Hello Mailing-List Members, I have manged to set up an freeradius server with mysql backend. My Supplicants are TP-Link Accesspoints (will be exchanged to Unifi soon) with OpenWRT installed. Port-Based authentacation and dynamic VLAN assignment works. All Passwords in the MySQL Database are stored as Cleartext-Password. Everythings works fine. I have tested the envirement with radtest and Smartphones and laptops via the Accesspoint. No I have changed the Database table radcheck to store MD5-Password. Tests with radtest works, but livetest will be rejected. I really dont know much about protocolls (pap, chap, eap and so on) Debigging freeradius told me that radtest uses pap and live test via accespoint cant establish pap and uses somthing other. Is there someone who can help me please. The System is not live yet. So we can search for my fault or I also can setup a new freeradius if troubleshooting ends up with a neverending story :-) Background: We are a BOYD school. If the solution is to install a protocoll extension on every client of our students to achieve md5 passwords, than the project is not possible and I will keep Cleartext-Password Best Regards Jan If you want to see more outputs or config-file, tell me, I will post them Here is the Debug output: rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=236, length=185 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x0286000b01467563687341 Message-Authenticator = 0x819d0053ba71a3c1525673a983d95924 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 134 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> FuchsA [sql] sql_set_user escaped user --> 'FuchsA' rlm_sql (sql): Reserving sql socket id: 17 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'FuchsA' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'FuchsA' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'FuchsA' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id [sql] User found in group admin [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id rlm_sql (sql): Released sql socket id: 17 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 236 to 10.4.254.128 port 47333 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "250" EAP-Message = 0x01870016041036755ba251ac95120aa224d97bd61aa9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206da51747a13dedf79c550bd5 Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=237, length=200 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028700080319152b State = 0x6d2213206da51747a13dedf79c550bd5 Message-Authenticator = 0xdc30aaf425f5dabaa0472c254f5384b8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 135 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> FuchsA [sql] sql_set_user escaped user --> 'FuchsA' rlm_sql (sql): Reserving sql socket id: 16 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'FuchsA' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'FuchsA' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'FuchsA' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id [sql] User found in group admin [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id rlm_sql (sql): Released sql socket id: 16 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 237 to 10.4.254.128 port 47333 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "250" EAP-Message = 0x018800061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206caa0a47a13dedf79c550bd5 Finished request 29. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=238, length=319 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x0288007f19800000007516030100700100006c030157eb768e89b2857cbe003d1389f98db48372a8570086886e7b71517d1a05be1400002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 State = 0x6d2213206caa0a47a13dedf79c550bd5 Message-Authenticator = 0x45280af78c56a967ba77f3210aa4fe44 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 136 length 127 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02ca], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 238 to 10.4.254.128 port 47333 EAP-Message = 0x0189040019c00000046616030100390200003503013cc6e4266ef83183eb4609ac0eae4f941b2e88e0103f771e18a149ae336fb3ae00c01400000dff01000100000b00040300010216030102ca0b0002c60002c30002c0308202bc308201a4a003020102020900a5fffa2bd980f52f300d06092a864886f70d01010b050030163114301206035504030c0b7261737062657272797069301e170d3136303531363039353930305a170d3236303531343039353930305a30163114301206035504030c0b726173706265727279706930820122300d06092a864886f70d01010105000382010f003082010a0282010100c3d09a5c1cf391c424a9db1c9546 EAP-Message = 0xe2d0d56ef0c7992e58cc9fddfcca2e1e792de870f1b44732e39760c9be69d00bee75ebb6544ef6e7552cd6071cf42a0314dfcf5f6588403e82906d1bdc76e22d83d897f5822cc3ad4e8688b26a7e51272de8f12178c18eeef3736db12c082c610cf4ed064ca669a8502cd0b304f9b347e9b6e792d22b7477447b724fc1a5b8feaa5bc2dab89c47f61083f2ad2a713346a45779f64738f78e6c6b50dd9fba57b8c429d9130ffe2852ae300f0da67338d241c7f9ed1a3edfd9e60e4a204888db9e7c2b2c4b2720cac0bb75955fdc8dededdcd3005b33e3c3665cb56f8fea647fe98b100ac37981f6664b06baf77672578b49510203010001a30d300b3009 EAP-Message = 0x0603551d1304023000300d06092a864886f70d01010b0500038201010059f5ccb527a5c95bd585d481cf2c0d940a2100bfe19c781f8fc6c9fe6ecf9581cc11899915a4a4a76f93ce5d9a27a1377e9f5b595d0c91b85158b46264b6bbf53d663f5972a29bb9ee27f94fa19c0e10cb315bbfff1a0b9dada6af7b44055bde3a97fce3d03d0e3d9dd2ca98d02899654c38e978067be45716b8095b7eec985ed5766a840d768fde1384f8d70c2b2b62f3bf1ce577e8c7e55870217ef8101973e33c417108d7645823438b1b637bf66d11755e23ccceabf7256480a3ce55f410d5479aa862e7cd048a3661213131c38bdcfae6a8223dbc92e680e4e8feee2c86 EAP-Message = 0xf60edf462d78a0cd61d0be2a807c82feddfb62a74cd23265bc34cf55c8de1296160301014b0c00014703001741043ead1ff12c3e5fed822014f6d59b539cabcbf196f4eb40ee5d62854c0dc2bdda5030b357400422658f71d055af54e1d62e7e5a5b9f22432c813f8003c72c570601009811ddf450723aa785b5bc9629ba26c9e1b1806b3e0ea97361040fb1b81deb2dd6e9ff5ad8e1961704df861d7487ac12fbdad29924c1f5ae6898b24f41103a99de1ee61d9a28ff0ae4db32bddace0029ac193391d575036ce541a1e8c989db3582cab0533386df57b67fa022ef71e3102b85135d484fc70a870f51145e5adb1d1881eb9ecb51be126594cd950c EAP-Message = 0x9e950b6987abca735dd6656b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206fab0a47a13dedf79c550bd5 Finished request 30. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=239, length=198 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028900061900 State = 0x6d2213206fab0a47a13dedf79c550bd5 Message-Authenticator = 0x7e55a5a478220f8876242bc4959696cd # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 137 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 239 to 10.4.254.128 port 47333 EAP-Message = 0x018a007619000822c25dfccbe32a0f8e5d315cbeb3f24eda13493ae01b43ca705bfd836af6a8ac776f2152e0481330415ba2b210ef511fd77d1c99a915e5624ce91cb979472e0117e1f9abeee7791ef4bbf951f30d85246f947afe66649ba8497178fb9172a8951fb621fbcc4416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206ea80a47a13dedf79c550bd5 Finished request 31. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=240, length=336 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028a00901980000000861603010046100000424104acff38e6d2efbb463eb192cbfd1960fc9726ecd13a153cfa0a86e678bcc4c07b968b58bad98e7ede0da65e40e22443b1243af69357374a908aa0eaaa8189bcbe140301000101160301003047da577f491a90ecf37d4971f3fbf1b674805e3211566f9a18a7d8237f3434aca36930765161165150e20ee086fa47be State = 0x6d2213206ea80a47a13dedf79c550bd5 Message-Authenticator = 0x01f653ca010fc02c1e138ba276e5028b # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 138 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 240 to 10.4.254.128 port 47333 EAP-Message = 0x018b004119001403010001011603010030754f1b44a5ef9a3eb053ca666d7928e0ec660a6761ee7d3cfe8502961adfdfb081f8e341bf29200b219a09d1b4f89b3a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d22132069a90a47a13dedf79c550bd5 Finished request 32. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=241, length=198 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028b00061900 State = 0x6d22132069a90a47a13dedf79c550bd5 Message-Authenticator = 0x614e1872ae450f11e6193f10d89d1152 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 139 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 241 to 10.4.254.128 port 47333 EAP-Message = 0x018c002b1900170301002040970fe4cdfce1c98d07750e9e8dfbfe6203c4c251f1c91f41a0a8c5af703471 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d22132068ae0a47a13dedf79c550bd5 Finished request 33. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=242, length=235 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028c002b19001703010020a4f6487c901e758952d4ebb8192b06a100c952c0f51cbf9075095376ce46d79d State = 0x6d22132068ae0a47a13dedf79c550bd5 Message-Authenticator = 0x0d74a47e1f6a7da6ff1d1d56c9306c7f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 140 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - FuchsA [peap] Got inner identity 'FuchsA' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x028c000b01467563687341 server { [peap] Setting User-Name to FuchsA Sending tunneled request EAP-Message = 0x028c000b01467563687341 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "FuchsA" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 140 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> FuchsA [sql] sql_set_user escaped user --> 'FuchsA' rlm_sql (sql): Reserving sql socket id: 15 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'FuchsA' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'FuchsA' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'FuchsA' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id [sql] User found in group admin [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id rlm_sql (sql): Released sql socket id: 15 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "250" EAP-Message = 0x018d00201a018d001b10221b294c64d499b6034b7a226fd25479467563687341 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8847961788ca8c9cc6104708d23e8f0f [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "250" EAP-Message = 0x018d00201a018d001b10221b294c64d499b6034b7a226fd25479467563687341 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8847961788ca8c9cc6104708d23e8f0f [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 242 to 10.4.254.128 port 47333 EAP-Message = 0x018d004b19001703010040f16b47ee01283d92c5211f2eba865c3cf690c5d8f379e6ceee8b650118294e59d208ef197054f33899aa42b3b5bb564c958de862da3e91f39a3855befbf2d416 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206baf0a47a13dedf79c550bd5 Finished request 34. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=243, length=299 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028d006b1900170301006032b97f11dad52cbaccf648b6e4c7e35fd590aa635a565d03d9c20b05c6e279f28ca0e9805a8fc5571a52378448b1e51fe1d64414e0a0d2e183a54ff7f8b97b31fe341b0a4b65f3a2c1d63dacb20e2c2b0aad4d3b77bcef5d7cc5ca14c78dbf67 State = 0x6d2213206baf0a47a13dedf79c550bd5 Message-Authenticator = 0x4d2fe674478a1905fc8bcb893ab44529 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 141 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x028d00411a028d003c318eac3750d1e862afbc3e94a20e35e8370000000000000000f60f6c1f11e9ecee306c68cb23756e67bd0c66735896eecf00467563687341 server { [peap] Setting User-Name to FuchsA Sending tunneled request EAP-Message = 0x028d00411a028d003c318eac3750d1e862afbc3e94a20e35e8370000000000000000f60f6c1f11e9ecee306c68cb23756e67bd0c66735896eecf00467563687341 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "FuchsA" State = 0x8847961788ca8c9cc6104708d23e8f0f server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 141 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> FuchsA [sql] sql_set_user escaped user --> 'FuchsA' rlm_sql (sql): Reserving sql socket id: 14 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'FuchsA' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'FuchsA' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'FuchsA' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id [sql] User found in group admin [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id rlm_sql (sql): Released sql socket id: 14 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: FuchsA [mschap] Client is using MS-CHAPv2 for FuchsA, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> FuchsA attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\215E=691 R=1" EAP-Message = 0x048d0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\215E=691 R=1" EAP-Message = 0x048d0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 243 to 10.4.254.128 port 47333 EAP-Message = 0x018e002b1900170301002023498abf9b5d47cb17b4ebf0b990c141fcbd38fd2a87b7d8294e62fc5da56cce Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2213206aac0a47a13dedf79c550bd5 Finished request 35. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=244, length=235 User-Name = "FuchsA" Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "44-00-10-57-E4-82" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "57DD11F2-0000001E" X-Ascend-Home-Agent-UDP-Port = 1027076 X-Ascend-Multilink-ID = 1027076 X-Ascend-Num-In-Multilink = 1027073 Framed-MTU = 1400 EAP-Message = 0x028e002b19001703010020f39ddab6c30dbe6e7aa9b45952c3032c64658f9f7db0a3c653ba5ec288b9ccaa State = 0x6d2213206aac0a47a13dedf79c550bd5 Message-Authenticator = 0x35027d583f9d44fccca2de40949ce9e1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "FuchsA", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 142 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> FuchsA attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 36 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 36 Sending Access-Reject of id 244 to 10.4.254.128 port 47333 EAP-Message = 0x048e0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. Cleaning up request 28 ID 236 with timestamp +189 Cleaning up request 29 ID 237 with timestamp +189 Cleaning up request 30 ID 238 with timestamp +189 Cleaning up request 31 ID 239 with timestamp +189 Cleaning up request 32 ID 240 with timestamp +189 Cleaning up request 33 ID 241 with timestamp +189 Cleaning up request 34 ID 242 with timestamp +189 Waking up in 0.1 seconds. Cleaning up request 35 ID 243 with timestamp +189 Waking up in 1.0 seconds. Cleaning up request 36 ID 244 with timestamp +189 Ready to process requests.