hi the following line seems to be principally correct (don't use explicit Auth-Type):
a User-Password == "a"
the eap module fails in authentication because it can't find the User- Password for the user. Make sure that the "files" module is used in authorize i.e. that the users file is actually used. the modules pap and mschap are of no interest whatsoever. also, i don't understand the DEFAULT accept policy - imho it's nonsense. hope this helps artur
1. modules section ... pap { encryption_scheme = crypt }
# CHAP module # # To authenticate requests containing a CHAP-Password attribute. # chap { authtype = CHAP } ... $INCLUDE ${confdir}/eap.conf
mschap { ... }
files { ... }
...
The console output of radiusd -X -s is
Ready to process requests. rad_recv: Access-Request packet from host 10.11.12.107:1024, id=76, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" EAP-Message = 0x020200090174657374 Message-Authenticator = 0xb12214c2d6fb14f33c7cc758ccfb54b7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 76 to 10.11.12.107:1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x0103001604100118f4899111b27fc08900284095e5e2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33fe6026586af730cd367983bb9ea8b6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" State = 0x33fe6026586af730cd367983bb9ea8b6 EAP-Message = 0x0203001a04101c913399463bebf9f6dc2d0af18f0c7974657374 Message-Authenticator = 0x2592cd875d1068f5b16fe7999f451769 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 26 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Sending Access-Reject of id 77 to 10.11.12.107:1024 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 76 with timestamp 43826690 Cleaning up request 1 ID 77 with timestamp 43826690 Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html <2#Mime.822> <GWAVADAT.TXT> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html