I configured my freeradius 1.1.7 + oracle + cisco 3750 switch to do 802.1x authentication for wired client. I configured it with EAP/MD5 method and it works well. Now I want to use peap/mschap-v2 method,but I didn't configure LDAP in radiusd.conf,and when the server start it report some error.Below are the details: radiusd.conf: authorize { preprocess mschap sql eap } authenticate { Auth-Type MS-CHAP { mschap } eap } eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } The debug message of radiusd -X: rad_recv: Access-Request packet from host 10.0.99.1:1645, id=141, length=252 NAS-IP-Address = 10.0.99.1 NAS-Port = 50441 Cisco-NAS-Port = "FastEthernet4/0/41" NAS-Port-Type = Ethernet User-Name = "testuser" Called-Station-Id = "00-19-2F-E1-C0-AD" Calling-Station-Id = "00-10-C6-A8-DA-00" Service-Type = Framed-User Framed-MTU = 1500 State = 0xb9868a780c968e9716093b01742690ee EAP-Message = 0x0206005a1900170301004f4ea0464ecb62296c3fe83ddbe7cb46cfc87deccd3b5d7786299443f17d173f52209f2eefb5497f3153bdd751357d7b5beb55afb0d7e60d775792b375564444f5f30c0ad8cae5c74b398405d8cc4b63 Message-Authenticator = 0x3ced719a5b1cfdb5e3e3c49fa411e309 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/usr/local/var/log/radius/radacct/10.0.99.1/auth-detail-20090225' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.0.99.1/auth-detail-20090225 modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 90 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 radius_xlat: 'testuser' rlm_sql (sql): sql_set_user escaped user --> 'testuser' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' and (mac = '00-10-C6-A8-DA-00' or mac is null) ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600431a0206003e316cdcc08e1adf37fdb332d32419efee1300000000000000002667d1668b083c47ab1b70edc530d3d3d9f0bb9a4c254ce8007465737475736572 PEAP: Setting User-Name to testuser PEAP: Adding old state with 64 0b PEAP: Sending tunneled request EAP-Message = 0x020600431a0206003e316cdcc08e1adf37fdb332d32419efee1300000000000000002667d1668b083c47ab1b70edc530d3d3d9f0bb9a4c254ce8007465737475736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser" State = 0x640b188d31bc5ddc785afe862ca9225f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090225' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090225 modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 radius_xlat: 'testuser' rlm_sql (sql): sql_set_user escaped user --> 'testuser' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' and (mac = '' or mac is null) ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): User testuser not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User testuser not found in radgroupcheck rlm_sql (sql): Released sql socket id: 1 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. Login incorrect: [testuser/<no User-Password attribute>] (from client localhost port 0) ...... and ...... modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Login incorrect: [testuser/<no User-Password attribute>] (from client bg3750 port 50441 cli 00-10-C6-A8-DA-00) Delaying request 7 for 1 seconds Finished request 7 Going to the next request Does it because I'm not configure LDAP? Does PEAP/MSCHAP-V2 must use with LDAP? In my database I have already add the "testuser User-Password := test123" in radcheck table but it doesn't work. _________________________________________________________________ 讲述中国特色文化,体验不同的节日习俗,快来微软春节搜索! http://chunjie.live.com/?form=PANER01