Hi, I am trying to use PAM authentication with freeradius for Win XP client (PEAP). I am getting error in the tls section. Ver : FreeRADIUS 1.1.1 in Linux AP : Linksys Client : Windows XP I enabled the options in raidusd.conf and I have placed with prober entries in /etc/pam.d I ran the below command *radtest username "password" localhost 1 testing123 * Output: ======= sysnet-gateway25 ~ # radtest muthu "password" localhost 2 testing123 Sending Access-Request of id 130 to 127.0.0.1 port 1812 User-Name = "muthu" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=130, length=20 Client: ======== When I try to use from Windows XP client machine, it prompting for username and password. After I typed the username and password, it is not getting connected. It is keep saying "Trying to Authenticate". Client settings in XP : PEAP, validate certificate option is not enabled" If I look at the serverside logs, it is saying multiple error like, *rlm_eap_tls: Start returned 1, eaptls_verify returned 11, rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.** * So I attached the full debug log in this mail. Pls help me on this. Server side debug log: ====================== rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=123 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a016d75746875 Message-Authenticator = 0xbca303874074727b4b65a69509bb731c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa866ca10b5f371e8e53fbfebe5307ce0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=211 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0xa866ca10b5f371e8e53fbfebe5307ce0 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201005019800000004616030100410100003d030144b0dffdd8f693786422edf97c49f4343ecc13aad75093912d990b6bda25d40c00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xa99a675d8eba749010439b512eac06b8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 02d7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x0102033a1900160301004a02000046030144b0d849e10e331db1eab13dfd51c3659279c6cea9cb802871cbb32c3dd270e5200421d74bc64b451bf65a807251eece64a76048cabe160e52af94cb7cebb74a8d00040016030102d70b0002d30002d00002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e7420636572746966 EAP-Message = 0x69636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030 EAP-Message = 0x818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09779afa3d EAP-Message = 0xd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e835036516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7dae0a8612eeb132ce408f8df394f3a0 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=323 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0x7dae0a8612eeb132ce408f8df394f3a0 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200c01980000000b61603010086100000820080542d7bb3645e47fc6feda7709e7145f048e741c81e299fe0f6373344aca4a7be3b64c745d9a47aec1e55e28411b74061185ffd6a5fee2fcc9d298f9a733ffa4fd0d2eed8577830ba403e8dc4afdb4ae473dec2cbe190028b5967be8483c617196db0fad02f9909b78b1df7d7063719207fcdf8d4b59ceb088b3daaeb47167e4614030100010116030100202112e387bb6cebe749727be7cdd0da3629ba181306e2c221b1fcce60089167d1 Message-Authenticator = 0x7ca279ee6b43a242fd409d6e475cad2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x01030031190014030100010116030100207dcf757a63f78f532eedcb0253324c106b6b3803bc2afada89d2f058b67105d7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98a8efaf81fde7503edad7e110b20404 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=137 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0x98a8efaf81fde7503edad7e110b20404 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x9b90602709d935a5da18d0ed60e3bc6a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x01040020190017030100158dda0df9cdef5e3687b7d519fc47822fbbcc9813a0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x779974e1770813a7e8a6097539d59abf Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=164 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0x779974e1770813a7e8a6097539d59abf NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400211900170301001672ccf21456545dc224b4b4c1b6fbfc0071017a82faad Message-Authenticator = 0x7f0540a46bd8ccb3c5b13c7d5a13f88d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - muthu rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of muthu PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to muthu Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x010500361900170301002b2c22860183854f6a55c100c85d2c78be83f1afab3a40e49373bd7990d0d06d091922907022b7e48d597c29 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1d64eb1932f6e356c6890d53d9c3c4dd Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=218 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0x1d64eb1932f6e356c6890d53d9c3c4dd NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500571900170301004cf131dc1876143f35e3f376892adb80c72d7ae37d8fceef5573317cb4cc345c0eb7727a61b7beabdf5da381d5667f16ffbe72b23cb9e24ba9810c93fec8be45ec40ecb6ac4da2bcf409cedaba Message-Authenticator = 0x950bd18efdce7c7bc50baf9437f8d42a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 87 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to muthu PEAP: Adding old state with 3d 60 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 64 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for muthu with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5 auth: Failed to validate the user. Login incorrect: [muthu/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x010600261900170301001b88cd580851e3522b1a4516b384de6ea0f9c4e36944e068bd9b1fc0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c90bcf7478ad30a644a3f50c12b4611 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.142:2048, id=0, length=169 User-Name = "muthu" NAS-IP-Address = 192.168.0.142 Called-Station-Id = "001217102e2e" Calling-Station-Id = "0012f0444aa3" NAS-Identifier = "001217102e2e" NAS-Port = 45 Framed-MTU = 1400 State = 0x7c90bcf7478ad30a644a3f50c12b4611 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600261900170301001b59d1cd3753054b8b1797fd0beb904a25105f437a11e7ac8b21b8f4 Message-Authenticator = 0xc48fa3cd3df1609ff1ebbc19b3907780 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "muthu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 6 modcall: leaving group authenticate (returns invalid) for request 6 auth: Failed to validate the user. Login incorrect: [muthu/<no User-Password attribute>] (from client private-network-1 port 45 cli 0012f0444aa3) Delaying request 6 for 1 seconds Finished request 6 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.0.142 port 2048 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 6 ID 0 with timestamp 44b0d849 Nothing to do. Sleeping until we see a request. Thanks & Regards, Muthu.
Muthu wrote:
Hi,
I am trying to use PAM authentication with freeradius for Win XP client (PEAP). I am getting error in the tls section.
You cannot use PAM to answer PEAP/MS-CHAP requests. You must either have the plaintext password for the user, the NT or LM hashes for their password, or access to an NT domain controller and use the "ntlm_auth" helper in the mschap module.
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for muthu with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5
Muthu <cmuthu@naturesoft.net> wrote:
I am trying to use PAM authentication with freeradius for Win XP client (PEAP).
It's impossible.
I enabled the options in raidusd.conf and I have placed with prober entries in /etc/pam.d
No, PAM doesn't support MSCHAP, which is what PEAP uses. So you *couldn't* have placed the proper entries in pam.d, because there are *no* proper entries for MSCHAP.
If I look at the serverside logs, it is saying multiple error like, *rlm_eap_tls: Start returned 1, eaptls_verify returned 11, rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.**
So could you try reading the earlier log messages? It tells you what went wrong, and why. Alan DeKok.
participants (3)
-
Alan DeKok -
Muthu -
Phil Mayers