<div dir="ltr"><div><div><div><div><div>Encountered the following issue.<br></div><br></div>Running FR 2.2.3. PEAP tunneled authentication was successful, but it gets rejected due to a username mismatch. No issue when both usernames are the same.<br>
<br></div>Snippet of the debug log. Full debug.log for the attempt and radiusd -X attached.<br><br>Tue Feb 11 09:58:32 2014 : Debug: ++update outer.reply {<br>Tue Feb 11 09:58:32 2014 : Debug: expand: %{request:User-Name} -> jacquegp<br>
Tue Feb 11 09:58:32 2014 : Debug: ++} # update outer.reply = noop<br>Tue Feb 11 09:58:32 2014 : Debug: +} # group post-auth = noop<br>Tue Feb 11 09:58:32 2014 : Debug: [peap] Tunneled authentication was successful.<br>Tue Feb 11 09:58:32 2014 : Debug: [peap] SUCCESS<br>
Tue Feb 11 09:58:32 2014 : Debug: [peap] Saving tunneled attributes for later<br>Tue Feb 11 09:58:32 2014 : Debug: ++[eap_custom] = handled<br>Tue Feb 11 09:58:32 2014 : Debug: +} # group authenticate = handled<br>Tue Feb 11 09:58:32 2014 : Debug: Sending Access-Challenge packet to host 172.23.12.254 port 1645, id=101, length=0<br>
Tue Feb 11 09:58:32 2014 : Debug: User-Name = "jacquegp"<br>Tue Feb 11 09:58:32 2014 : Debug: EAP-Message = 0x010a002b190017030100201278d8b49e1c026b2f34d961bf660de263813d0f9033639f146fe5baf2675fcf<br>
Tue Feb 11 09:58:32 2014 : Debug: Message-Authenticator = 0x00000000000000000000000000000000<br>Tue Feb 11 09:58:32 2014 : Debug: State = 0x1873098d1079106583e3066b1fd4db72<br>Tue Feb 11 09:58:32 2014 : Debug: Finished request 556186.<br>
Tue Feb 11 09:58:32 2014 : Debug: Received Access-Request packet from host 172.23.12.254 port 1645, id=102, length=283<br>Tue Feb 11 09:58:32 2014 : Debug: User-Name = "jacquegp"<br>Tue Feb 11 09:58:32 2014 : Debug: Framed-MTU = 1400<br>
Tue Feb 11 09:58:32 2014 : Debug: Called-Station-Id = "003a.9aba.7bf0"<br>Tue Feb 11 09:58:32 2014 : Debug: Calling-Station-Id = "8832.9b40.493a"<br>Tue Feb 11 09:58:32 2014 : Debug: Cisco-AVPair = "ssid=Wireless"<br>
Tue Feb 11 09:58:32 2014 : Debug: WISPr-Location-Name = "Location"<br>Tue Feb 11 09:58:32 2014 : Debug: Service-Type = Login-User<br>Tue Feb 11 09:58:32 2014 : Debug: Message-Authenticator = 0xd3c7bd34fe6ab7510f2d1c529f4e9513<br>
Tue Feb 11 09:58:32 2014 : Debug: EAP-Message = 0x020a005019001703010020090e5ecf84ca7daf04c43eff2c62dffd490c3165926acddb05e42bca4a2feae7170301002084ce26a1c964a6ab6f8a698a7731102564f9c8867a7a05ddd592d015c17d6649<br>Tue Feb 11 09:58:32 2014 : Debug: NAS-Port-Type = Wireless-802.11<br>
Tue Feb 11 09:58:32 2014 : Debug: NAS-Port = 4351<br>Tue Feb 11 09:58:32 2014 : Debug: NAS-Port-Id = "4351"<br>Tue Feb 11 09:58:32 2014 : Debug: State = 0x1873098d1079106583e3066b1fd4db72<br>Tue Feb 11 09:58:32 2014 : Debug: NAS-IP-Address = 172.23.12.254<br>
Tue Feb 11 09:58:32 2014 : Debug: NAS-Identifier = "Site"<br>Tue Feb 11 09:58:32 2014 : Debug: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>Tue Feb 11 09:58:32 2014 : Debug: +group authorize {<br>
Tue Feb 11 09:58:32 2014 : Debug: ++[preprocess] = ok<br>Tue Feb 11 09:58:32 2014 : Debug: [suffix] No '@' in User-Name = "jacquegp", looking up realm NULL<br>Tue Feb 11 09:58:32 2014 : Debug: [suffix] No such realm "NULL"<br>
Tue Feb 11 09:58:32 2014 : Debug: ++[suffix] = noop<br>Tue Feb 11 09:58:32 2014 : Debug: ++? if (Aruba-Essid-Name == "Visitor")<br>Tue Feb 11 09:58:32 2014 : Debug: (Attribute Aruba-Essid-Name was not found)<br>
Tue Feb 11 09:58:32 2014 : Debug: ? Evaluating (Aruba-Essid-Name == "Visitor") -> FALSE<br>Tue Feb 11 09:58:32 2014 : Debug: ++? if (Aruba-Essid-Name == "Visitor") -> FALSE<br>Tue Feb 11 09:58:32 2014 : Debug: ++else else {<br>
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] EAP packet type response id 10 length 80<br>Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Continuing tunnel setup.<br>Tue Feb 11 09:58:32 2014 : Debug: +++[eap_custom] = ok<br>
Tue Feb 11 09:58:32 2014 : Debug: ++} # else else = ok<br>Tue Feb 11 09:58:32 2014 : Debug: ++[expiration] = noop<br>Tue Feb 11 09:58:32 2014 : Debug: ++[logintime] = noop<br>Tue Feb 11 09:58:32 2014 : Debug: ++[pap] = noop<br>
Tue Feb 11 09:58:32 2014 : Debug: +} # group authorize = ok<br>Tue Feb 11 09:58:32 2014 : Debug: Found Auth-Type = eap_custom<br>Tue Feb 11 09:58:32 2014 : Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
Tue Feb 11 09:58:32 2014 : Debug: +group authenticate {<br>Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list<br>Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed.<br>
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler<br>Tue Feb 11 09:58:32 2014 : Debug: ++[eap_custom] = invalid<br>Tue Feb 11 09:58:32 2014 : Debug: +} # group authenticate = invalid<br>Tue Feb 11 09:58:32 2014 : Debug: Failed to authenticate the user.<br>
Tue Feb 11 09:58:32 2014 : Debug: Using Post-Auth-Type REJECT<br>Tue Feb 11 09:58:32 2014 : Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>Tue Feb 11 09:58:32 2014 : Debug: +group REJECT {<br>
Tue Feb 11 09:58:32 2014 : Debug: [attr_filter.access_reject] expand: %{User-Name} -> jacquegp<br>Tue Feb 11 09:58:32 2014 : Debug: ++[attr_filter.access_reject] = updated<br>Tue Feb 11 09:58:32 2014 : Debug: +} # group REJECT = updated<br>
Tue Feb 11 09:58:32 2014 : Debug: Delaying reject of request 556187 for 1 seconds<br>Tue Feb 11 09:58:33 2014 : Debug: Cleaning up request 556177 ID 92 with timestamp +1110040<br>Tue Feb 11 09:58:33 2014 : Debug: Sending delayed reject for request 556187<br>
Tue Feb 11 09:58:33 2014 : Debug: Sending Access-Reject packet to host 172.23.12.254 port 1645, id=102, length=0<br><br></div>Anyone seen this issue before?<br><br></div>Thanks.<br></div>