I have an HP JetDirect 690n print server that I'm trying to authenticate via FreeRadius 2.1.8 for wireless clients to use. If I tell the 690 to use peap then I get the error "ERROR! Our request for peap was NAK'd with a request for peap". If I tell it to use eap-tls I get the error "ERROR! Our request for tls was NAK'd with a request for tls". Also, I have a user set up in the users file, but it still tries to search ldap for that user. I can log in fine with the local "ktest" user via radtest or ntradping. Debug log from a peap request is here:

Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80, length=283
        User-Name = "ktest"
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 150
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:1b:78:eb:c8:1d"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP01"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "NonAuth"
        Siemens-Topology = "Bridged at AP untagged"
        EAP-Message = 0x0201000a016b74657374
        Message-Authenticator = 0xef83aea844bdbfb74c34110c7fafa33f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry ktest at line 209
++[files] returns ok
[ldap] performing user authorization for ktest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> ktest
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ktest)
[ldap] expand: o=org -> o=org
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.company.com:389, authentication 0
  [ldap] setting TLS CACert File to /etc/raddb/certs/ca.pem
  [ldap] starting TLS
  [ldap] bind as cn=radmin,o=org/<password> to ldap.company.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (cn=ktest)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.1.1.1 port 47567
        Filter-Id = "Students"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb21c3f23b21e261bc6f5440efd9d3572
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80, length=361
Cleaning up request 0 ID 80 with timestamp +53
        User-Name = "ktest"
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 150
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:1b:78:eb:c8:1d"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP01"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "NonAuth"
        Siemens-Topology = "Bridged at AP untagged"
        EAP-Message = 0x0202004619800000003c16030100370100003303010000000c2db78264c7293dabf829a390628548921ccd153f66aef981c50d964c00000c0035000a002f0005000400090100
        State = 0xb21c3f23b21e261bc6f5440efd9d3572
        Message-Authenticator = 0x047a88b42dd297aff674849e11cc719b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 70
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 60
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0037], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0b95], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.1.1.1 port 47567
        EAP-Message = 0x7931263024060355040a131d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb21c3f23b31f261bc6f5440efd9d3572
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80, length=297
Cleaning up request 1 ID 80 with timestamp +54
        User-Name = "ktest"
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 150
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:1b:78:eb:c8:1d"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP01"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "NonAuth"
        Siemens-Topology = "Bridged at AP untagged"
        EAP-Message = 0x020300061900
        State = 0xb21c3f23b31f261bc6f5440efd9d3572
        Message-Authenticator = 0xce8fce3cab0d91febe1a2b82b5f43071
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.1.1.1 port 47567
        EAP-Message = 0xb0e4092778a12e41
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb21c3f23b018261bc6f5440efd9d3572
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80, length=297
Cleaning up request 2 ID 80 with timestamp +54
        User-Name = "ktest"
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 150
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:1b:78:eb:c8:1d"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP01"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "NonAuth"
        Siemens-Topology = "Bridged at AP untagged"
        EAP-Message = 0x020400061900
        State = 0xb21c3f23b018261bc6f5440efd9d3572
        Message-Authenticator = 0x552a1288d35108114eb710baa5d4e06d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.1.1.1 port 47567
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb21c3f23b119261bc6f5440efd9d3572
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80, length=297
Cleaning up request 3 ID 80 with timestamp +54
        User-Name = "ktest"
        NAS-IP-Address = 10.1.1.1
        NAS-Port = 150
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:1b:78:eb:c8:1d"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP01"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "NonAuth"
        Siemens-Topology = "Bridged at AP untagged"
        EAP-Message = 0x020500060319
        State = 0xb21c3f23b119261bc6f5440efd9d3572
        Message-Authenticator = 0xbb238eafebdfefd81192fb93cacdb01c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry ktest at line 209
++[files] returns ok
[ldap] performing user authorization for ktest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> ktest
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ktest)
[ldap] expand: o=org -> o=org
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=org, with filter (cn=ktest)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] ERROR! Our request for peap was NAK'd with a request for peap. Skipping the requested type.
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect ( [ldap] User not found): [ktest/<via Auth-Type = EAP>] (from client kasd port 150 cli 00:1b:78:eb:c8:1d)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[ldap] returns noop
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 80 to 10.1.1.1 port 47567
        Filter-Id = "Students"
        EAP-Message = 0x04050004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 4 ID 80 with timestamp +56
Ready to process requests.
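An added example (not the poster's code and not FreeRADIUS's own) that decodes the short EAP-Message values quoted in the log above using the RFC 3748 header layout; it assumes only the standard EAP type numbers (1 Identity, 3 NAK, 13 TLS, 25 PEAP) and shows that the client's final NAK asks for type 25 (PEAP), the very type the server had offered, which is exactly what the "NAK'd with a request for peap" error reports.

```python
import re

# Added example (not from the original post): decode the EAP headers
# (RFC 3748) carried in the EAP-Message attributes of a FreeRADIUS debug
# log, so the type negotiation behind the NAK error can be read directly.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed excerpt: the short EAP-Message values from the log above.
LOG_EXCERPT = """\
        EAP-Message = 0x0201000a016b74657374
        EAP-Message = 0x010200061920
        EAP-Message = 0x020300061900
        EAP-Message = 0x020500060319
        EAP-Message = 0x04050004
"""

def decode_eap(hexstr):
    """Parse one EAP packet given as 0x... hex; returns a dict of its fields."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("bad EAP length field for %s" % hexstr)
    code, ident, length = data[0], data[1], len(data)
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a type
        eap_type, body = data[4], data[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                   # Identity: the user name in clear
            pkt["identity"] = body.decode("ascii", "replace")
        elif eap_type == 3:                 # NAK: types the peer will accept instead
            pkt["desired"] = [EAP_TYPES.get(b, b) for b in body]
        elif eap_type in (13, 25):          # EAP-TLS/PEAP: flags byte, 0x20 = Start
            pkt["start"] = bool(body and body[0] & 0x20)
    return pkt

def decode_log(text):
    """Decode every EAP-Message line of a debug-log excerpt, in order."""
    return [decode_eap(h) for h in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]

def nak_mismatch(packets):
    """List NAKs that ask for the very type the server last requested."""
    hits, last_req = [], None
    for pkt in packets:
        if pkt["code"] == "Request":
            last_req = pkt.get("type")
        elif pkt.get("type") == "NAK" and last_req in pkt["desired"]:
            hits.append((pkt["id"], last_req))
    return hits
```

Feeding the full debug output to `decode_log` works the same way; the long certificate fragments simply decode as PEAP packets with the Start flag clear.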