I provide debug log for session 72, please see below. I've found the reason of failed authentication when connecting through AP 192.168.14.247. Compare request format from AP 192.168.14.241 with one from AP 192.168.14.247.
From AP 192.168.14.241: (27) Received Access-Request Id 9 from 192.168.14.241:3074 to xx.xx.xx.xx:1812 length 159 (27) User-Name = "oreshkin" (27) NAS-IP-Address = 192.168.14.241 (27) NAS-Port = 0 (27) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON" (27) Calling-Station-Id = "30-E3-7A-D5-61-F0" (27) Framed-MTU = 1400 (27) NAS-Port-Type = Wireless-802.11 (27) Connect-Info = "CONNECT 0Mbps 802.11" (27) EAP-Message = 0x0201000d016f726573686b696e (27) Message-Authenticator = 0x10afad72dec6e948c7598d93b080d695
From AP 192.168.14.247:
(72) Received Access-Request Id 94 from 192.168.14.247:1024 to xx.xx.xx.xx:1812 length 289 (72) User-Name = "oreshkin" (72) Framed-MTU = 1450 (72) EAP-Message = 0x02080062190017030300570000000000000002c33f501457841cbb0e149619fc4d43cc6a068202273d657c55e3e1d067dba950cae1b2c59d5e949e9e1703dc7b5db406d7385c0bc3fc2da7482ca85aeca17ddf01796fc871adcc26d52b52562636df (72) Message-Authenticator = 0xa57fbdeaacbf7b4d92e68fcf1563b7cc (72) NAS-IP-Address = 192.168.14.247 (72) NAS-Identifier = "3Com AP9552 Dual Band 802.11n" (72) NAS-Port = 16912385 (72) NAS-Port-Type = Wireless-802.11 (72) Service-Type = Framed-User (72) Framed-Protocol = PPP (72) Calling-Station-Id = "30-E3-7A-D5-61-F0" (72) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON" (72) Framed-IP-Address = 10.2.0.118 (72) State = 0xe46f1db3e267046e2153a66971fb5083 In request format from AP 192.168.14.247 presents line (72) Framed-Protocol = PPP Users login and password are kept in the file /etc/raddb/users Default user in /etc/raddb/users is specified as follows: DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP So radius selects DEFAULT user instead of my user name and hence (72) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password Read debug log ... (72) files: users: Matched entry DEFAULT at line 181 ... (72) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (72) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password In Radius 2 as DEFAULT user it was specified DEFAULT Auth-Type = System Fall-Through = 1 so authentication worked. In Radius 3 there is no " Auth-Type = System" so I've left DEFAULT which was in /etc/raddb/users At least I dont found suitable DEFAULT from the list in /etc/raddb/users May be you can suggest DEFAULT user ? Now I've commented out DEFAULT in /etc/raddb/users and authentication through AP 192.168.14.297 succeeded. Extract from debug log with authentication failed: --------------------------------- (72) Received Access-Request Id 94 from 192.168.14.247:1024 to xx.xx.xx.xx:1812 length 289 (72) User-Name = "oreshkin" (72) Framed-MTU = 1450 (72) EAP-Message = 0x02080062190017030300570000000000000002c33f501457841cbb0e149619fc4d43cc6a068202273d657c55e3e1d067dba950cae1b2c59d5e949e9e1703dc7b5db406d7385c0bc3fc2da7482ca85aeca17ddf01796fc871adcc26d52b52562636df (72) Message-Authenticator = 0xa57fbdeaacbf7b4d92e68fcf1563b7cc (72) NAS-IP-Address = 192.168.14.247 (72) NAS-Identifier = "3Com AP9552 Dual Band 802.11n" (72) NAS-Port = 16912385 (72) NAS-Port-Type = Wireless-802.11 (72) Service-Type = Framed-User (72) Framed-Protocol = PPP (72) Calling-Station-Id = "30-E3-7A-D5-61-F0" (72) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON" (72) Framed-IP-Address = 10.2.0.118 (72) State = 0xe46f1db3e267046e2153a66971fb5083 (72) session-state: No cached attributes (72) # Executing section authorize from file /etc/raddb/sites-enabled/default (72) authorize { (72) policy filter_username { (72) if (&User-Name) { (72) if (&User-Name) -> TRUE (72) if (&User-Name) { (72) if (&User-Name =~ / /) { (72) if (&User-Name =~ / /) -> FALSE (72) if (&User-Name =~ /@[^@]*@/ ) { (72) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (72) if (&User-Name =~ /\.\./ ) { (72) if (&User-Name =~ /\.\./ ) -> FALSE (72) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (72) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (72) if (&User-Name =~ /\.$/) { (72) if (&User-Name =~ /\.$/) -> FALSE (72) if (&User-Name =~ /@\./) { (72) if (&User-Name =~ /@\./) -> FALSE (72) } # if (&User-Name) = notfound (72) } # policy filter_username = notfound (72) [preprocess] = ok (72) [chap] = noop (72) [mschap] = noop (72) suffix: Checking for suffix after "@" (72) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL (72) suffix: No such realm "NULL" (72) [suffix] = noop (72) ntdomain: Checking for prefix before "\" (72) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL (72) ntdomain: No such realm "NULL" (72) [ntdomain] = noop (72) eap: Peer sent EAP Response (code 2) ID 8 length 98 (72) eap: Continuing tunnel setup (72) [eap] = ok (72) } # authorize = ok (72) Found Auth-Type = eap (72) # Executing group from file /etc/raddb/sites-enabled/default (72) authenticate { (72) eap: Expiring EAP session with state 0x34bd73d634b56993 (72) eap: Finished EAP session with state 0xe46f1db3e267046e (72) eap: Previous EAP request found for state 0xe46f1db3e267046e, released from the list (72) eap: Peer sent packet with method EAP PEAP (25) (72) eap: Calling submodule eap_peap to process data (72) eap_peap: Continuing EAP-TLS (72) eap_peap: [eaptls verify] = ok (72) eap_peap: Done initial handshake (72) eap_peap: [eaptls process] = ok (72) eap_peap: Session established. Decoding tunneled attributes (72) eap_peap: PEAP state phase2 (72) eap_peap: EAP method MSCHAPv2 (26) (72) eap_peap: Got tunneled request (72) eap_peap: EAP-Message = 0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e (72) eap_peap: Setting User-Name to oreshkin (72) eap_peap: Sending tunneled request to inner-tunnel (72) eap_peap: EAP-Message = 0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e (72) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (72) eap_peap: User-Name = "oreshkin" (72) eap_peap: State = 0x34bd73d634b56993b0879cec39df5238 (72) eap_peap: Framed-MTU = 1450 (72) eap_peap: NAS-IP-Address = 192.168.14.247 (72) eap_peap: NAS-Identifier = "3Com AP9552 Dual Band 802.11n" (72) eap_peap: NAS-Port = 16912385 (72) eap_peap: NAS-Port-Type = Wireless-802.11 (72) eap_peap: Service-Type = Framed-User (72) eap_peap: Framed-Protocol = PPP (72) eap_peap: Calling-Station-Id = "30-E3-7A-D5-61-F0" (72) eap_peap: Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON" (72) eap_peap: Framed-IP-Address = 10.2.0.118 (72) eap_peap: Event-Timestamp = "Jun 1 2020 14:14:50 MSK" (72) Virtual server inner-tunnel received request (72) EAP-Message = 0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e (72) FreeRADIUS-Proxied-To = 127.0.0.1 (72) User-Name = "oreshkin" (72) State = 0x34bd73d634b56993b0879cec39df5238 (72) Framed-MTU = 1450 (72) NAS-IP-Address = 192.168.14.247 (72) NAS-Identifier = "3Com AP9552 Dual Band 802.11n" (72) NAS-Port = 16912385 (72) NAS-Port-Type = Wireless-802.11 (72) Service-Type = Framed-User (72) Framed-Protocol = PPP (72) Calling-Station-Id = "30-E3-7A-D5-61-F0" (72) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON" (72) Framed-IP-Address = 10.2.0.118 (72) Event-Timestamp = "Jun 1 2020 14:14:50 MSK" (72) WARNING: Outer and inner identities are the same. User privacy is compromised. (72) server inner-tunnel { (72) session-state: No cached attributes (72) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (72) authorize { (72) policy filter_username { (72) if (&User-Name) { (72) if (&User-Name) -> TRUE (72) if (&User-Name) { (72) if (&User-Name =~ / /) { (72) if (&User-Name =~ / /) -> FALSE (72) if (&User-Name =~ /@[^@]*@/ ) { (72) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (72) if (&User-Name =~ /\.\./ ) { (72) if (&User-Name =~ /\.\./ ) -> FALSE (72) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (72) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (72) if (&User-Name =~ /\.$/) { (72) if (&User-Name =~ /\.$/) -> FALSE (72) if (&User-Name =~ /@\./) { (72) if (&User-Name =~ /@\./) -> FALSE (72) } # if (&User-Name) = notfound (72) } # policy filter_username = notfound (72) [chap] = noop (72) [mschap] = noop (72) ntdomain: Checking for prefix before "\" (72) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL (72) ntdomain: No such realm "NULL" (72) [ntdomain] = noop (72) update control { (72) &Proxy-To-Realm := LOCAL (72) } # update control = noop (72) eap: Peer sent EAP Response (code 2) ID 8 length 67 (72) eap: No EAP Start, assuming it's an on-going EAP conversation (72) [eap] = updated (72) files: users: Matched entry DEFAULT at line 181 (72) [files] = ok (72) [expiration] = noop (72) [logintime] = noop (72) [pap] = noop (72) } # authorize = updated (72) Found Auth-Type = eap (72) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (72) authenticate { (72) eap: Expiring EAP session with state 0x34bd73d634b56993 (72) eap: Finished EAP session with state 0x34bd73d634b56993 (72) eap: Previous EAP request found for state 0x34bd73d634b56993, released from the list (72) eap: Peer sent packet with method EAP MSCHAPv2 (26) (72) eap: Calling submodule eap_mschapv2 to process data (72) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (72) eap_mschapv2: authenticate { (72) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (72) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (72) mschap: Creating challenge hash with username: oreshkin (72) mschap: Client is using MS-CHAPv2 (72) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (72) mschap: ERROR: MS-CHAP2-Response is incorrect (72) [mschap] = reject (72) } # authenticate = reject (72) eap: Sending EAP Failure (code 4) ID 8 length 4 (72) eap: Freeing handler (72) [eap] = reject (72) } # authenticate = reject (72) Failed to authenticate the user (72) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [oreshkin] (from client 3com9552 port 16912385 cli 30-E3-7A-D5-61-F0 via TLS tunnel) (72) Using Post-Auth-Type Reject (72) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (72) Post-Auth-Type REJECT { (72) update outer.session-state { (72) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (72) } # update outer.session-state = noop (72) } # Post-Auth-Type REJECT = noop (72) } # server inner-tunnel (72) Virtual server sending reply (72) Framed-Protocol = PPP (72) Framed-Compression = Van-Jacobson-TCP-IP (72) MS-CHAP-Error = "\010E=691 R=1 C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed" (72) EAP-Message = 0x04080004 (72) Message-Authenticator = 0x00000000000000000000000000000000 (72) eap_peap: Got tunneled reply code 3 (72) eap_peap: Framed-Protocol = PPP (72) eap_peap: Framed-Compression = Van-Jacobson-TCP-IP (72) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed" (72) eap_peap: EAP-Message = 0x04080004 (72) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (72) eap_peap: Got tunneled reply RADIUS code 3 (72) eap_peap: Framed-Protocol = PPP (72) eap_peap: Framed-Compression = Van-Jacobson-TCP-IP (72) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed" (72) eap_peap: EAP-Message = 0x04080004 (72) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (72) eap_peap: Tunneled authentication was rejected (72) eap_peap: FAILURE (72) eap: Sending EAP Request (code 1) ID 9 length 46 (72) eap: EAP session adding &reply:State = 0xe46f1db3e366046e (72) [eap] = handled (72) } # authenticate = handled (72) Using Post-Auth-Type Challenge (72) # Executing group from file /etc/raddb/sites-enabled/default (72) Challenge { ... } # empty sub-section is ignored (72) session-state: Saving cached attributes (72) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (72) Sent Access-Challenge Id 94 from xx.xx.xx.xx:1812 to 192.168.14.247:1024 length 0 (72) EAP-Message = 0x0109002e190017030300232f1c04ca542acfe094941bb20f03a5498700ed1375fd28eec62833f28ad725fdd3f9f5 (72) Message-Authenticator = 0x00000000000000000000000000000000 (72) State = 0xe46f1db3e366046e2153a66971fb5083 (72) Finished request I've commented DEFAULT user in /etc/raddb/users and ср, 3 июн. 2020 г. в 16:06, Alan DeKok <aland@deployingradius.com>:
On Jun 3, 2020, at 6:27 AM, Anatoly Oreshkin <anatoly.oreshkin@gmail.com> wrote:
I was for several years successfully using Radius 2 with authentication types EAP (PEAP) mschapv2. Now I've upgraded to Radius 3 with the same authentication. From laptop under MS Windows 10 I' trying to connect to WiFi network
through
Access Points (AP). After some time I've managed to connect wifi network. Then I've disconnected intentionally from network and attempted once more connect to network but this time failed to connect. Radius debug log is very big, so I provide extract from Radius debug log below. From debug log I see that laptop is eventually authenticated through AP 192.168.14.241 but going through many unsuccessful steps. The line Login OK: [oreshkin] (from client 3com9150 port 0 cli 30-E3-7A-D5-61-F0) shows that.
Why is it required so many steps to successfully connect ? Some errors in radius configuration ?
Second attempt to connect after disconnection is failed. Why ?
Read the debug log.
(72) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (72) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
Why is there no password? I have no idea. You deleted all of the debug output from packet (72) which shows where the password came from. Which also mans we don't know *why* the password lookup failed.
Please follow the instructions on https://wiki.freeradius.org/list-help
There is no need to post debug output from an authentication session which succeeds. It doesn't help. Post the debug output for a session which fails. *ALL* of the debug output.
Editing the debug output is like taking your car to a mechanic and saying "something's wrong, but I'm not going to tell you what. You have to figure it out and fix it"
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html