On Oct 2, 2017, at 4:28 PM, Oliver Webb <ow97nospam@outlook.com> wrote:
Apologies for the inconvenience. As requested, the server's debug output as produced during a radeapclient request:
Let's go through out it and pick out the important bits.
(0) Received Access-Request Id 231 from 192.168.1.106:35591 to 192.168.2.110:1812 length 51 (0) User-Name = "tu" (0) Message-Authenticator = 0x79b0471727dfc9526dfc5f2427b06cc9 (0) EAP-Message = 0x02d20007017475
Note there's no User-Password attribute in the request. Because it's EAP. There's not *supposed* to be a User-Password attribute.
... (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tu' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tu' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: Cleartext-Password := "testp2"
That's good.
... (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xfdc37fcafd107bfc (1) eap: Finished EAP session with state 0xfdc37fcafd107bfc (1) eap: Previous EAP request found for state 0xfdc37fcafd107bfc, released from the list (1) eap: Peer sent packet with method EAP MD5 (4) (1) eap: Calling submodule eap_md5 to process data (1) eap: Sending EAP Failure (code 4) ID 211 length 4 (1) eap: Freeing handler (1) [eap] = reject
Whatever password you entered in radeapclient doesn't match what's in the SQL database. It works for me with this input file in radeapclient: User-Name = "bob" Cleartext-Password = "bob" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "bob" Message-Authenticator = 0 NAS-Port = 0 Alan DeKok.