configuration file /usr/local/etc/raddb/modules/echo<BR>including configuration file /usr/local/etc/raddb/modules/otp<BR>including configuration file /usr/local/etc/raddb/modules/files<BR>including configuration file /usr/local/etc/raddb/modules/preprocess<BR>including configuration file /usr/local/etc/raddb/modules/ippool<BR>including configuration file /usr/local/etc/raddb/modules/realm<BR>including configuration file /usr/local/etc/raddb/modules/pam<BR>including configuration file /usr/local/etc/raddb/modules/acct_unique<BR>including configuration file /usr/local/etc/raddb/modules/attr_filter<BR>including configuration file
/usr/local/etc/raddb/modules/ntlm_auth<BR>including configuration file /usr/local/etc/raddb/modules/expr<BR>including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login<BR>including configuration file /usr/local/etc/raddb/modules/linelog<BR>including configuration file /usr/local/etc/raddb/modules/inner-eap<BR>including configuration file /usr/local/etc/raddb/modules/pap<BR>including configuration file /usr/local/etc/raddb/modules/detail.log<BR>including configuration file /usr/local/etc/raddb/modules/exec<BR>including configuration file /usr/local/etc/raddb/modules/passwd<BR>including configuration file /usr/local/etc/raddb/modules/logintime<BR>including configuration file /usr/local/etc/raddb/modules/wimax<BR>including configuration file /usr/local/etc/raddb/modules/perl<BR>including configuration file /usr/local/etc/raddb/modules/cui<BR>including configuration file /usr/local/etc/raddb/modules/smsotp<BR>including configuration
file /usr/local/etc/raddb/modules/policy<BR>including configuration file /usr/local/etc/raddb/modules/ldap<BR>including configuration file /usr/local/etc/raddb/modules/mac2vlan<BR>including configuration file /usr/local/etc/raddb/modules/mac2ip<BR>including configuration file /usr/local/etc/raddb/modules/krb5<BR>including configuration file /usr/local/etc/raddb/modules/attr_rewrite<BR>including configuration file /usr/local/etc/raddb/modules/unix<BR>including configuration file /usr/local/etc/raddb/modules/always<BR>including configuration file /usr/local/etc/raddb/modules/etc_group<BR>including configuration file /usr/local/etc/raddb/modules/digest<BR>including configuration file /usr/local/etc/raddb/modules/chap<BR>including configuration file /usr/local/etc/raddb/modules/mschap<BR>including configuration file /usr/local/etc/raddb/modules/counter<BR>including configuration file /usr/local/etc/raddb/eap.conf<BR>including configuration file
/usr/local/etc/raddb/policy.conf<BR>including files in directory /usr/local/etc/raddb/sites-enabled/<BR>including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>including configuration file /usr/local/etc/raddb/sites-enabled/control-socket<BR>including configuration file /usr/local/etc/raddb/sites-enabled/default<BR>main {<BR> allow_core_dumps = no<BR>}<BR>including dictionary file /usr/local/etc/raddb/dictionary<BR>main {<BR> prefix = "/usr/local"<BR> localstatedir = "/usr/local/var"<BR> logdir = "/usr/local/var/log/radius"<BR> libdir = "/usr/local/lib"<BR> radacctdir = "/usr/local/var/log/radius/radacct"<BR> hostname_lookups = no<BR> max_request_time = 30<BR> cleanup_delay = 5<BR> max_requests = 1024<BR> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<BR> checkrad = "/usr/local/sbin/checkrad"<BR> debug_level = 0<BR> proxy_requests = yes<BR> log
{<BR> stripped_names = no<BR> auth = no<BR> auth_badpass = no<BR> auth_goodpass = no<BR> }<BR> security {<BR> max_attributes = 200<BR> reject_delay = 1<BR> status_server = yes<BR> }<BR>}<BR>radiusd: #### Loading Realms and Home Servers ####<BR> proxy server {<BR> retry_delay = 5<BR> retry_count = 3<BR> default_fallback = no<BR> dead_time = 120<BR> wake_all_if_all_dead = no<BR> }<BR> home_server localhost {<BR> ipaddr = 127.0.0.1<BR> port = 1812<BR> type = "auth"<BR> secret = "testing123"<BR> response_window = 20<BR> max_outstanding = 65536<BR> require_message_authenticator = no<BR> zombie_period = 40<BR> status_check = "status-server"<BR> ping_interval = 30<BR> check_interval = 30<BR> num_answers_to_alive = 3<BR> num_pings_to_alive = 3<BR> revive_interval = 120<BR> status_check_timeout =
4<BR> irt = 2<BR> mrt = 16<BR> mrc = 5<BR> mrd = 30<BR> }<BR> home_server_pool my_auth_failover {<BR> type = fail-over<BR> home_server = localhost<BR> }<BR> realm example.com {<BR> auth_pool = my_auth_failover<BR> }<BR> realm LOCAL {<BR> }<BR>radiusd: #### Loading Clients ####<BR> client localhost1 {<BR> ipaddr = 127.0.0.1<BR> require_message_authenticator = no<BR> secret = "testing123"<BR> nastype = "other"<BR> }<BR> client 10.191.8.187 {<BR> require_message_authenticator = no<BR> secret = "freeradius"<BR> }<BR>radiusd: #### Instantiating modules ####<BR> instantiate {<BR> Module: Linked to module rlm_exec<BR> Module: Instantiating exec<BR> exec {<BR> wait = no<BR> input_pairs = "request"<BR> shell_escape = yes<BR> }<BR> Module: Linked to module rlm_expr<BR> Module: Instantiating
expr<BR> Module: Linked to module rlm_expiration<BR> Module: Instantiating expiration<BR> expiration {<BR> reply-message = "Password Has Expired "<BR> }<BR> Module: Linked to module rlm_logintime<BR> Module: Instantiating logintime<BR> logintime {<BR> reply-message = "You are calling outside your allowed timespan "<BR> minimum-timeout = 60<BR> }<BR> }<BR>radiusd: #### Loading Virtual Servers ####<BR>server inner-tunnel {<BR> modules {<BR> Module: Checking authenticate {...} for more modules to load<BR> Module: Linked to module rlm_pap<BR> Module: Instantiating pap<BR> pap {<BR> encryption_scheme = "auto"<BR> auto_header = no<BR> }<BR> Module: Linked to module rlm_chap<BR> Module: Instantiating chap<BR> Module: Linked to module rlm_mschap<BR> Module: Instantiating mschap<BR> mschap {<BR> use_mppe =
yes<BR> require_encryption = no<BR> require_strong = no<BR> with_ntdomain_hack = no<BR> }<BR> Module: Linked to module rlm_unix<BR> Module: Instantiating unix<BR> unix {<BR> radwtmp = "/usr/local/var/log/radius/radwtmp"<BR> }<BR> Module: Linked to module rlm_eap<BR> Module: Instantiating eap<BR> eap {<BR> default_eap_type = "peap"<BR> timer_expire = 60<BR> ignore_unknown_eap_types = no<BR> cisco_accounting_username_bug = no<BR> max_sessions = 4096<BR> }<BR> Module: Linked to sub-module rlm_eap_md5<BR> Module: Instantiating eap-md5<BR> Module: Linked to sub-module rlm_eap_leap<BR> Module: Instantiating eap-leap<BR> Module: Linked to sub-module rlm_eap_gtc<BR> Module: Instantiating eap-gtc<BR> gtc {<BR> challenge = "Password: "<BR> auth_type = "PAP"<BR> }<BR> Module: Linked to sub-module
rlm_eap_tls<BR> Module: Instantiating eap-tls<BR> tls {<BR> rsa_key_exchange = no<BR> dh_key_exchange = yes<BR> rsa_key_length = 512<BR> dh_key_length = 512<BR> verify_depth = 0<BR> pem_file_type = yes<BR> private_key_file = "/usr/local/etc/raddb/certs/radsvr.key"<BR> certificate_file = "/usr/local/etc/raddb/certs/radsvrcert.pem"<BR> CA_file = "/usr/local/etc/raddb/certs/cacert.pem"<BR> private_key_password = "freeradius"<BR> dh_file = "/usr/local/etc/raddb/certs/dh"<BR> random_file = "/usr/local/etc/raddb/certs/random"<BR> fragment_size = 1024<BR> include_length = yes<BR> check_crl = no<BR> cipher_list = "DEFAULT"<BR> make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"<BR> cache {<BR> enable = no<BR> lifetime = 24<BR> max_entries = 255<BR> }<BR> }<BR> Module: Linked to
sub-module rlm_eap_ttls<BR> Module: Instantiating eap-ttls<BR> ttls {<BR> default_eap_type = "md5"<BR> copy_request_to_tunnel = yes<BR> use_tunneled_reply = yes<BR> virtual_server = "inner-tunnel"<BR> include_length = yes<BR> }<BR> Module: Linked to sub-module rlm_eap_peap<BR> Module: Instantiating eap-peap<BR> peap {<BR> default_eap_type = "mschapv2"<BR> copy_request_to_tunnel = yes<BR> use_tunneled_reply = yes<BR> proxy_tunneled_request_as_eap = yes<BR> virtual_server = "inner-tunnel"<BR> }<BR> Module: Linked to sub-module rlm_eap_mschapv2<BR> Module: Instantiating eap-mschapv2<BR> mschapv2 {<BR> with_ntdomain_hack = no<BR> }<BR> Module: Checking authorize {...} for more modules to load<BR> Module: Linked to module rlm_realm<BR> Module: Instantiating suffix<BR> realm suffix
{<BR> format = "suffix"<BR> delimiter = "@"<BR> ignore_default = no<BR> ignore_null = no<BR> }<BR> Module: Linked to module rlm_files<BR> Module: Instantiating files<BR> files {<BR> usersfile = "/usr/local/etc/raddb/users"<BR> acctusersfile = "/usr/local/etc/raddb/acct_users"<BR> preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"<BR> compat = "no"<BR> }<BR> Module: Checking session {...} for more modules to load<BR> Module: Linked to module rlm_radutmp<BR> Module: Instantiating radutmp<BR> radutmp {<BR> filename = "/usr/local/var/log/radius/radutmp"<BR> username = "%{User-Name}"<BR> case_sensitive = yes<BR> check_with_nas = yes<BR> perm = 384<BR> callerid = yes<BR> }<BR> Module: Checking post-proxy {...} for more modules to load<BR> Module: Checking post-auth {...} for more modules to load<BR> Module: Linked
to module rlm_attr_filter<BR> Module: Instantiating attr_filter.access_reject<BR> attr_filter attr_filter.access_reject {<BR> attrsfile = "/usr/local/etc/raddb/attrs.access_reject"<BR> key = "%{User-Name}"<BR> }<BR> } # modules<BR>} # server<BR>server {<BR> modules {<BR> Module: Checking authenticate {...} for more modules to load<BR> Module: Checking authorize {...} for more modules to load<BR> Module: Linked to module rlm_preprocess<BR> Module: Instantiating preprocess<BR> preprocess {<BR> huntgroups = "/usr/local/etc/raddb/huntgroups"<BR> hints = "/usr/local/etc/raddb/hints"<BR> with_ascend_hack = no<BR> ascend_channels_per_line = 23<BR> with_ntdomain_hack = no<BR> with_specialix_jetstream_hack = no<BR> with_cisco_vsa_hack = no<BR> with_alvarion_vsa_hack = no<BR> }<BR> Module: Checking preacct {...} for more modules to
load<BR> Module: Linked to module rlm_acct_unique<BR> Module: Instantiating acct_unique<BR> acct_unique {<BR> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR> }<BR> Module: Checking accounting {...} for more modules to load<BR> Module: Linked to module rlm_detail<BR> Module: Instantiating detail<BR> detail {<BR> detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR> header = "%t"<BR> detailperm = 384<BR> dirperm = 493<BR> locking = no<BR> log_packet_header = no<BR> }<BR> Module: Instantiating attr_filter.accounting_response<BR> attr_filter attr_filter.accounting_response {<BR> attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"<BR> key = "%{User-Name}"<BR> }<BR> Module: Checking session {...} for more modules to load<BR> Module: Checking post-proxy {...} for
more modules to load<BR> Module: Checking post-auth {...} for more modules to load<BR> } # modules<BR>} # server<BR>radiusd: #### Opening IP addresses and Ports ####<BR>listen {<BR> type = "auth"<BR> ipaddr = *<BR> port = 0<BR>}<BR>listen {<BR> type = "acct"<BR> ipaddr = *<BR> port = 0<BR>}<BR>listen {<BR> type = "control"<BR> listen {<BR> socket = "/usr/local/var/run/radiusd/radiusd.sock"<BR> }<BR>}<BR>Listening on authentication address * port 1812<BR>Listening on accounting address * port 1813<BR>Listening on command file /usr/local/var/run/radiusd/radiusd.sock<BR>Listening on proxy address * port 1814<BR>Ready to process requests.<BR>rad_recv: Access-Request packet from host 10.191.8.187 port 1025, id=15, length=125<BR> EAP-Message = 0x021100090164657661<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address = 10.191.8.187<BR> NAS-Port =
2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0xa4b9e48629f2ee7e4ad6409f322bb932<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 17 length 9<BR>[eap] No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>++[unix] returns updated<BR>WARNING: Found User-Password == "...".<BR>WARNING: Are you sure you don't mean Cleartext-Password?<BR>WARNING: See "man rlm_pap" for more information.<BR>[files] users: Matched entry deva at line 61<BR>++[files] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>[pap] Found
existing Auth-Type, not changing it.<BR>++[pap] returns noop<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] EAP Identity<BR>[eap] processing type tls<BR>[tls] Initiate<BR>[tls] Start returned 1<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 15 to 10.191.8.187 port 1025<BR> EAP-Message = 0x011200061920<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xb27c20a6b26e394a0ab57f4dc80f905e<BR>Finished request 0.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.191.8.187 port 1025, id=16, length=208<BR> EAP-Message = 0x0212004a198000000040160301003b0100003703014b6c69da6376f61ced77e9a203c21d1bad812388a9b7b4dbbce4e319c8c51b680000100035000a002f006200610009000800060100<BR> State = 0xb27c20a6b26e394a0ab57f4dc80f905e<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address =
10.191.8.187<BR> NAS-Port = 2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0xc75bfb0056761c651c370ce733100af1<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 18 length 74<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 64<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11 <BR>[peap] (other): before/accept
initialization <BR>[peap] TLS_accept: before/accept initialization <BR>[peap] <<< TLS 1.0 Handshake [length 003b], ClientHello <BR>[peap] TLS_accept: SSLv3 read client hello A <BR>[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello <BR>[peap] TLS_accept: SSLv3 write server hello A <BR>[peap] >>> TLS 1.0 Handshake [length 053b], Certificate <BR>[peap] TLS_accept: SSLv3 write certificate A <BR>[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone <BR>[peap] TLS_accept: SSLv3 write server done A <BR>[peap] TLS_accept: SSLv3 flush data <BR>[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A<BR>In SSL Handshake Phase <BR>In SSL Accept mode <BR>[peap] eaptls_process returned 13 <BR>[peap]
EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 16 to 10.191.8.187 port 1025<BR> EAP-Message = ...<BR> EAP-Message = ...<BR> EAP-Message = ...<BR> EAP-Message =
0x310d300b060355040b13046669726d3111300f060355040313086665646f72613131311f301d06092a864886f70d01090116106665646f72616c6c406b796f2e636f6d301e170d3130303230333032313235395a170d3133303230323032313235395a306b310b3009060355040613025553310b3009060355040813024341310c300a060355040a13036b796f310d300b060355040b13046669726d3111300f060355040313086665646f72613131311f301d06092a864886f70d01090116106665646f72616c6c406b796f2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xb27c20a6b36f394a0ab57f4dc80f905e<BR>Finished request 1.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.191.8.187 port 1025, id=17, length=140<BR> EAP-Message = 0x021300061900<BR> State = 0xb27c20a6b36f394a0ab57f4dc80f905e<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address =
10.191.8.187<BR> NAS-Port = 2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0x703e7d0dff6e45d1d9a1f81513ea38c6<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 19 length 6<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR>[peap] Received TLS ACK<BR>[peap] ACK handshake fragment handler<BR>[peap] eaptls_verify returned 1 <BR>[peap] eaptls_process returned 13
<BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 17 to 10.191.8.187 port 1025<BR> EAP-Message = 0x011401a41900be2c09ebe17bf56823a8a54e9fdb8f87468ffc568253c08eb6281081c4881f47a0764f5e16850c36953dd4e5287a19930c3536b642c8cd3ad2f6216b702219774fbe99df2f59f442c8f669848d7949ea5a9cb6b64db00b0dde1eb08897db81d1ef86116e1c58ff4b7f5795e65fa6659a66f987bf97d6113442a66f0721e95e6d0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414bdf82300e11365e480d9924c6d1e34e17699bff7301f0603551d23041830168014bdf82300e11365e480<BR> EAP-Message =
0xd9924c6d1e34e17699bff7300d06092a864886f70d010105050003818100823802406247501f766162dc90260500d56ca022471e50902ed8316f26fdcffe7f9a9d64937ebdfaed8ebd221685369c75556317916ea0301f5b1ccd550dbfc457dfcc0ccbebd826e56d4ce564b53b6a8ae91ea7a3357a3a43a5e355319ecb8ca631f9db961a5089725768e3e065927f79cea61b262d4ff6cfb7e0f39e6558b016030100040e000000<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xb27c20a6b068394a0ab57f4dc80f905e<BR>Finished request 2.<BR>Going to the next request<BR>Waking up in 4.8 seconds.<BR>rad_recv: Access-Request packet from host 10.191.8.187 port 1025, id=18, length=342<BR> EAP-Message =
0x021400d01980000000c6160301008610000082008049d315aeb5db8e95469539cb35c50329caa30a71f2af5f77edf85daa9309099eb41d0b2423672538fe84b2164a800cbd9592b32388e889d685235703bd679affd7b489ab0ed7f4a3338ce36c4f7dd4f62da3a35ede3286abc345d7d29ea5b4cc7cbd9648c43e9b574d6f8c1fe9f231e5040ae057245f2d95c76f55d157dc66a41403010001011603010030972820e36a4d7b25386123ac9715c29ec84b2232323f5d5a653a3769f9d515a3082fa5054f85e8183211a156356ab92c<BR> State = 0xb27c20a6b068394a0ab57f4dc80f905e<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address = 10.191.8.187<BR> NAS-Port = 2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0x141a3c15642be74a6c95788cf8144e29<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 20 length 208<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 198<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11 <BR>[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange <BR>[peap] TLS_accept: SSLv3 read client key exchange A <BR>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] <BR>[peap] <<< TLS 1.0 Handshake [length 0010], Finished <BR>[peap] TLS_accept: SSLv3 read finished A <BR>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
<BR>[peap] TLS_accept: SSLv3 write change cipher spec A <BR>[peap] >>> TLS 1.0 Handshake [length 0010], Finished <BR>[peap] TLS_accept: SSLv3 write finished A <BR>[peap] TLS_accept: SSLv3 flush data <BR>[peap] (other): SSL negotiation finished successfully <BR>SSL Connection Established <BR>[peap] eaptls_process returned 13 <BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 18 to 10.191.8.187 port 1025<BR> EAP-Message = 0x0115004119001403010001011603010030f3f11162018cf0697f8df90b46cb2977488676fd8c01ec17f886436a783cc80675f16b74ac916bba96c1b667b4e69948<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xb27c20a6b169394a0ab57f4dc80f905e<BR>Finished request 3.<BR>Going to the next request<BR>Waking up in 4.7 seconds.<BR>rad_recv: Access-Request packet from host 10.191.8.187
port 1025, id=19, length=140<BR> EAP-Message = 0x021500061900<BR> State = 0xb27c20a6b169394a0ab57f4dc80f905e<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address = 10.191.8.187<BR> NAS-Port = 2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0xe1196e0e907453fe8529ba8754f5ba7c<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 21 length 6<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap]
EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR>[peap] Received TLS ACK<BR>[peap] ACK handshake is finished<BR>[peap] eaptls_verify returned 3 <BR>[peap] eaptls_process returned 3 <BR>[peap] EAPTLS_SUCCESS<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 19 to 10.191.8.187 port 1025<BR> EAP-Message = 0x0116002b19001703010020ce85837d277054c3469c6ab1594af7a219ac2c0ea337c4a1876620e1bc387232<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xb27c20a6b66a394a0ab57f4dc80f905e<BR>Finished request 4.<BR>Going to the next request<BR>Waking up in 4.7 seconds.<BR>rad_recv: Access-Request packet from host 10.191.8.187 port 1025, id=20, length=151<BR> EAP-Message = 0x0216001119800000000715030100020200<BR> State = 0xb27c20a6b66a394a0ab57f4dc80f905e<BR> NAS-Port-Type = Ethernet<BR> User-Name = "deva"<BR> NAS-IP-Address = 10.191.8.187<BR> NAS-Port =
2<BR> Framed-MTU = 1000<BR> NAS-Port-Id = "Port 2"<BR> Calling-Station-Id = "00-c0-ee-66-09-b6"<BR> Called-Station-Id = "00-22-6b-33-ee-0d"<BR> Message-Authenticator = 0x2ad8b97864739fa1946164e479a487bb<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "deva", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 22 length 17<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 7<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11 <BR>[peap] >>> TLS 1.0 Alert [length 0002], fatal decryption_failed <BR>TLS
Alert write:fatal:decryption failed <BR>[peap] SSL_read Error<BR>[peap] eaptls_process returned 4 <BR>[peap] EAPTLS_OTHERS<BR>[eap] Handler failed in EAP/peap<BR>[eap] Failed in EAP select<BR>++[eap] returns invalid<BR>Failed to authenticate the user.<BR>Using Post-Auth-Type Reject<BR>+- entering group REJECT {...}<BR>[attr_filter.access_reject] expand: %{User-Name} -> deva<BR> attr_filter: Matched entry DEFAULT at line 11<BR>++[attr_filter.access_reject] returns updated<BR>Delaying reject of request 5 for 1 seconds<BR>Going to the next request<BR>Waking up in 0.9 seconds.<BR></DIV>
<DIV> </DIV>
<DIV>end of logs ....................</DIV>
<DIV> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: Courier New, courier, monaco, monospace, sans-serif">Date: Wed, 10 Feb 2010 00:38:47 +0100<BR>From: Alan DeKok &lt;<A href="mailto:aland@deployingradius.com">aland@deployingradius.com</A>&gt;<BR>Subject: Re: freeradius with PEAP configuration<BR>To: FreeRadius users mailing list<BR> &lt;<A href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</A>&gt;<BR>Message-ID: &lt;4B71F207.6050108@deployingradius.com&gt;<BR>Content-Type: text/plain; charset=ISO-8859-1<BR><BR>dev nath wrote:<BR>&gt; I am trying to authenticate Xsupplicant
(open1x) through freeradius<BR>&gt; using EAP-PEAP-MSCHAPv2 configs. TLS initial connection was successful<BR>&gt; but MSCHAP-v2 authentication was not initiating (Xsupplicant returned<BR>&gt; TLS application packet not decrypted).<BR><BR> Knowing the real error message would help.<BR><BR>&gt; PLEASE HELP with correct freeradius configurations required. I was not<BR>&gt; able to google the appropriate configurations for the same. Please<BR>&gt; provide me with config files with some working PEAP<BR>&gt; configurations (radiusd.conf, eap.conf, user, clients.conf)<BR><BR> In 2.1.x, the *default* configuration works for PEAP. See also my web<BR>site for step-by-step instructions on getting PEAP to work:<BR><BR><A href="http://deployingradius.com/" target=_blank>http://deployingradius.com</A><BR><BR> Alan
DeKok.<BR><BR><BR>------------------------------<BR><BR></DIV></DIV></div><br>
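<DIV>The EAP-Message values in the debug log above are EAP packets carried inside RADIUS attributes. The decoder below is an added example (not FreeRADIUS code and not from the poster): it unpacks the EAP header, the PEAP flag byte and the TLS record headers inside, using hex values copied from the log, and shows what the server rejected with decryption_failed: the last client packet carries a 2-byte, cleartext-sized TLS alert record sent after the handshake had already finished, when every record has to carry a MAC. The reassemble() helper and the 16-byte minimum MAC length are this example's own assumptions, not log output.</DIV>

```python
"""Decode EAP-Message values from a FreeRADIUS PEAP debug log (added example,
not FreeRADIUS code; the hex values in LOG_PACKETS are copied from the log above;
layout per RFC 3748 (EAP), RFC 5216 (EAP-TLS/PEAP flags) and RFC 2246 (TLS))."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 20: "bad_record_mac", 21: "decryption_failed"}
MIN_MAC_LEN = 16  # MD5 is the shortest MAC a TLS 1.0 cipher suite can negotiate

# (label, handshake already finished?, EAP-Message values of one RADIUS packet)
LOG_PACKETS = [
    ("client identity", False, ["0x021100090164657661"]),
    ("client ClientHello", False,
     ["0x0212004a198000000040160301003b0100003703014b6c69da6376f61c"
      "ed77e9a203c21d1bad812388a9b7b4dbbce4e319c8c51b68000010"
      "0035000a002f006200610009000800060100"]),
    ("client after handshake", True, ["0x0216001119800000000715030100020200"]),
]


def parse_eap(hex_values):
    """Join one RADIUS packet's EAP-Message attributes (RFC 3579 3.1) and decode the header."""
    data = b"".join(bytes.fromhex(h[2:] if h[:2] == "0x" else h) for h in hex_values)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success/Failure carry no type byte
        return pkt
    eap_type, body = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("ascii", errors="replace")
    elif eap_type in (13, 21, 25):  # TLS-based methods: flag byte, optional length, TLS data
        flags = body[0]
        pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        offset = 1
        if flags & 0x80:  # L: 4-byte total TLS message length follows
            pkt["tls_total_length"] = struct.unpack("!I", body[1:5])[0]
            offset = 5
        pkt["tls_data"] = body[offset:]
    return pkt


def reassemble(pkts):
    """Join EAP-TLS fragments from one peer; a message ends when M is clear."""
    messages, buf = [], b""
    for p in pkts:
        buf += p.get("tls_data", b"")
        if not p.get("flags", {}).get("M") and buf:  # ACKs carry no data
            messages.append(buf)
            buf = b""
    return messages


def parse_tls_records(data):
    """Split a TLS message into record headers (RFC 2246 6.2.1)."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[offset:offset + 5])
        frag = data[offset + 5:offset + 5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": f"{major}.{minor}",
               "length": rlen, "complete": len(frag) == rlen}
        if ctype == 21 and len(frag) == 2:  # cleartext-sized alert: level, description
            rec["alert"] = (ALERT_LEVELS.get(frag[0], frag[0]), ALERT_DESCS.get(frag[1], frag[1]))
        records.append(rec)
        offset += 5 + rlen
    return records


def decode(hex_values, after_handshake=False):
    """Decode one EAP packet and flag post-handshake records too short to carry a MAC."""
    pkt = parse_eap(hex_values)
    pkt["records"] = [r for m in reassemble([pkt]) for r in parse_tls_records(m)]
    pkt["unprotected"] = [r for r in pkt["records"] if after_handshake and r["length"] < MIN_MAC_LEN]
    return pkt


if __name__ == "__main__":
    for label, done, values in LOG_PACKETS:
        print(label, decode(values, done))
```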
</body></html>