Ok I figured all that out, supposivly does not like the AP's connecting to different subnets which is not going to go over well with my DMZ. But now I am getting reject error when authenticating to wifi. Here is debug output. [peap] Got inner identity 'CORP\aschappell' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" server inner-tunnel { WARNING: Empty authorize section. Using default return values. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 54 to 10.0.1.149 port 32781 EAP-Message = 0x0118002b190017030100201647053fbeb14c32719744432002a54c459f497b2e32754269e04e1066211a2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d Finished request 55. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.1.149 port 32781, id=55, length=231 User-Name = "CORP\\aschappell" NAS-IP-Address = 10.0.1.149 NAS-Identifier = "24a43c105cfc" NAS-Port = 0 Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP" Calling-Station-Id = "C8-BC-C8-C0-1D-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0218002b190017030100207c934f93a305a368e73e4b44d84d62b6006059b4228216bc5a70d117bf0a88e7 State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d Message-Authenticator = 0x51c3c60a40d2995b5f14141e055f0950 # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 24 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 cli C8-BC-C8-C0-1D-A7) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 56 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 56 Sending Access-Reject of id 55 to 10.0.1.149 port 32781 EAP-Message = 0x04180004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 49 ID 48 with timestamp +214 Waking up in 0.4 seconds. Cleaning up request 50 ID 49 with timestamp +215 Cleaning up request 51 ID 50 with timestamp +215 Cleaning up request 52 ID 51 with timestamp +215 Cleaning up request 53 ID 52 with timestamp +215 Cleaning up request 54 ID 53 with timestamp +215 Cleaning up request 55 ID 54 with timestamp +215 Waking up in 1.0 seconds. Cleaning up request 56 ID 55 with timestamp +215 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 12:38 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Mar 26, 2015 at 12:21:19PM -0400, Adam Schappell wrote:
Yes so I am not getting any traffic going to radius server from the AP server, I disabled firewall and everything. Something is not right lol
Sounds like you need to fix that first then. Unlikely to be something anyone here can help with.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>