Hi Everyone,

I have set up FreeRADIUS on an Ubuntu server 10.0.4. I also set up a Cisco switch as a NAS and enabled 802.1X on the switch port. I used the configuration files first (clients.conf, users). The 802.1X authentication just works fine.

Then I started to use a MySQL database instead of clients.conf and users.

I followed the instructions from this link: http://wiki.freeradius.org/SQL_HOWTO

I use the "radtest" command to test the username/password. It works fine. Then I use the Cisco switch to test the username/password and NAS; it also works fine.

But the 802.1X authentication does not work. Here is the output from "freeradius -X":
Ready to process requests.
rad_recv: Access-Request packet from host 10.5.84.14 port 1645, id=213, length=265
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1A-6C-79-7F-89"
	Calling-Station-Id = "00-18-8B-B2-74-CE"
	EAP-Message = 0x0207006b190017030100603436ac7bdf2130158ce653dea69c9c5c155d4a677f8bf6a3330838e2ca749c29c00d7fef558443728826479cb9dbd75b4e3fc4e62b27ecc64a942b06784ae85df1499325a9c927f9e0de86a9989d7349874019e3a286ebb4ab95347d704aaf79
	Message-Authenticator = 0x8a020beb0674cb778f3feb2400792a88
	NAS-Port-Type = Ethernet
	NAS-Port = 50107
	NAS-Port-Id = "FastEthernet1/0/7"
	State = 0xc7b0e155c2b7f81cdb855c0280b00b4a
	NAS-IP-Address = 10.5.84.14
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
server {
  PEAP: Setting User-Name to 83008
Sending tunneled request
020358: Nov 17 11:41:28.199 PST: %AUTHMGR-5-FAIL: Authorization failed for client (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E0000005E17970995
	EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "83008"
	State = 0xe741fb76e746e148ba5c58c22edbac30
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "83008", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 83008 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

83008 is my user ID. Why does it try to use the MSCHAP module and NT-Password?
Here is the fradius database information in MySQL.

mysql> show tables;
+-------------------+
| Tables_in_fradius |
+-------------------+
| nas               |
| radacct           |
| radcheck          |
| radgroupcheck     |
| radgroupreply     |
| radpostauth       |
| radreply          |
| radusergroup      |
+-------------------+
8 rows in set (0.00 sec)

mysql> select * from nas;
+----+------------+-----------+-------+-------+--------+-----------+---------------+
| id | nasname    | shortname | type  | ports | secret | community | description   |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
|  2 | 10.5.84.14 | lab-3750b | cisco |  NULL | spl00t | NULL      | RADIUS Client |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
1 row in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+--------------------+----+------------+
| id | username | attribute          | op | value      |
+----+----------+--------------------+----+------------+
|  1 | sqltest  | Password           | == | testpwd    |
|  2 | 83008    | Cleartext-Password | := | testing123 |
+----+----------+--------------------+----+------------+
2 rows in set (0.00 sec)

mysql> select * from radreply;
+----+----------+--------------+----+-------------------+
| id | username | attribute    | op | value             |
+----+----------+--------------+----+-------------------+
|  2 | 83008    | cisco-avpair | =  | shell:priv-lvl=15 |
+----+----------+--------------+----+-------------------+
1 row in set (0.00 sec)

The other tables are empty.
Thanks for taking a look.
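Editor's note and added example (not part of the original post): in the `server inner-tunnel` authorize trace above, the modules that run are chap, mschap, unix, suffix, control, eap, files, expiration, logintime and pap. `sql` is not among them, so the `Cleartext-Password := testing123` row in radcheck is loaded only for the outer request (where radtest and the switch login succeed) and never for the tunneled request, which is why rlm_mschap reports "No Cleartext-Password configured". MS-CHAPv2 is the default inner method of PEAP on Windows supplicants, and rlm_mschap needs either Cleartext-Password or NT-Password to verify the response, which is why it asks for NT-Password. The authorize section below follows the module order seen in the trace and enables `sql`; the file path is the Debian/Ubuntu FreeRADIUS 2.x default and is assumed.

```unlang
# /etc/freeradius/sites-enabled/inner-tunnel   (path assumed; FreeRADIUS 2.x)
# Only the authorize section is shown. The module order matches the
# "server inner-tunnel" trace in the post; the one change is that "sql"
# is no longer commented out, so radcheck/radreply rows are loaded for
# the inner User-Name (83008) just as they are for the outer request.
server inner-tunnel {
	authorize {
		chap
		mschap
		unix
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		sql		# was "#	sql" in the shipped default
		expiration
		logintime
		pap
	}
}
```

After restarting with `freeradius -X`, the inner-tunnel authorize section of the trace should now contain `[sql]` lines followed by `++[sql] returns ok`, and rlm_mschap should find the Cleartext-Password instead of rejecting. No change to radiusd.conf is needed: the sql module is already loaded there (`$INCLUDE sql.conf`), otherwise the outer server could not have authenticated 83008 for radtest and the switch login.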
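A caveat a practitioner will want alongside the SQL setup: `Cleartext-Password` in radcheck leaves every user's plaintext credential in the database. rlm_mschap does not need the plaintext; it accepts `NT-Password`, the MD4 digest of the UTF-16LE encoded password, which is exactly the value the trace shows it trying to derive. The script below is an editor's example (not code from the post or from FreeRADIUS) that computes that value with a pure-Python MD4, because `hashlib.new('md4')` depends on OpenSSL's legacy provider on current systems, and builds a parameterised INSERT for radcheck. It assumes your rlm_mschap version accepts NT-Password as a 32-digit hex string. Note that the NT hash is unsalted and is itself enough to answer an MS-CHAPv2 challenge, so the table must still be protected like a password store; PAP and MS-CHAPv2 work with NT-Password, CHAP still needs the cleartext value.

```python
"""Generate an NT-Password radcheck row for FreeRADIUS instead of storing
Cleartext-Password. Editor's example; MD4 is implemented here (RFC 1320)
because hashlib's md4 needs OpenSSL's legacy provider on modern systems."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest of data (RFC 1320), returned as 16 raw bytes."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # length in bits, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, shift schedule, message-word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # each step updates one register, then the registers rotate
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hex(password: str) -> str:
    """NT hash as FreeRADIUS expects it in radcheck: MD4(UTF-16LE(password)), 32 hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def radcheck_insert(username: str, password: str):
    """Return (sql, params) for a DB-API cursor.execute(); the username is bound as a
    parameter rather than interpolated so a crafted user name cannot alter the query."""
    sql = ("INSERT INTO radcheck (username, attribute, op, value) "
           "VALUES (%s, 'NT-Password', ':=', %s)")
    return sql, (username, nt_password_hex(password))


if __name__ == "__main__":
    # The user from the post; the password is the one shown in its radcheck table.
    sql, params = radcheck_insert("83008", "testing123")
    print(sql)
    print(params)
```

Run it against the database with any MySQL DB-API driver, e.g. `cursor.execute(*radcheck_insert("83008", "testing123"))`, then delete the Cleartext-Password row for that user so rlm_mschap picks up NT-Password from the control list.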