They also say this: "The most common problem with PEAP is that the client sends a series of Access-Request messages, the server sends an series of Access-Challenge responses, and then... nothing happens. After a little wait, it all starts again. If you see this happening STOP! The RAIDUS server certificate has to have special OID's in it, or else the Microsoft clients will silently fail. etc." Ivan Kalik Kalik Informatika ISP Dana 11/5/2007, "anoop_c@sifycorp.com" <anoop_c@sifycorp.com> piše:
The FAQ, README, INSTALL, etc. all say to run the server in debugging mode to see what\'s going on.
Dear all I run the radius server in debug mode and the output is as follows. I didn;t get any clue for the problem.
[root@anoop raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = \"/usr/local\" main: localstatedir = \"/usr/local/var\" main: logdir = \"/usr/local/var/log/radius\" main: libdir = \"/usr/local/lib\" main: radacctdir = \"/usr/local/var/log/radius/radacct\" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = \"/usr/local/var/log/radius/radius.log\" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\" main: user = \"(null)\" main: group = \"(null)\" main: usercollide = no main: lower_user = \"no\" main: lower_pass = \"no\" main: nospace_user = \"no\" main: nospace_pass = \"no\" main: checkrad = \"/usr/local/sbin/checkrad\" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = \"(null)\" mschap: ntlm_auth = \"(null)\" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = \"tls\" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = \"(null)\" tls: pem_file_type = yes tls: private_key_file = \"/etc/raddb/certs/07xwifi.pem\" tls: certificate_file = \"/etc/raddb/certs/07xwifi.pem\" tls: CA_file = \"/etc/raddb/certs/root.pem\" tls: private_key_password = \"password\" tls: dh_file = \"/etc/raddb/certs/dh\" tls: random_file = \"/etc/raddb/certs/random\" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = \"(null)\" tls: cipher_list = \"(null)\" tls: check_cert_issuer = \"(null)\" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = \"tls\" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = \"/etc/raddb/huntgroups\" preprocess: hints = \"/etc/raddb/hints\" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = \"/etc/raddb/users\" files: acctusersfile = \"/etc/raddb/acct_users\" files: preproxy_usersfile = \"/etc/raddb/preproxy_users\" files: compat = \"no\" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = \"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = \"suffix\" realm: delimiter = \"@\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded detail detail: detailfile = \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = \"(null)\" unix: shadow = \"(null)\" unix: group = \"(null)\" unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = \"/usr/local/var/log/radius/radutmp\" radutmp: username = \"%{User-Name}\" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.50:1031, id=0, length=197 Message-Authenticator = 0xc7b1d7b5ec22e8aeb3d3c2a37c3b3a57 Service-Type = Framed-User User-Name = \"anoop07\" Framed-MTU = 1488 Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\" Calling-Station-Id = \"00-0E-35-F3-A1-67\" NAS-Identifier = \"D-Link Access Point\" NAS-Port-Type = Wireless-802.11 Connect-Info = \"CONNECT 54Mbps 802.11g\" EAP-Message = 0x0200000c01616e6f6f703037 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = \"STA port # 1\" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module \"preprocess\" returns ok for request 0 modcall[authorize]: module \"mschap\" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 12 rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation modcall[authorize]: module \"eap\" returns updated for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module \"files\" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type \"EAP\" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module \"eap\" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 192.168.0.50 port 1031 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x002d8b408269eb13be9fe51557152e71 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.50:1031, id=2, length=197 Message-Authenticator = 0xd4ad8d1460fc72220a6f4977f5267e73 Service-Type = Framed-User User-Name = \"anoop07\" Framed-MTU = 1488 Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\" Calling-Station-Id = \"00-0E-35-F3-A1-67\" NAS-Identifier = \"D-Link Access Point\" NAS-Port-Type = Wireless-802.11 Connect-Info = \"CONNECT 54Mbps 802.11g\" EAP-Message = 0x0202000c01616e6f6f703037 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = \"STA port # 1\" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module \"preprocess\" returns ok for request 1 modcall[authorize]: module \"mschap\" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation modcall[authorize]: module \"eap\" returns updated for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module \"files\" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type \"EAP\" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module \"eap\" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 2 to 192.168.0.50 port 1031 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x317c46c3f86f28005a91c1f1980ab3ab Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.0.50:1031, id=3, length=283 Message-Authenticator = 0x701e18b26592377cb69381a32d9b7549 Service-Type = Framed-User User-Name = \"anoop07\" Framed-MTU = 1488 State = 0x317c46c3f86f28005a91c1f1980ab3ab Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\" Calling-Station-Id = \"00-0E-35-F3-A1-67\" NAS-Identifier = \"D-Link Access Point\" NAS-Port-Type = Wireless-802.11 Connect-Info = \"CONNECT 54Mbps 802.11g\" EAP-Message = 0x020300500d800000004616030100410100003d0301464433995ca90757d734f0075c780c8f33eb9fdc362a96a9a3eee9d37cb4c71700001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = \"STA port # 1\" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module \"preprocess\" returns ok for request 2 modcall[authorize]: module \"mschap\" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation modcall[authorize]: module \"eap\" returns updated for request 2 users: Matched entry DEFAULT at line 153 modcall[authorize]: module \"files\" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type \"EAP\" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04bf], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004c], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module \"eap\" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 3 to 192.168.0.50 port 1031 EAP-Message = 0x0104040a0dc000000564160301004a0200004603014644339a2a93e1117f8dc62c68b0c2051f4cb05aa4ee8bf4060d2e103cad32312021dad64d5e809b5721688753c3fa8c1a57936fe7e37a42293229abde363dc93100040016030104bf0b0004bb0004b800022c3082022830820191a003020102020101300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d3037303131323135333533305a170d3038303131323135333533305a3060310b300906035504061302494e310b3009060355040813 EAP-Message = 0x02544e310d300b060355040a1304536966793110300e06035504031307303778776966693123302106092a864886f70d0109011614616e6f6f705f634073696679636f72702e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d2bbbe35bc8a47709632284aff484695385e69c3522f63da46834f9586a420bda380889693fa77fedd9ed4290e6f9ff4436721775294fc65a38fea098f18975b34b5063de27220e18a07d433cbb6e19aeb3f84b012f7c20071dd280457a932634bbe50f438cc2ee6f4d65fa395a10bdecc4bf9087979ec45af000940e186ed290203010001a317301530130603551d25040c300a06082b EAP-Message = 0x06010505070301300d06092a864886f70d0101040500038181000afea7f2a8a9cffe60baa8f779353c523457f8237faeff81ba5f2c22664c70b6b2fb58c8967ca4a4c847b80e1d5a6cc4558ffa1d161614f374d8b5efd565aa66045b192b3ac3da82c81c4a99fc10cfe473f9ac258ef99b16cbd335004677694a05addae48c6a9dcdb26b86ddb56c635266c33c7de7586543532692e5220d30b100028630820282308201eba003020102020100300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d EAP-Message = 0x3037303131323135333435305a170d3038303131323135333435305a303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e060355040313073037787769666930819f300d06092a864886f70d010101050003818d0030818902818100ba8b07a479bb6ce9adf2d8bc6ac9cf214506dfc039cb10c3b4d27d1bbc082caff0bb77424819728977f04b32e231a3c4755a65823b366f1a604f15ce6c499883ab7d2757a5a2c07a11e75b7a00d6c55a8fb7443b202a25a3cdaad39579b2d8f4c09c974056f0c8666fff754d574836fcaf105200fcd5df5158e2b387310c4ed90203010001a381 EAP-Message = 0x95308192301d0603551d0e041604149eda6f69065423 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19754bedc30572111832212fcc84191e Finished request 2 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.0.50:1031, id=4, length=209 Message-Authenticator = 0xcb2030e901c7f1526ddac51af57e4dba Service-Type = Framed-User User-Name = \"anoop07\" Framed-MTU = 1488 State = 0x19754bedc30572111832212fcc84191e Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\" Calling-Station-Id = \"00-0E-35-F3-A1-67\" NAS-Identifier = \"D-Link Access Point\" NAS-Port-Type = Wireless-802.11 Connect-Info = \"CONNECT 54Mbps 802.11g\" EAP-Message = 0x020400060d00 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = \"STA port # 1\" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module \"preprocess\" returns ok for request 3 modcall[authorize]: module \"mschap\" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation modcall[authorize]: module \"eap\" returns updated for request 3 users: Matched entry DEFAULT at line 153 modcall[authorize]: module \"files\" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type \"EAP\" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module \"eap\" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 4 to 192.168.0.50 port 1031 EAP-Message = 0x0105016e0d80000005647ec1c9e4d07a608e0e6dcd730f30630603551d23045c305a80149eda6f690654237ec1c9e4d07a608e0e6dcd730fa13fa43d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181006b514f008b6a77757fc73ddbe9d54e4ea925a1ab9ce80ad7895d6d19661d8b8558d0e359876aac023aa52d4273e00407b9b588b30dbc35c5911bc89d2d99677e0ec8dea17fece35d0b4dfab8775ba73eaeb0a0998bcdf1437cff0a1031f6a5b1 EAP-Message = 0x7e8bcdc01e2e964cb256f49d947eea2cfd42989aef397fa438be294fa3dc7a3d160301004c0d000044020102003f003d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e06035504031307303778776966690e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc59784c151c5f91316f8ad08591688c Finished request 3 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.0.50:1031, id=5, length=209 Message-Authenticator = 0x25ded394258af7d7d4a0822acf32fbf7 Service-Type = Framed-User User-Name = \"anoop07\" Framed-MTU = 1488 State = 0xdc59784c151c5f91316f8ad08591688c Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\" Calling-Station-Id = \"00-0E-35-F3-A1-67\" NAS-Identifier = \"D-Link Access Point\" NAS-Port-Type = Wireless-802.11 Connect-Info = \"CONNECT 54Mbps 802.11g\" EAP-Message = 0x020500060d00 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = \"STA port # 1\" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module \"preprocess\" returns ok for request 4 modcall[authorize]: module \"mschap\" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation modcall[authorize]: module \"eap\" returns updated for request 4 users: Matched entry DEFAULT at line 153 modcall[authorize]: module \"files\" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type \"EAP\" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module \"eap\" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 5 to 192.168.0.50 port 1031 EAP-Message = 0x0106000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfc4dda99d8ba977e9954c938dac93595 Finished request 4 Going to the next request Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 46443398 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 2 with timestamp 4644339a Cleaning up request 2 ID 3 with timestamp 4644339a Cleaning up request 3 ID 4 with timestamp 4644339a Cleaning up request 4 ID 5 with timestamp 4644339a Nothing to do. Sleeping until we see a request.
Anoop
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html