Hi, I'm using freeradius 2.1.12 with mysql module (freeradius-mysql) I want to authenticate users by MAC address, so in radcheck table I set the attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user can't authenticate, when I delete this row, user can authenticate perfectly, so it seems this is not the way I should configure server to perform MAC authentication. Could somebody help me with this? Thanks [this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}: rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c0164707275656261 Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 158 to 10.25.4.250 port 44145 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010100160410ce619bb1b16b584f4a55e298b518b595 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa65090b9e5aa8a871ea68523 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=159, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060319 State = 0xa65194aaa65090b9e5aa8a871ea68523 Message-Authenticator = 0x49e2f93415e6ffa01f754feda2629bd6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 159 to 10.25.4.250 port 44145 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa7538db9e5aa8a871ea68523 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=160, length=364 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020200c81980000000be16030100b9010000b503015638bd689d9c6ee8b3f1a8853b65c2d8594789b893023905f46fa838fdcda289000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0xa65194aaa7538db9e5aa8a871ea68523 Message-Authenticator = 0x4120527dda65730b1f014fa03c973746 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 200 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 190 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02c8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 160 to 10.25.4.250 port 44145 EAP-Message = 0x0103040019c0000004641603010039020000350301e349bb58d1d3295ec527d76a7eebdca2d3fb2ae4cfac72f973ffbcff62a77a9b00c01400000dff01000100000b00040300010216030102c80b0002c40002c10002be308202ba308201a2a003020102020900ce69d09555557538300d06092a864886f70d01010b05003015311330110603550403130a77696669726164697573301e170d3135313032393135313530325a170d3235313032363135313530325a3015311330110603550403130a7769666972616469757330820122300d06092a864886f70d01010105000382010f003082010a02820101009c1433a91142092dabc37d5325c8eeb6 EAP-Message = 0x056e5c2013b734155ed595d570443d4b9a775fff03d74f88a6f77c3a77dd9339394d356639a69ff20868d94749a4683d0a7d72b13bf305c6fb760f1779401d713c872f90ed68c957f9f5c83d78be375233516f99c8e24fd6be6f98e804a00ad929b5681112ff83fb0d89b33aa9ce1e3406c05676b25eb62ffecd39f17361184a3e7438f6a83738c69a31285ebde0025a9fddbab018c07007d979dfd14bccd171f3994dde09244972aa69a2227fd4af075490577d77d6997c4b4e543872e5adc5860c356203e996f8eda8e90633078f60f24529efc19a311206e5e519517aa9b64d224416b4d27bd5daf5ffe66772cc710203010001a30d300b30090603 EAP-Message = 0x551d1304023000300d06092a864886f70d01010b050003820101001eb333a9023182bea3f5cff9d9bb6f237209706cd1b8aa42db6a1e2505f0355d5aab0e49640191fbc54464fd8bdaad9ac8633650c99178c78d09d9b9db9971c98b6283999da38050e411a9049eb93c355cd913f792795957e37e3376ec144d8de7bf6d434e3450029dc669a4ea176aeddfb612f280cc5a44ed86ecf0bb6b932b962f9b075eb63eb10af2e425f0909836cca41706f236d058fc7f50953ee08fbfd43bed06151eb2dbe1eb3184fe72b4f18ae17bfb5c2581b181fa260ab7c86837f9f748c9694a5db35ced09c94ef5e936659b1cc8e99d2b0d78abf8c03022c5c06d87 EAP-Message = 0x3d9820712b41eeabe4600486644990bc34b49890a14c0a2ffb9dc60483cf160301014b0c0001470300174104bb1283b8643e3a221a317f23a50a31b91f0799d4a8bebf1893b54c405da7cfa4cd07033b70a12d18c761eb1e11d6d4d7b967704f91dfc93ecf68d6642d019e5f01002cfc8504d595106cf4add50a3f5b31bf94daa316072eb0bb2f6e2883763a4918ae23c5f18c16d3ce50b86e3c3834882a874b5c25cc96d55b100b826e87267ec61b627c8846c2740fe2a5b33e241eff469723ac7d6bc838ae8e7145ab8c3b40e5c148e48e3af994b76f2cc1a8e3a63337b8acf961bd6c8f0724a902470a0f5d52c50d017556f75b5aa427a49af80e21 EAP-Message = 0x3f55b8c20d939065e7bf45cf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa4528db9e5aa8a871ea68523 Finished request 38. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=161, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020300061900 State = 0xa65194aaa4528db9e5aa8a871ea68523 Message-Authenticator = 0xe8ae7aafbf65523d200ffe429c2a66c0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 161 to 10.25.4.250 port 44145 EAP-Message = 0x0104007419001aeaaf3170c28c77913b4c33a2dc5c4386afd7f37111872be8af7d575e4b323a56a89f84122b92b22f77f88514a1ac593d3e885beea192f419e198caaaab64e37478cb4f40365cbee9fb50eb0dabbecde54aae6482c7aab720d5006138438a26acbca734bc16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa5558db9e5aa8a871ea68523 Finished request 39. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=162, length=308 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0204009019800000008616030100461000004241045751461749561a2d5d3194b5e79d548e8933be5aa103414fc3316cdfd2d30edab44a349495eecd34490465dc08f3270bf3ac231bcdedb40158cad7d15525d1b51403010001011603010030f69b46babe879f7a06ef536a075e1c7b034f341fae14fa451570db3c7767ebc66cbec2db5bb2dc58c6cabdf2700bc777 State = 0xa65194aaa5558db9e5aa8a871ea68523 Message-Authenticator = 0xf96563cc6ba01abaa1048cfff4efd9d0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 162 to 10.25.4.250 port 44145 EAP-Message = 0x0105004119001403010001011603010030026f349689fa5da4363102163d0dd8908f1b5847d21dc1f95bbf9377d897232d5477a431b68c6d561f47c34ea8b3c2d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa2548db9e5aa8a871ea68523 Finished request 40. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=163, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020500061900 State = 0xa65194aaa2548db9e5aa8a871ea68523 Message-Authenticator = 0x00bd0e39e83e214fb866c735ff089d2b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 163 to 10.25.4.250 port 44145 EAP-Message = 0x0106002b190017030100208c4dccbdfac51bb4b216b385ee7d974f9e675fe16104eb4274dfc9bb5f263ca6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa3578db9e5aa8a871ea68523 Finished request 41. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=164, length=244 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02060050190017030100203f864e1a350a312975bdbbfcaf7ff2021d133bcb969b27210179851fc1ccb40b17030100206e0599cf15687f6c43aa33ec532c67e0ddc39ccb74fc3adb2473376d3b5bcb85 State = 0xa65194aaa3578db9e5aa8a871ea68523 Message-Authenticator = 0x14b99b8e5853b55670f8936e949ae9cd # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - dprueba [peap] Got inner identity 'dprueba' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c0164707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x0206000c0164707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138ded3d138af7a13ad2c8138d486583 [peap] Got tunneled reply RADIUS code 11 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138ded3d138af7a13ad2c8138d486583 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 164 to 10.25.4.250 port 44145 EAP-Message = 0x0107004b19001703010040bdef2d38678359432d6266c8d7f420ba14921ee87fd862a0a7257e539659dcc0bec990abad261b9f26bbe5db1ac85bd262bf5de6fb73e3ae326f294d6060c824 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa0568db9e5aa8a871ea68523 Finished request 42. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=165, length=308 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0207009019001703010020acb86b95706efaa775287c058b069664408382577b67bb85dbf0b0799c35f099170301006048783d63d8d53df67cc63b4e341b204c0b332e503cda2f22d44cef5660f2d60d0622885dd9e96b86e2a8948f60bfc5453e48eaaa1b118be663680db9d6de04cb9a9730bcdc7387e8f391ac68206356df81cb4e9d10e10835ef2ddd691ac730a6 State = 0xa65194aaa0568db9e5aa8a871ea68523 Message-Authenticator = 0x4773d1a02e02785f3c640a863b235080 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba" State = 0x138ded3d138af7a13ad2c8138d486583 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: dprueba [mschap] Told to do MS-CHAPv2 for dprueba with NT-Password *[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.[mschap] FAILED: MS-CHAP2-Response is incorrec*t ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 165 to 10.25.4.250 port 44145 EAP-Message = 0x0108002b190017030100200f7edf20af25286e24f0a1ec03a04a5e4b893e385955244fa3c44457b30c81cb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa1598db9e5aa8a871ea68523 Finished request 43. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=166, length=244 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0208005019001703010020a60874f0b621b855a82de262f1330ac8a1b05f4708527620f981ef3722e3b1cf170301002006ae0d5ee86405c776ba893bd138d82d811bcf6916da13d0681a9d327692ef1b State = 0xa65194aaa1598db9e5aa8a871ea68523 Message-Authenticator = 0xa8b1ee9f9adf7785813d07e9b14f55a9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. *[peap] Peap state send tlv failure* [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dprueba attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 44 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 44 Sending Access-Reject of id 166 to 10.25.4.250 port 44145 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 36 ID 158 with timestamp +40 Cleaning up request 37 ID 159 with timestamp +40 Cleaning up request 38 ID 160 with timestamp +40 Cleaning up request 39 ID 161 with timestamp +40 Cleaning up request 40 ID 162 with timestamp +40 Cleaning up request 41 ID 163 with timestamp +40 Cleaning up request 42 ID 164 with timestamp +40 Cleaning up request 43 ID 165 with timestamp +40 Waking up in 1.0 seconds. Cleaning up request 44 ID 166 with timestamp +41 Ready to process requests.