Dear Hoercher, Thank you for your email. I noticed that too, however it didn't seem working and it stopped with error even before that with the following users entry : "testuser" User-Password := "testuser" the error was about no matching "anonymous_identity", and thats why I had to have a DEFAULT entry after this with Auth-Type :=EAP. Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is "testuser/testuser". Below is my full debug out put. Please advise further ... Rafi # ./radiusd -X -A -f -s^M Starting - reading configuration files ...^M reread_config: reading radiusd.conf^M Config: including file: /usr/local/etc/raddb/proxy.conf^M Config: including file: /usr/local/etc/raddb/clients.conf^M Config: including file: /usr/local/etc/raddb/snmp.conf^M Config: including file: /usr/local/etc/raddb/eap.conf^M Config: including file: /usr/local/etc/raddb/sql.conf^M main: prefix = "/usr/local"^M main: localstatedir = "/usr/local/var"^M main: logdir = "/usr/local/var/log/radius"^M main: libdir = "/usr/local/lib"^M main: radacctdir = "/usr/local/var/log/radius/radacct"^M main: hostname_lookups = no^M main: max_request_time = 30^M main: cleanup_delay = 4^M main: max_requests = 1024^M main: delete_blocked_requests = 0^M main: port = 0^M main: allow_core_dumps = no^M main: log_stripped_names = yes^M main: log_file = "/usr/local/var/log/radius/radius.log"^M main: log_auth = yes^M main: log_auth_badpass = yes^M main: log_auth_goodpass = yes^M main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"^M main: user = "(null)"^M main: group = "(null)"^M main: usercollide = no^M main: lower_user = "no"^M main: lower_pass = "no"^M main: nospace_user = "no"^M main: nospace_pass = "no"^M main: checkrad = "/usr/local/sbin/checkrad"^M main: proxy_requests = yes^M proxy: retry_delay = 5^M proxy: retry_count = 3^M proxy: synchronous = no^M proxy: default_fallback = yes^M proxy: dead_time = 120^M proxy: post_proxy_authorize = no^M proxy: wake_all_if_all_dead = no^M security: max_attributes = 20^M security: reject_delay = 2^M security: status_server = no^M main: debug_level = 0^M read_config_files: reading dictionary^M read_config_files: reading naslist^M Using deprecated naslist file. Support for this will go away soon.^M read_config_files: reading clients^M read_config_files: reading realms^M radiusd: entering modules setup^M Module: Library search path is /usr/local/lib^M Module: Loaded expr ^M Module: Instantiated expr (expr) ^M Module: Loaded PAP ^M pap: encryption_scheme = "crypt"^M Module: Instantiated pap (pap) ^M Module: Loaded DIGEST ^M Module: Instantiated digest (digest) ^M Module: Loaded eap ^M eap: default_eap_type = "ttls"^M eap: timer_expire = 60^M eap: ignore_unknown_eap_types = no^M eap: cisco_accounting_username_bug = no^M rlm_eap: Loaded and initialized type md5^M rlm_eap: Loaded and initialized type leap^M gtc: challenge = "Password: "^M gtc: auth_type = "PAP"^M rlm_eap: Loaded and initialized type gtc^M tls: rsa_key_exchange = yes^M tls: dh_key_exchange = no^M tls: rsa_key_length = 1024^M tls: dh_key_length = 1024^M tls: verify_depth = 2^M tls: CA_path = "(null)"^M tls: pem_file_type = yes^M tls: private_key_file = "/etc/freeradius/etc/certs/key2.pem"^M tls: certificate_file = "/etc/freeradius/etc/certs/cert2.pem"^M tls: CA_file = "/etc/freeradius/etc/certs/cacert.pem"^M tls: private_key_password = "wimax i2 test certs"^M tls: dh_file = "/etc/freeradius/etc/certs/dh"^M tls: random_file = "/etc/freeradius/etc/certs/random"^M tls: fragment_size = 1024^M tls: include_length = yes^M tls: check_crl = no^M tls: check_cert_cn = "%{User-Name}"^M tls: cipher_list = "(null)"^M tls: check_cert_issuer = "(null)"^M rlm_eap_tls: Loading the certificate file as a chain^M rlm_eap: Loaded and initialized type tls^M ttls: default_eap_type = "mschapv2"^M ttls: copy_request_to_tunnel = no^M ttls: use_tunneled_reply = no^M rlm_eap: Loaded and initialized type ttls^M peap: default_eap_type = "mschapv2"^M peap: copy_request_to_tunnel = no^M peap: use_tunneled_reply = no^M peap: proxy_tunneled_request_as_eap = yes^M rlm_eap: Loaded and initialized type peap^M mschapv2: with_ntdomain_hack = no^M rlm_eap: Loaded and initialized type mschapv2^M Module: Instantiated eap (eap) ^M Module: Loaded MS-CHAP ^M mschap: use_mppe = yes^M mschap: require_encryption = no^M mschap: require_strong = yes^M mschap: with_ntdomain_hack = no^M mschap: passwd = "(null)"^M mschap: ntlm_auth = "(null)"^M Module: Instantiated mschap (mschap) ^M Module: Loaded preprocess ^M preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"^M preprocess: hints = "/usr/local/etc/raddb/hints"^M preprocess: with_ascend_hack = no^M preprocess: ascend_channels_per_line = 23^M preprocess: with_ntdomain_hack = no^M preprocess: with_specialix_jetstream_hack = no^M preprocess: with_cisco_vsa_hack = no^M preprocess: with_alvarion_vsa_hack = no^M Module: Instantiated preprocess (preprocess) ^M Module: Loaded detail ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (auth_log) ^M Module: Loaded CHAP ^M Module: Instantiated chap (chap) ^M Module: Loaded realm ^M realm: format = "suffix"^M realm: delimiter = "@"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmsuffix) ^M realm: format = "prefix"^M realm: delimiter = "/"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmslash) ^M realm: format = "prefix"^M realm: delimiter = "\"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmbackslash) ^M realm: format = "suffix"^M realm: delimiter = "%"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmpercent) ^M Module: Loaded fastusers ^M fastusers: usersfile = "/usr/local/etc/raddb/users"^M fastusers: acctusersfile = "/usr/local/etc/raddb/acct_users"^M fastusers: hashsize = 1000^M fastusers: stats = no^M fastusers: compat = "no"^M fastusers: hash_reload = 5^M fastusers: Reading /usr/local/etc/raddb/acct_users^M fastusers: Reading /usr/local/etc/raddb/users^M rlm_fastusers: Loaded 1 users and 1 defaults^M Module: Instantiated fastusers (fastusers) ^M Module: Loaded Acct-Unique-Session-Id ^M acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"^M Module: Instantiated acct_unique (acct_unique) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"^M detail: detailperm = 384^M detail: locking = no^M Module: Instantiated detail (auth_log) ^M Module: Loaded CHAP ^M Module: Instantiated chap (chap) ^M Module: Loaded realm ^M realm: format = "suffix"^M realm: delimiter = "@"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmsuffix) ^M realm: format = "prefix"^M realm: delimiter = "/"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmslash) ^M realm: format = "prefix"^M realm: delimiter = "\"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmbackslash) ^M realm: format = "suffix"^M realm: delimiter = "%"^M realm: ignore_default = no^M realm: ignore_null = no^M Module: Instantiated realm (realmpercent) ^M Module: Loaded fastusers ^M fastusers: usersfile = "/usr/local/etc/raddb/users"^M fastusers: acctusersfile = "/usr/local/etc/raddb/acct_users"^M fastusers: hashsize = 1000^M fastusers: stats = no^M fastusers: compat = "no"^M fastusers: hash_reload = 5^M fastusers: Reading /usr/local/etc/raddb/acct_users^M fastusers: Reading /usr/local/etc/raddb/users^M rlm_fastusers: Loaded 1 users and 1 defaults^M Module: Instantiated fastusers (fastusers) ^M Module: Loaded Acct-Unique-Session-Id ^M acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"^M Module: Instantiated acct_unique (acct_unique) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (detail) ^M Module: Loaded radutmp ^M radutmp: filename = "/usr/local/var/log/radius/radutmp"^M radutmp: username = "%{User-Name}"^M radutmp: case_sensitive = yes^M radutmp: check_with_nas = yes^M radutmp: perm = 384^M radutmp: callerid = yes^M Module: Instantiated radutmp (radutmp) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M radutmp: callerid = yes^M Module: Instantiated radutmp (radutmp) ^M detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"^M detail: detailperm = 384^M detail: dirperm = 493^M detail: locking = no^M Module: Instantiated detail (reply_log) ^M Listening on authentication *:1812^M Listening on accounting *:1813^M Ready to process requests.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=2, length=133^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0202001701616e6f6e796d6f75735f6964656e74697479^M Message-Authenticator = 0x1612b328a300f3a07fb104ea3b1b2b79^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 0^M modcall[authorize]: module "preprocess" returns ok for request 0^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 0^M modcall[authorize]: module "chap" returns noop for request 0^M rlm_eap: EAP packet type response id 2 length 23^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 0^M modcall[authorize]: module "mschap" returns noop for request 0^M modcall[authorize]: module "digest" returns noop for request 0^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 0^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 0^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 0^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 0^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 0^M modcall: leaving group authorize (returns updated) for request 0^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 0^M rlm_eap: EAP Identity^M rlm_eap: processing type tls^M rlm_eap_tls: Initiate^M rlm_eap_tls: Start returned 1^M modcall[authenticate]: module "eap" returns handled for request 0^M modcall: leaving group authenticate (returns handled) for request 0^M Sending Access-Challenge of id 2 to 192.168.1.102 port 19801^M EAP-Message = 0x010300061520^M Message-Authenticator = 0x00000000000000000000000000000000^M State = 0xb6f4137eeccba240eb5fb35d9a7720fd^M Finished request 0^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 5 seconds...^M --- Walking the entire request list ---^M Cleaning up request 0 ID 2 with timestamp 45394f82^M Nothing to do. Sleeping until we see a request.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=3, length=218^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0203006c150016030100610100005d03013d7b3c4fb8bbad3b5d5e3aab9cc3d3689c21b9c006cc4b1e77b3642e90d7 3ae200003600390038003500160013000a00330032002f000700660005000400630062006100150012000900650064006000140011000800060003 0100^M Message-Authenticator = 0x34960047891b107d3d82dda0a176d255^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 1^M modcall[authorize]: module "preprocess" returns ok for request 1^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 1^M modcall[authorize]: module "chap" returns noop for request 1^M rlm_eap: EAP packet type response id 3 length 108^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "mschap" returns noop for request 1^M modcall[authorize]: module "digest" returns noop for request 1^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 1^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 1^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 1^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 1^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 0^M modcall: leaving group authorize (returns updated) for request 0^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 0^M rlm_eap: EAP Identity^M rlm_eap: processing type tls^M rlm_eap_tls: Initiate^M rlm_eap_tls: Start returned 1^M modcall[authenticate]: module "eap" returns handled for request 0^M modcall: leaving group authenticate (returns handled) for request 0^M Sending Access-Challenge of id 2 to 192.168.1.102 port 19801^M EAP-Message = 0x010300061520^M Message-Authenticator = 0x00000000000000000000000000000000^M State = 0xb6f4137eeccba240eb5fb35d9a7720fd^M Finished request 0^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 5 seconds...^M --- Walking the entire request list ---^M Cleaning up request 0 ID 2 with timestamp 45394f82^M Nothing to do. Sleeping until we see a request.^M rad_recv: Access-Request packet from host 192.168.1.102:19801, id=3, length=218^M User-Name = "anonymous_identity"^M NAS-IP-Address = 192.168.1.102^M NAS-Port = 19801^M Service-Type = Login-User^M Called-Station-Id = "\313\026\344Q\000"^M Calling-Station-Id = "DU\224I\272("^M NAS-Identifier = "testuser"^M NAS-Port-Type = Wireless-Other^M EAP-Message = 0x0203006c150016030100610100005d03013d7b3c4fb8bbad3b5d5e3aab9cc3d3689c21b9c006cc4b1e77b3642e90d7 3ae200003600390038003500160013000a00330032002f000700660005000400630062006100150012000900650064006000140011000800060003 0100^M Message-Authenticator = 0x34960047891b107d3d82dda0a176d255^M Processing the authorize section of radiusd.conf^M modcall: entering group authorize for request 1^M modcall[authorize]: module "preprocess" returns ok for request 1^M radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.102/auth-detail-20061020'^M rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/ra dius/radacct/192.168.1.102/auth-detail-20061020^M modcall[authorize]: module "auth_log" returns ok for request 1^M modcall[authorize]: module "chap" returns noop for request 1^M rlm_eap: EAP packet type response id 3 length 108^M rlm_eap: No EAP Start, assuming it's an on-going EAP conversation^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "eap" returns updated for request 1^M modcall[authorize]: module "mschap" returns noop for request 1^M modcall[authorize]: module "digest" returns noop for request 1^M rlm_realm: No '@' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmsuffix" returns noop for request 1^M rlm_realm: No '/' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmslash" returns noop for request 1^M rlm_realm: No '\' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmbackslash" returns noop for request 1^M rlm_realm: No '%' in User-Name = "anonymous_identity", looking up realm NULL^M rlm_realm: No such realm "NULL"^M modcall[authorize]: module "realmpercent" returns noop for request 1^M rlm_fastusers: Reloading fastusers hash^M rlm_fastusers: File /usr/local/etc/raddb/acct_users was unchanged. Not reloading.^M rlm_fastusers: File /usr/local/etc/raddb/users was unchanged. Not reloading.^M rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M auth: Failed to validate the user.^M Login incorrect: [anonymous_identity/<no User-Password attribute>] (from client 192.168.1.102 port 19801 cli DU?I\272( )^M Delaying request 1 for 2 seconds^M Finished request 1^M Going to the next request^M --- Walking the entire request list ---^M Waking up in 2 seconds...^M --- Walking the entire request list ---^M Waking up in 2 seconds...^M --- Walking the entire request list ---^M Sending Access-Reject of id 3 to 192.168.1.102 port 19801^M Waking up in 1 seconds...^M --- Walking the entire request list ---^M Cleaning up request 1 ID 3 with timestamp 45394f9b^M Nothing to do. Sleeping until we see a request.^M exit^M On 10/21/06, K. Hoercher <wbhoer@gmail.com> wrote:
Hi,
as mentioned in various places in the documentation and countless times on this list:
On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan@gmail.com> wrote:
Here is my users file :
"testuser" Auth-Type := EAP, User-Password := "testuser"
DEFAULT Auth-Type := EAP
Dont't set Auth-Type
Here is the radius log (only shown the failed part)
rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module "fastusers" returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type "EAP"^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module "eap" returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M
Thats pretty much non-informative. In case, the above fix does not yet yield the desired results, provide the full debug output.
regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Rafiqul Ahsan 630-717-1698(h) 2120 Periwinkle Ln 630-689-1457(h) Naperville, IL 60540 847-812-6176(c)