Dear Phil, By removing this option, it tries to authenticate with EAP/MSCHAPv2, and also fails. Authentication is what I'm doing wireless network. Below is the result of debugging when I removed the Auth-Type PAP table radgroupcheck: [sql_visitantes] expand: %{Stripped-User-Name} -> usql2 [sql_visitantes] sql_set_user escaped user --> 'usql2' rlm_sql (sql_visitantes): Reserving sql socket id: 1 [sql_visitantes] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'usql2' ORDER BY id [sql_visitantes] User found in radcheck table [sql_visitantes] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'usql2' ORDER BY id [sql_visitantes] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'usql2' ORDER BY priority [sql_visitantes] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'visitantes' ORDER BY id [sql_visitantes] User found in group visitantes [sql_visitantes] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'visitantes' ORDER BY id rlm_sql (sql_visitantes): Released sql socket id: 1 +++[sql_visitantes] returns ok ++- if (Realm == "visitantes" ) returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list *[eap] EAP/mschapv2* [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: usql2@visitantes [mschap] Told to do MS-CHAPv2 for usql2@visitantes with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. 2011/3/17 Phil Mayers <p.mayers@imperial.ac.uk>
On 03/17/2011 08:01 PM, joaocdc@gmail.com wrote:
*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!*
This is very clear:
mysql> select * from radgroupcheck; +----+------------+-----------+----+-------+ | id | groupname | attribute | op | value | +----+------------+-----------+----+-------+ | 1 | visitantes | Auth-Type | := | PAP | +----+------------+-----------+----+-------+ 1 row in set (0.00 sec)
This is wrong. Remove it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc "O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los."