Hello, Alan. You're right. My fault. Please see log below: (9) User-Name = "testlogin" (9) NAS-Port = 215 (9) State = 0x5d9ac8cb5bb0d1b476356bca7bc2305b (9) EAP-Message = 0x022a00681900170303005d0000000000000002301470a7306238a494e48f971e6c3870bb09639041141c00594ceaf49ffe07ac3d0ecdb68988c165ca8f370152e4cc61bf8065410eb9cf70432c800237bc3f4b089aaa37633688a6abe470d7f72aacf17e16110ef7 (9) Message-Authenticator = 0x3a5c65e42a9d0494a1805e850396ff75 (9) Acct-Session-Id = "8O2.1x811d36760006c7c6" (9) NAS-Port-Id = "ge-3/0/40.0" (9) Calling-Station-Id = "2c-4d-54-65-19-3b" (9) Called-Station-Id = "88-e0-f3-b0-d6-00" (9) NAS-IP-Address = 192.168.7.2 (9) NAS-Identifier = "sw-ex6210" (9) NAS-Port-Type = Ethernet (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) if (!control:Cleartext-Password && &User-Password) { (9) if (!control:Cleartext-Password && &User-Password) -> FALSE (9) if (config:User-Password && config:Cleartext-Password) { (9) if (config:User-Password && config:Cleartext-Password) -> FALSE (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "testlogin", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 42 length 104 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x1b445c8e1b6e4610 (9) eap: Finished EAP session with state 0x5d9ac8cb5bb0d1b4 (9) eap: Previous EAP request found for state 0x5d9ac8cb5bb0d1b4, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576 (9) eap_peap: Setting User-Name to testlogin (9) eap_peap: Sending tunneled request to default (9) eap_peap: EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "testlogin" (9) eap_peap: State = 0x1b445c8e1b6e4610f294f492105a1239 (9) Virtual server default received request (9) EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "testlogin" (9) State = 0x1b445c8e1b6e4610f294f492105a1239 (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server default { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) if (!control:Cleartext-Password && &User-Password) { (9) if (!control:Cleartext-Password && &User-Password) -> FALSE (9) if (config:User-Password && config:Cleartext-Password) { (9) if (config:User-Password && config:Cleartext-Password) -> FALSE (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "testlogin", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 42 length 73 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) sql-wifi: EXPAND %{User-Name} (9) sql-wifi: --> testlogin (9) sql-wifi: SQL-User-Name set to 'testlogin' rlm_sql (sql-wifi): Reserved connection (2) (9) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id (9) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id (9) sql-wifi: User found in radcheck table (9) sql-wifi: Conditional check items matched, merging assignment check items (9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138 (9) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id (9) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id (9) sql-wifi: User found in radreply table, merging reply items (9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138 (9) sql-wifi: EXPAND SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='%{SQL-User-Name}' (9) sql-wifi: --> SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='testlogin' (9) sql-wifi: Executing select query: SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='testlogin' (9) sql-wifi: User found in the group table (9) sql-wifi: EXPAND SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi: --> SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id (9) sql-wifi: Executing select query: SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id (9) sql-wifi: Group "OfficeWifi": Conditional check items matched (9) sql-wifi: Group "OfficeWifi": Merging assignment check items (9) sql-wifi: NT-Password := 0x61675648496e73416b666d41 (9) sql-wifi: EXPAND SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi: --> SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id (9) sql-wifi: Executing select query: SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id (9) sql-wifi: Group "OfficeWifi": Merging reply items (9) sql-wifi: NT-Password := 0x61675648496e73416b666d41 rlm_sql (sql-wifi): Released connection (2) (9) [sql-wifi] = ok (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x1b445c8e1b6e4610 (9) eap: Finished EAP session with state 0x1b445c8e1b6e4610 (9) eap: Previous EAP request found for state 0x1b445c8e1b6e4610, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default (9) eap_mschapv2: Auth-Type MS-CHAP { (9) mschap: WARNING: NT-Password found but incorrect length, expected 16 bytes got 12 bytes. Authentication may fail (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (9) mschap: Creating challenge hash with username: testlogin (9) mschap: Client is using MS-CHAPv2 (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # Auth-Type MS-CHAP = reject чт, 20 дек. 2018 г. в 21:06, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2018, at 3:52 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Hello, Alan.
I checked it.
Let me show you full log:
Thu Dec 20 01:10:08 2018 : Debug: (138) User-Name = " anonymous@espressif.com"
Please post the log from "radiusd -X" as suggested *EVERYWHERE* in the documentation.
For some unknown reason people recently seem to be ignoring all of the documentation that says to post "radiusd -X". This is mentioned in the "man" page, the Wiki, and in the email you get when you join the list.
Out of general principle, I'm going to ignore messages which fail to follow the documentation.
Re-post this with the *correct* debug log, and I will read it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin