Can you point me where in the debug output it shows that i'ts doing PEAP+MSCHAP? (0) Received Access-Request Id 110 from 10.1.0.14:56440 to 10.1.0.22:1812 length 315 (0) User-Name = "user" (0) Chargeable-User-Identity = 0x08 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "94-65-2d-20-e7-8a" (0) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (0) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (0) Cisco-AVPair = "mDNS=true" (0) NAS-IP-Address = 172.16.249.8 (0) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (0) Airespace-Wlan-Id = 6 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "1" (0) EAP-Message = 0x0201001301726f647269676f616e74756e6573 (0) Message-Authenticator = 0x073ed17a2e43240477e9c3f2a01a855f (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "user", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 19 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0xd0b13007d0b3346e (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 110 from 10.1.0.22:1812 to 10.1.0.14:56440 length 80 (0) EAP-Message = 0x010200160410de1b40c91886dc69131359dd1a2d5c60 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xd0b13007d0b3346e8aa23b1bb1646026 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 111 from 10.1.0.14:56440 to 10.1.0.22:1812 length 320 (1) User-Name = "user" (1) Chargeable-User-Identity = 0x08 (1) Location-Capable = Civic-Location (1) Calling-Station-Id = "94-65-2d-20-e7-8a" (1) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (1) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (1) Cisco-AVPair = "mDNS=true" (1) NAS-IP-Address = 172.16.249.8 (1) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (1) Airespace-Wlan-Id = 6 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "1" (1) EAP-Message = 0x020200060315 (1) State = 0xd0b13007d0b3346e8aa23b1bb1646026 (1) Message-Authenticator = 0x6acb1f100d12e7635d6ca4258cab3cfc (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "user", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (sAMAccountName=user) (1) ldap: Performing search in "DC=adm,DC=ifsul,DC=edu,DC=br" with filter "(sAMAccountName=user)", scope "sub" (1) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.adm.ifsul.edu.br/DC=ForestDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.adm.ifsul.edu.br/DC=DomainDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://adm.ifsul.edu.br/CN=Configuration,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) ldap: User object found at DN "CN=Rodrigo Abrantes Antunes,OU=Users,OU=CampusPelotas,DC=adm,DC=ifsul,DC=edu,DC=br" (1) ldap: Processing user attributes (1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.3:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = ok (1) if ((ok || updated) && User-Password && !control:Auth-Type) { (1) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xd0b13007d0b3346e (1) eap: Finished EAP session with state 0xd0b13007d0b3346e (1) eap: Previous EAP request found for state 0xd0b13007d0b3346e, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0xd0b13007d1b2256e (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 111 from 10.1.0.22:1812 to 10.1.0.14:56440 length 64 (1) EAP-Message = 0x010300061520 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xd0b13007d1b2256e8aa23b1bb1646026 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 112 from 10.1.0.14:56440 to 10.1.0.22:1812 length 463 (2) User-Name = "user" (2) Chargeable-User-Identity = 0x08 (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "94-65-2d-20-e7-8a" (2) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (2) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (2) Cisco-AVPair = "mDNS=true" (2) NAS-IP-Address = 172.16.249.8 (2) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (2) Airespace-Wlan-Id = 6 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "1" (2) EAP-Message = 0x020300951500160301008a010000860303de78176f56f7aefe27c3d351422f2c1755b6cb9fa3da6ea586a05b0b848ac2b500002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d00140012040308040401050308050501080606010201000b00020100000a00080006001d00170018 (2) State = 0xd0b13007d1b2256e8aa23b1bb1646026 (2) Message-Authenticator = 0xefb44e4d8a2901c6432ed6957043e5ba (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "user", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 149 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xd0b13007d1b2256e (2) eap: Finished EAP session with state 0xd0b13007d1b2256e (2) eap: Previous EAP request found for state 0xd0b13007d1b2256e, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: (TLS) EAP Done initial handshake (2) eap_ttls: (TLS) Handshake state - before SSL initialization (2) eap_ttls: (TLS) Handshake state - Server before SSL initialization (2) eap_ttls: (TLS) Handshake state - Server before SSL initialization (2) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (2) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (2) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (2) eap_ttls: (TLS) In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0xd0b13007d2b5256e (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 112 from 10.1.0.22:1812 to 10.1.0.14:56440 length 1068 (2) EAP-Message = 0x010403ec15c0000004bd160303003d02000039030399ac899f84a241f42e5249e6e6f55e4a42befff2b7eb0dcb422ec23b5b2b5f8400c02f000011ff01000100000b00040300010200170000160303033c0b0003380003350003323082032e30820216a00302010202140bdc8930fa93c935a1fe2e101c9b969c1b39bf7a300d06092a864886f70d01010b050030263124302206035504030c1b696673303173763030342e61646d2e696673756c2e6564752e6272301e170d3233303831303135343833385a170d3333303830373135343833385a30263124302206035504030c1b696673303173763030342e61646d2e696673756c2e6564752e627230820122300d06092a864886f70d01010105000382010f003082010a02820101008f47503a2f56ac3b1dcd9a368bd44ad374ee8b376cce40386bcc8a4d06347b1d84017a75ae425f9f663c0dc0583a1f45e106eb7f82deb3fdbac0f5798aa47245dc13a126b07ed574ffe995d7f75b0735405a738c641766f3c4 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xd0b13007d2b5256e8aa23b1bb1646026 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 113 from 10.1.0.14:56440 to 10.1.0.22:1812 length 320 (3) User-Name = "user" (3) Chargeable-User-Identity = 0x08 (3) Location-Capable = Civic-Location (3) Calling-Station-Id = "94-65-2d-20-e7-8a" (3) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (3) NAS-Port = 1 (3) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (3) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (3) Cisco-AVPair = "mDNS=true" (3) NAS-IP-Address = 172.16.249.8 (3) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (3) Airespace-Wlan-Id = 6 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = "1" (3) EAP-Message = 0x020400061500 (3) State = 0xd0b13007d2b5256e8aa23b1bb1646026 (3) Message-Authenticator = 0x8fb9cb6f3722e24d80cd22ce061c508a (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "user", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xd0b13007d2b5256e (3) eap: Finished EAP session with state 0xd0b13007d2b5256e (3) eap: Previous EAP request found for state 0xd0b13007d2b5256e, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 5 length 229 (3) eap: EAP session adding &reply:State = 0xd0b13007d3b4256e (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 113 from 10.1.0.22:1812 to 10.1.0.14:56440 length 287 (3) EAP-Message = 0x010500e51580000004bd935694d2a672946f8dd8f4dcbd146de3bdda1682df98aa8aff4ef5884e181a0c6bc06be842ffc9b0a3adb396b5fe1cac83b593b3926af66f69ea0da3e2cd5439350b160dc3e384f0800c5c3fdb41bc58c7cb5a4e8869acd39becc5c031a3c893b90566387801e56f9c6abac4489cfe0332f1645ed73820b1f6c82fdcc8801ba4056e7727ae4de0f9a9915f59a69ee0cd17040669b71f8ab72f313d8f1e11bb9e6aadf0f389e6217b5d824c761e2790b1b67f25a5765e095c1518ed949f5844a95ce99fb123f3a69cc99483057f8dc0fe8a2d16030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xd0b13007d3b4256e8aa23b1bb1646026 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 114 from 10.1.0.14:56440 to 10.1.0.22:1812 length 413 (4) User-Name = "user" (4) Chargeable-User-Identity = 0x08 (4) Location-Capable = Civic-Location (4) Calling-Station-Id = "94-65-2d-20-e7-8a" (4) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (4) NAS-Port = 1 (4) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (4) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (4) Cisco-AVPair = "mDNS=true" (4) NAS-IP-Address = 172.16.249.8 (4) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (4) Airespace-Wlan-Id = 6 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = "1" (4) EAP-Message = 0x0205006315001603030025100000212024fa4ea6b7900fd6094f19358a0512903336af60c9ed5d4d1b48b5ab929dce0d1403030001011603030028000000000000000098188b912188f7c3fdf5f376a6c5f23b4ae38c452e34f0651e5709d4d0ff868f (4) State = 0xd0b13007d3b4256e8aa23b1bb1646026 (4) Message-Authenticator = 0xe1c8de260318301176a326809d472675 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "user", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 99 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xd0b13007d3b4256e (4) eap: Finished EAP session with state 0xd0b13007d3b4256e (4) eap: Previous EAP request found for state 0xd0b13007d3b4256e, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: (TLS) EAP Done initial handshake (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (4) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (4) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (4) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (4) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (4) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (4) eap_ttls: (TLS) Connection Established (4) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (4) eap_ttls: TLS-Session-Version = "TLS 1.2" (4) eap: Sending EAP Request (code 1) ID 6 length 61 (4) eap: EAP session adding &reply:State = 0xd0b13007d4b7256e (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (4) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (4) TLS-Session-Version = "TLS 1.2" (4) Sent Access-Challenge Id 114 from 10.1.0.22:1812 to 10.1.0.14:56440 length 119 (4) EAP-Message = 0x0106003d158000000033140303000101160303002808490d9cfbda337bb9a1be8b062437f40d2269b6168811ae4cc82f2f5d69346a47cfb6c9f5e59460 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xd0b13007d4b7256e8aa23b1bb1646026 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 115 from 10.1.0.14:56440 to 10.1.0.22:1812 length 397 (5) User-Name = "user" (5) Chargeable-User-Identity = 0x08 (5) Location-Capable = Civic-Location (5) Calling-Station-Id = "94-65-2d-20-e7-8a" (5) Called-Station-Id = "64-e9-50-67-4d-b0:testes" (5) NAS-Port = 1 (5) Cisco-AVPair = "audit-session-id=08f910ac001cf280f828de64" (5) Acct-Session-Id = "64de28f8/94:65:2d:20:e7:8a/1967089" (5) Cisco-AVPair = "mDNS=true" (5) NAS-IP-Address = 172.16.249.8 (5) NAS-Identifier = "IFSUL_PEL_WLAN_CONTROLLER" (5) Airespace-Wlan-Id = 6 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = "1" (5) EAP-Message = 0x020600531500170303004800000000000000014c4ea959e5e96d267c449c740509fc718b7e42f0b65c6c70ea0046b7b893126bdd3aa20602103807c7ff81b8238d10f30223d9fc6adb6ef3decaf01491b82651 (5) State = 0xd0b13007d4b7256e8aa23b1bb1646026 (5) Message-Authenticator = 0xf9e894523322b64d979dc6efbceb955f (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "user", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 83 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xd0b13007d4b7256e (5) eap: Finished EAP session with state 0xd0b13007d4b7256e (5) eap: Previous EAP request found for state 0xd0b13007d4b7256e, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Done initial handshake (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "user" (5) eap_ttls: User-Password = "password" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "user" (5) User-Password = "password" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "user", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [files] = noop rlm_ldap (ldap): Reserved connection (1) (5) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (sAMAccountName=user) (5) ldap: Performing search in "DC=adm,DC=ifsul,DC=edu,DC=br" with filter "(sAMAccountName=user)", scope "sub" (5) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.adm.ifsul.edu.br/DC=ForestDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.adm.ifsul.edu.br/DC=DomainDnsZones,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://adm.ifsul.edu.br/CN=Configuration,DC=adm,DC=ifsul,DC=edu,DC=br rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (5) ldap: User object found at DN "CN=Rodrigo Abrantes Antunes,OU=Users,OU=CampusPelotas,DC=adm,DC=ifsul,DC=edu,DC=br" (5) ldap: Processing user attributes (5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (1) (5) [ldap] = ok (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> user (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 6 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> user (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 115 from 10.1.0.22:1812 to 10.1.0.14:56440 length 44 (5) EAP-Message = 0x04060004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 110 with timestamp +5 due to cleanup_delay was reached (1) Cleaning up request packet ID 111 with timestamp +5 due to cleanup_delay was reached (2) Cleaning up request packet ID 112 with timestamp +5 due to cleanup_delay was reached (3) Cleaning up request packet ID 113 with timestamp +5 due to cleanup_delay was reached (4) Cleaning up request packet ID 114 with timestamp +5 due to cleanup_delay was reached (5) Cleaning up request packet ID 115 with timestamp +5 due to cleanup_delay was reached Ready to process requests Citando Alan DeKok <aland@deployingradius.com>:
On Aug 17, 2023, at 10:02 AM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
It didn't! That's what I said earlier and thats the reason why I posted in the list.
Like I said, I followed that guide and it didn't work.
This is what the debug output says:
(25) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (25) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
It says a lot more than that.
Post ALL OF THE DEBUG OUTPUT.
All of the documentation says to do this.
It is extremely unhelpful to ignore all of the available documentation, and to post a message saying "I did stuff, and it didn't work".
Again, if you use TTLS+PAP it will work.
I will bet that the full debug output shows that it's doing PEAP+MSCHAP. Which won't work. And all of the documentation explains why it won't work.
Alan DeKok.
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html