Hello I'm trying to use eapol_test to test freeradius EAP process. according to http://deployingradius.com/scripts/eapol_test/ I followed the steps to bring up FreeRadius Server version 2.1.12 and eapol_test (wpa_supplicant-2.0)in Ubuntu 10.04.But the authentication process was not success. It was always Access-Reject result. then i followed the website http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freerad... i do the step 4 in the above website,but it still does not work. do some radius configuration files(eg. eap.conf or radiusd.conf) need more modification ? Can anyone help me?Thanks! some important debug informations or file are below for eapol_test(PAP, user name is bob,his password is passbob,the secret is testing123,and the test is localhost environment): *(freeradius server terminal)* # radiusd -X ... adding new socket proxy address * port 48094 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44726, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x2f6860f96c26a5453d21db9125aff4e8 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> anonymous [sql] sql_set_user escaped user --> 'anonymous' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'anonymous' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'anonymous' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User anonymous not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 44726 EAP-Message = 0x01010016041031c544638527529b08c013be38035e82 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb81e5489b81f50a4b2d4f9c388430583 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 44726, id=1, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060315 State = 0xb81e5489b81f50a4b2d4f9c388430583 Message-Authenticator = 0xbd1047623d98324569e98d518045db81 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> anonymous [sql] sql_set_user escaped user --> 'anonymous' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'anonymous' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'anonymous' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User anonymous not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] NAK asked for unsupported type EAP-TTLS [eap] No common EAP types found. [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 1 to 127.0.0.1 port 44726 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +3 Waking up in 1.0 seconds. Cleaning up request 1 ID 1 with timestamp +3 Ready to process requests. *(eapol_test terminal)* # eapol_test -c eapol_test.conf.pap -s testing123 Reading configuration file 'eapol_test.conf.peap' Line: 4 - start of a new network block key_mgmt: 0x1 eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=3): 62 6f 62 bob anonymous_identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous password - hexdump_ascii(len=7): 70 61 73 73 62 6f 62 passbob phase2 - hexdump_ascii(len=8): 61 75 74 68 3d 50 41 50 auth=PAP Priority group 0 id=0 ssid='' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:34535 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=14) TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=126 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=16 Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 Attribute 80 (Message-Authenticator) length=18 Value: c6 18 63 bf 04 9d aa 99 df 2b e6 ae dc 9a 4f 62 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 71 fc 64 70 75 ac c6 10 c6 0a 4d e8 01 aa 41 ee Attribute 80 (Message-Authenticator) length=18 Value: d4 96 61 25 98 3c f3 94 58 65 88 46 9e fd 94 03 Attribute 24 (State) length=18 Value: f1 f3 cc a8 f1 f2 c8 96 aa 0e f0 55 a4 56 38 89 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Status notification: refuse proposed method (param=MD5) EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 15 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=136 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 15 Attribute 24 (State) length=18 Value: f1 f3 cc a8 f1 f2 c8 96 aa 0e f0 55 a4 56 38 89 Attribute 80 (Message-Authenticator) length=18 Value: 67 47 36 e8 38 3e 60 c6 cd 13 e5 02 76 cb 50 f8 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=1 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 01 00 04 Attribute 80 (Message-Authenticator) length=18 Value: ff 62 f1 59 12 84 99 e4 65 8a 03 00 53 97 b9 6b STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available MPPE keys OK: 0 mismatch: 1 FAILURE root@lsc-desktop:/opt/wpa_supplicant-2.0/wpa_supplicant# eapol_test -c eapol_test.conf.peap -s testing123 Reading configuration file 'eapol_test.conf.peap' Line: 4 - start of a new network block key_mgmt: 0x1 eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=3): 62 6f 62 bob anonymous_identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous password - hexdump_ascii(len=7): 70 61 73 73 62 6f 62 passbob phase2 - hexdump_ascii(len=8): 61 75 74 68 3d 50 41 50 auth=PAP Priority group 0 id=0 ssid='' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:44726 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=14) TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=126 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=16 Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 Attribute 80 (Message-Authenticator) length=18 Value: 2f 68 60 f9 6c 26 a5 45 3d 21 db 91 25 af f4 e8 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 31 c5 44 63 85 27 52 9b 08 c0 13 be 38 03 5e 82 Attribute 80 (Message-Authenticator) length=18 Value: b9 f5 cb c9 84 1d 02 3c 4f 4e 6e ef b2 d8 a7 dd Attribute 24 (State) length=18 Value: b8 1e 54 89 b8 1f 50 a4 b2 d4 f9 c3 88 43 05 83 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Status notification: refuse proposed method (param=MD5) EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 15 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=136 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 15 Attribute 24 (State) length=18 Value: b8 1e 54 89 b8 1f 50 a4 b2 d4 f9 c3 88 43 05 83 Attribute 80 (Message-Authenticator) length=18 Value: bd 10 47 62 3d 98 32 45 69 e9 8d 51 80 45 db 81 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=1 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 01 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 03 3b 7f f7 84 de 2c 69 6c 2f fe 4c fd 4e 92 f0 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available MPPE keys OK: 0 mismatch: 1 FAILURE *eapol_test.conf.pap file:* # # eapol_test -c eapol_test.conf.pap -s testing123 # network={ key_mgmt=WPA-EAP eap=TTLS identity="bob" anonymous_identity="anonymous" password="passbob" phase2="auth=PAP" # # Uncomment the following to perform server certificate validation. # ca_cert = /usr/local/etc/raddb/certs/ca.pem } two more question : 1.during the above process ,my /usr/local/var/log/radius.log is empty.why? 2.the user is bob,but in the radiusd -X debug information, it is < User-Name = "anonymous">.But if i uncomment the <anonymous_identity="anonymous">in the *eapol_test.conf.pap file, *it will change to be < User-Name = "bob">,so why? Thanks a lot !