thank you Alan (i am on the FAQ) user=maman passwd= maman is a sql based user. trying peap with sql based user give error message, but trying it with Ad_based user give no error message, just don't connect... with radtest: radtest maman maman localhost 1812 testing123 Sending Access-Request of id 48 to 127.0.0.1 port 1812 User-Name = "maman" User-Password = "maman" NAS-IP-Address = 127.0.0.2 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=48, length=20 same credential with my Access-Point (part of output). --------------------------------------------------------------------------------------------- rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password expand: --username=%{mschap:User-Name} -> --username=maman mschap2: 64 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2ebb047f9367e21a expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9a350da9a792cd203c8bbc949a8522dc0540f2f6561bc24b Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61 via TLS tunnel) } # server (null) PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\021E=691 R=1" EAP-Message = 0x04110004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81d8f90 3 MS-CHAP-Error = "\021E=691 R=1" EAP-Message = 0x04110004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 93 to 10.10.44.246 port 1036 EAP-Message = 0x011200261900170301001b073fa5a0bd298ecb1079cb86c898132309fee25458125b2dd2fa73 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf57621b1f264389c4e317c094fd9f295 Finished request 477. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1036, id=94, length=194 User-Name = "maman" NAS-IP-Address = 10.10.44.246 NAS-Port = 2 Called-Station-Id = "00-1C-F0-08-FB-FA:PEAP" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021200261900170301001b45d08a0aa2a8e62c56613f082cafa76f4b6f51d358557fefd07b7f State = 0xf57621b1f264389c4e317c094fd9f295 Message-Authenticator = 0xc80003ff430d4f991ea016e1e620ecaf +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "maman", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 18 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> maman attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 94 to 10.10.44.246 port 1036 EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 478. Going to the next request Waking up in 4.8 seconds. --------------------------------------------------------------------------------------------- ----- Message d'origine ---- De : Alan DeKok <aland@deployingradius.com> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Samedi, 19 Juillet 2008, 17h19mn 58s Objet : Re: Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that? Reveal MAP wrote:
Now i am trying to authenticate via PEAP a user existing onmy sql database:
The debug log doesn't show that.
the output is too long, mailing list parameters won't accept it. i post part of the output that seem to give the point of misconfiguration. if it is not sufficient, please let me know, and i will find a way to put somewher the whole output of RADIUD -X. thank you. ... Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
What's the problem? You're using Samba to authenticate to Active Directory, and the password is wrong. Check that the passwords are correct. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr