Here is the debug. For some reason my user dfleming is being accepted even though the cisco-avpair does not match. Please see debug and layout of mysql tables below. My aplogies to the moderator as I trimmed the message to under 100kb. khadmin@BSpa-KH-DaloRadius01:~$ sudo freeradius -X FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Feb 24 2014 at 15:00:10 .... Ready to process requests. ! Connecting client that should be rejected dfleming Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=104, length=224 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x56c8d1976c38d0c15b3b7510788d1114 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae39bc3112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 104 to 10.10.5.10 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae29cde112b2facf2414ef68a Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=105, length=323 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x705abcc41bc6453d98e488076368d5b0 EAP-Message = 0x0204006919800000005f160301005a01000056030153d0fc4150ae5171e308a2672ae8b0c2c02f72ec78a1f46b4988a1b7e7f83e73000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae29cde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02dc], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 105 to 10.10.5.10 port 1645 EAP-Message = 0x01050326190016030100310200002d03010c97450f25def4ced7dc7df384079486f3542d07e6833013a884eb6bfb0bb94100002f000005ff0100010016030102dc0b0002d80002d50002d2308202ce308201b6a003020102020900822e76b7f4e676e6300d06092a864886f70d01010b0500301f311d301b06035504031314425370612d4b482d44616c6f5261646975733031301e170d3134303731363139303331345a170d3234303731333139303331345a301f311d301b06035504031314425370612d4b482d44616c6f526164697573303130820122300d06092a864886f70d01010105000382010f003082010a0282010100bd678d84e6eea050 EAP-Message = 0xf696bcf0d3ea9ac8dcc3895e630b82e19179fdf0bc32cbb9e38b749f7972e9b587116ef4e0962859d179ce4f59861167882f74aeef86e4a0e1fa808b84d034d0d0948f0a121690d58ba805a62fd3212cdabc26599ac01f6ae0f992d111e052a8cf5b3147301f63d76591be067e58d7939d0434bc135c606ae8843f81d47db30f2e2ec75faa656ee1744d1bcddbfaab9c25fbd573d82c024841e3fb98da541915e7d21c6f08dd7eddb9dc03fc8062512d649fc96be72a51b62fc05d3cadd285ee4858cdc52b90823c99de6130157151d0b12bbaee10bb574671052ef36786e9ccdad6be4209150df2db1b6c57ae25e0310ff2de90399678610203010001 EAP-Message = 0xa30d300b30090603551d1304023000300d06092a864886f70d01010b050003820101004e8a90c9aa3f6aab067342e1a11faf0c678c2f7f4674372f9964687580fe9bb6185570fbe203d7f03a7140c607e0e3a4c76463754f380db2fe4f1e59eb759cb64ee43c51fb22f1d8f2027b8b695bae6185bbccf927a29b3c4cf96de82394521bbe90cc6467d05546c04e76cedb9483ab55de6450f06a924e176f532ebb75688d32f4b2d901db683c6deced70d56c6f811311d104b18720ab7c62803dbda5126ad15fe966ad36171fe6cf6f4f75b7eded5b4bee5f6ac5be52943cd9ae276d7a7f4ca26fb40bd4c92c12fb907f121b78c071f386f84ada8fa48a0c EAP-Message = 0x97087d75ba9109d5bc56a0df73634094328e929b39a58e2c31b88b38be212a5dfd8544d0a63c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae19dde112b2facf2414ef68a Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=106, length=556 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xcd089534fccab7db28693d5b9d86a442 EAP-Message = 0x02050150198000000146160301010610000102010022bd3a65d01781fa46b75b886bad8c50420d06048d350a244d2a70f4d676c8000374ebc77170059405c33a7910fd709d2829a1471f91a01c4a2a44adec666eb77a5d05995485115cb1d6854ca0fcf370ae2108ca25706257a7af922ec783a8442a9838e03496200e8bec1214d3f5c6af905c2a2e080f0354f9f37e29e96a6b23ad4ea4a7048bec25a870f3c53bceb0b95ed97e2d145b506ced5a94a1e6b2d79a031a58c445a698ec388e48abd18c466c2f1170d400b2d78cbb5c150f2c69d1889a84e4a20251457d3b3edd8d9d2ceb2b681b4ab9e926ae41b07380e6d44405cedf893b39da921314 EAP-Message = 0x94b437e41da7e053b8335b25d4f8a846c4554efb002cc8ec14030100010116030100304b985086678690c358d8a71cca3bd01d6792bf0f15f1387921d08f3ab7ebc8c8d27604abcc1facbd4e0674db9dd3925c NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae19dde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 106 to 10.10.5.10 port 1645 EAP-Message = 0x01060041190014030100010116030100309e49c5fe400c66b74f39bfdcaf566e506165f4805af06d42706bd2ca4160016223229a71052b67ec2140e7bcedb29055 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae09ede112b2facf2414ef68a Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=107, length=224 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x903e413386202060c488c16f2f3e84de EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae09ede112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 107 to 10.10.5.10 port 1645 EAP-Message = 0x0107002b1900170301002072b66494c00c9860d7ae27b5bdc316d95c67942e3d6909bd14b8e95144dad15c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae79fde112b2facf2414ef68a Finished request 12. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=108, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xd80759bc82877237c5ee00bb4982f0d3 EAP-Message = 0x0207002b190017030100200229e07a3163accabbf9d63f151206bdfe56866c6c0908833f0dc931a9e143a8 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae79fde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - dfleming [peap] Got inner identity 'dfleming' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000d0164666c656d696e67 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x0207000d0164666c656d696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c9bff40721db4de2f5e8d831 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c9bff40721db4de2f5e8d831 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 108 to 10.10.5.10 port 1645 EAP-Message = 0x0108004b19001703010040e354ae24f8e5f9d802fd99a568a505148dae956713eeee1fe29b6cf13ab582b5c7e15342748bc0b5cf4794a5c47774cede06c276834338ff8f7187e268d2e6d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae690de112b2facf2414ef68a Finished request 13. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=109, length=325 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xb4f91fc4a74780dd8d59ca37a367f017 EAP-Message = 0x0208006b190017030100606d6568104b85243dc9d97a2a632d19fd9a8d232a88d86ef8b1322f3a74f5946692b8fc279afe278b92f8085b48136721801cbc31a68be167d8e697af0ad1262c2b84c00849d98fe5380ea6eb61f193f27fbd396e781c8e847be168312372effb NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae690de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" State = 0xc9b7eee2c9bff40721db4de2f5e8d831 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: dfleming [mschap] Told to do MS-CHAPv2 for dfleming with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c8bef40721db4de2f5e8d831 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c8bef40721db4de2f5e8d831 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 109 to 10.10.5.10 port 1645 EAP-Message = 0x0109005b190017030100506185ff39cb0494708efdc81974e25f277642b11486bfe766086d403b0f9e0a544ff9b3c52790e64e9b993633880722ce7da761ac18a7fe587e831cdf7a964c10ef0f0b652c6a73635173e6875e54f4af Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae591de112b2facf2414ef68a Finished request 14. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=110, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x212023c32292d56925e14f1147bdabe4 EAP-Message = 0x0209002b19001703010020ac7315140c4adcdef21a749af693f0a7b8a7efda8ddb0f82bd692b1d8a7c8465 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae591de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" State = 0xc9b7eee2c8bef40721db4de2f5e8d831 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 110 to 10.10.5.10 port 1645 EAP-Message = 0x010a002b19001703010020ffd2d4391027944a955f2a80e75582385d2bb77d88a0da77a3c35e870ab878e6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae492de112b2facf2414ef68a Finished request 15. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=111, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x9ad507ccd512242f7bf2caec1f20c3d7 EAP-Message = 0x020a002b190017030100203e355252ae01ca7b5f1465ce21b3bb9285bba4ef32e64818a0cd5cc8143b5fd5 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae492de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 111 to 10.10.5.10 port 1645 MS-MPPE-Recv-Key = 0x5b480d2d4a8cde312f61c2c611543f1aebcc8abae61eb9155cda840760c3cea0 MS-MPPE-Send-Key = 0x56ec6be73861d6e421949f14631c05facadbeff6689370618d373d2b633ce24d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" Finished request 16. Going to the next request mysql> select * from radgroupcheck; +----+---------------------------+-------------------+----+-----------------------+ | id | groupname | attribute | op | value | +----+---------------------------+-------------------+----+-----------------------+ | 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 7 | Mgmt-Wireless | Cisco-AVPair | == | "ssid=1BSpa-KH-Mgmt1" | | 8 | Mgmt-Wireless | Called-Station-Id | := | *BSpa | | 9 | Test | Cisco-AVPair | == | df | +----+---------------------------+-------------------+----+-----------------------+ mysql> select * from userinfo; +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ | id | username | firstname | lastname | email | department | company | workphone | homephone | mobilephone | address | city | state | country | zip | notes | changeuserinfo | portalloginpassword | enableportallogin | creationdate | creationby | updatedate | updateby | +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ | 1 | dfleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 15:24:47 | administrator | 2014-07-23 15:50:42 | admin | | 2 | mefleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 16:57:27 | administrator | 2014-07-23 16:40:28 | admin | +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ mysql> select * from userinfo;radusergroup; +-----------+---------------+----------+ | username | groupname | priority | +-----------+---------------+----------+ | dfleming | Test | 0 | | mefleming | Mgmt-Wireless | 1 | +-----------+---------------+----------+ On Wed, Jul 23, 2014 at 5:20 PM, Dan Fleming <flemingdp@gmail.com> wrote:
Hello,
I am using daloradius with free radius 2.1.12 on Ubuntu 14.04.
I have configured users and passwords and sucessfully authenticate users
connecting to a standalone cisco 1142 accesspoint. I can see in the debug that the cisco-avpair is sending the ssid to the free radius server in the debug but I dont think it is being checked.
No matter what I put in av pair the user gets Access-Accept.
I have tried both operator == and =: but neither make a difference.
Any help is greatly appreciated.
Regards,
Daniel