Cisco AP, mysql, either MSCHAP or Auth-Type problem i think
Hi, Trying to get Freeradius to work with a Cisco Aironet 1100 AP. Also as said in the "DEBUGGING" lines in the manual, change on thing at a time .... I'm using default setup, only uncomment the sql in the default "sites-enabled" Running version: 2.0.3 I'm here so far .... radtest 44 4444 localhost 1 testing123
From the "radiusd -X" User-Name = "44" User-Password = "4444" NAS-IP-Address = 172.17.4.1 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 44 rlm_sql (sql): sql_set_user escaped user --> '44' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '44' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '44' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '44' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "4444" rlm_pap: Using clear text password "4444" rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [44/4444] (from client localhost port 1) Finished request 37. Going to the next request Waking up in 4.9 seconds.
That means it knows my user .... +----+----------+--------------------+----+-------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------+ | 2 | 44 | Cleartext-Password | := | 4444 | +----+----------+--------------------+----+-------+ Now I'm trying to Auth from my windows vista to the access point ... I'm posted all debug from the session: User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x2c78ecc5c0e94423b079797fb172c8a9 EAP-Message = 0x02020007013434 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 7 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 44 rlm_sql (sql): sql_set_user escaped user --> '44' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '44' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '44' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '44' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled EAP-Message = 0x0103001604101ff42f65fb82fd975b5cce4925620508 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051ac4ce41caf8c0fb3ddec01f0 Finished request 38. Going to the next request Waking up in 4.9 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0xbaeede640114549687d2d83426b3629b EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051ac4ce41caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 44 rlm_sql (sql): sql_set_user escaped user --> '44' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '44' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '44' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '44' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051ad4bf91caf8c0fb3ddec01f0 Finished request 39. Going to the next request Waking up in 4.9 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0xa94ce1a35fdea2d052afa1f206662678 EAP-Message = 0x0204007119800000006716030100620100005e030147eaeedd67f44753eca6bf1b25ce0a71b731d414137b7a8064d2aa9f3e8bd48d000018002f00350005000ac009c00ac013c01400320038001300040100001d0000000700050000023434000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051ad4bf91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 113 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 103 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0062], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 084e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0105040019c0000008ab160301004a02000046030147eaeeeb095d1a1e0b315cd9f0268b134ca77cd5895f40da89812c21caeca0e32039e479dd4abc49d2871a393c28d71b0ddfac0e267de00c586e4cc3bbfd1983f3002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303332363032313532345a170d3039303332363032313532345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e737c8c3ca5af3e7707cd4419ca136ffdc51e18148696a366e09b2eee768 EAP-Message = 0xf656c770f21e6b5b964ae27f4ceefdddcb808219bae71d92befa93658f5c30e0fc077cc0053ec4f30ed422740f1baaea6910f17265509d1454c36e685626bb76650a24262543747f478f337067d75e59c7a0106fd7915e245ec713d0f37d317e323a15b38bc434a1b175e0726259aa7beb188ce53c088dbec44ec51802fda762f9a27f38e41be1d1e579711b00c8f0ac8e7b0a2fb889d6491de037ed8b465a5d4a9a2d3e673eb9c462100bbfaced9f15603c89a70b081f39a916fe9fac9a26874a5a2b99db598ab726d489733fce2b570fd1b01ada4dd74c9eb47cfb82585457fa770203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d0101040500038201010092dc877d80b06ecae5ba2b180d9a462868e2d7da701ff11ba0685c3fbd1652f4b67dfed1e8621cc0bb54c74dc55896274adc89f95485c30d35c8261ddde283c08801d5ac36875554f706046e4142bdcb08bbc8ed80d9fde3b149cbc304bda53d8484f7b0abb357cc528cb61ac3ca5b94a5694ec7c9eee2c85bcda0661fcf595e03b8a8b11e778d9f9513e9e3bcb15552b32f662371a3aa68fa1ff830714340391283ae4569905e47ae9ad97903ff146ce4709bba831d172e46296c42b8fb221675b973129a30c776cb9871a76a368d02352a75386af2783fa3dae5d7c2142226bd4f2014c07d EAP-Message = 0x89f399ca4e40799b54d7b7f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051ae4af91caf8c0fb3ddec01f0 Finished request 40. Going to the next request Waking up in 4.9 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x7a48e054d23bf5218cd465711cdf2d89 EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051ae4af91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010603fc19407d1a9e53e68b483ec93486a6b62800049b308204973082037fa003020102020100300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303332363032313531385a170d3038303432353032313531385a308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cc59d17404c68eb77da5daae25944298fc16f0d16e4af40485998432137ded9c8ecab6adb289e5f182f021a485c2ce0d0408034643fd3e8396f07c2a0d7b321ac9308c81bce0fa87d151a6c78ea6d21fc19734475df7ee EAP-Message = 0x67ff51a6a11960d95c1855453d722a8c7ae3a5ed6f2b90f94f3fb2d2c59fd4af10d121b6c52a57043d7e72b2b82bfd4eef52a668b9835d93c3a7f4f553329464537ed323f1a8b9784a24de668f2d471a06ba0b3269106b446bb5cade889c644b96d59bc3ac98905edcb2737534f75d83778c9374041c947b38515267e61a8cea3241a0834e0a25d94fa3778ddb671c75ad9fbb878989f2d16f06ac03cb74ab803de2659f1baf564c170203010001a381f33081f0301d0603551d0e04160414e230d425fc9675360707dc7d8b81364fcb4202dc3081c00603551d230481b83081b58014e230d425fc9675360707dc7d8b81364fcb4202dca18199a48196 EAP-Message = 0x308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010405000382010100aa73739552fb793eb38967f2cd283e961921b162826a746de1daeebbc9869bb1b9a11631d4655732bc659282809630229d2c454636e5dba531433968ec3f253f0943 EAP-Message = 0xae9d48dcba25d3e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051af49f91caf8c0fb3ddec01f0 Finished request 41. Going to the next request Waking up in 4.9 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0xbca4b17cb162e97121365b24329f3f51 EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051af49f91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010700c51900b428f1e7fcc055a0b54a919224898754cdaa1224993cfd614efb270d034988e65ff91f1bff7b0afaea539505c02990844d4c3866371cd9767ddca1c5d31d1f72c26d3b12f47ec4c5cd98188631557121c1267dab38229ab3b155bce4cfe2e82af9817212cb64fa705f5ed9eb8c34aa67f0ce97b1ff8aa14abd749607d357c855cd95039d65f85c3c9c461ae630a5af488ac8289cc9df8ca6c7cb466a6604d0f7b905c2eff4781fd01d2b7705101f27680b182256ca2e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051a848f91caf8c0fb3ddec01f0 Finished request 42. Going to the next request Waking up in 4.8 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0xa3a63c00ff890e9765dbc6e7b0e9db86 EAP-Message = 0x0207015019800000014616030101061000010201000eff9767934a9d5177220f926c4f85f06024b8e1f9bced0a0fd33624864ab2ca6f88531c736b31beb9d95262ebabaa437975bd07d5705dcef2aa1bbb35deb071e84184f75972ab63506697c027a3e6570dfec441b4823ca1f303733534059deb99f14a5488dbc174a5d985ebdb3464484053bb45f72e4e12f01bfcf1605df3d5b031d087e45f24f79c03f3f6f5eccbe173e08777b76a062d06efc9c32e58d9dc761fb95b5551ad889e1cdaf33a7a211a01bf8379c0568faedf73c050ad7028ec75e5dbcbd551a6ce206495cfe00690d3a03b9554636fd83d6a0d9f6b91017c15578a035b8bf3618b EAP-Message = 0x641db5c4d33b9fe5a9ca377a2de9a74857fb5b3b35c3a1951403010001011603010030d402557fb1e6617086ebe5d21bf90950ed9220350ce2f5de49c6b1cf6de14639b190058ac2b298260275f90f9c04d51d NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051a848f91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 326 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0108004119001403010001011603010030bcfd373096d5438924af92e0207aec4f1ec1c651b2ddaa21f0e8383dcbad84976837bff893b4e6fbf9cb254f51369e2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051a947f91caf8c0fb3ddec01f0 Finished request 43. Going to the next request Waking up in 4.8 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x98e9620b015809364bac4ebfd64a18b1 EAP-Message = 0x020800061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051a947f91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled EAP-Message = 0x0109002b19001703010020320b66e1a80499fc6cc7abf63e8262b634dcf89c1fec94e342f00719e0b05c84 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051aa46f91caf8c0fb3ddec01f0 Finished request 44. Going to the next request Waking up in 4.8 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0xe822cea7db71367fb74643fca49763c8 EAP-Message = 0x0209002b190017030100205fa8fd2083f6024ec6e3265a3184d53ad3dc3e1436f25f1683ddbebe4bbe0102 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051aa46f91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 44 PEAP: Got tunneled identity of 44 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 44 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [44/<no User-Password attribute>] (from client ap30 port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x010a002b19001703010020bbe8e18591d9547924aa8edcf8488ab76d40e59daaa552d122744c0647c3b0d6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac4fe051ab45f91caf8c0fb3ddec01f0 Finished request 45. Going to the next request Waking up in 4.1 seconds. User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x64694103d3bc1eb94961ded676b3c9ed EAP-Message = 0x020a002b1900170301002007064ccd8a958d75834052d3fc66dac7e31f52d610588da475bf61ab46f99be6 NAS-Port-Type = Wireless-802.11 NAS-Port = 691 State = 0xac4fe051ab45f91caf8c0fb3ddec01f0 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 10 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [44/<via Auth-Type = EAP>] (from client ap30 port 691 cli 001b.77d2.b10c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 44 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 46 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 46 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.1 seconds. Cleaning up request 38 ID 123 with timestamp +2658 Cleaning up request 39 ID 124 with timestamp +2658 Cleaning up request 40 ID 125 with timestamp +2658 Cleaning up request 41 ID 126 with timestamp +2658 Cleaning up request 42 ID 127 with timestamp +2658 Cleaning up request 43 ID 128 with timestamp +2658 Cleaning up request 44 ID 129 with timestamp +2658 Cleaning up request 45 ID 130 with timestamp +2658 Waking up in 1.6 seconds. Cleaning up request 46 ID 131 with timestamp +2658 Ready to process requests. The place I think it goes wrong is: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user But what do I need? I have added the user with "dialup_admin" and changed the User-Password -> Cleartext-Password as stated in the Debug information ... But i'm lost here ... I havent done any Radius configuration before ... So i'm completely lost here .... Setting a Auth-Type := System gives: User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x83911cfc873f7688e9ce7b7954aa46ce EAP-Message = 0x02020007013434 NAS-Port-Type = Wireless-802.11 NAS-Port = 710 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 7 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 44 rlm_sql (sql): sql_set_user escaped user --> '44' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '44' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '44' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '44' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type System auth: type "System" +- entering group authenticate rlm_unix: Attribute "User-Password" is required for authentication. ++[unix] returns invalid auth: Failed to validate the user. Login incorrect: [44/<via Auth-Type = System>] (from client ap30 port 710 cli 001b.77d2.b10c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 44 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 47 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 47 Waking up in 4.9 seconds. Cleaning up request 47 ID 132 with timestamp +3218 Ready to process requests. and Auth-Type := Local: User-Name = "44" Framed-MTU = 1400 Called-Station-Id = "001e.be8e.03e0" Calling-Station-Id = "001b.77d2.b10c" Service-Type = Login-User Message-Authenticator = 0x896a8b81dd239b1870c2b24ad9d22689 EAP-Message = 0x02020007013434 NAS-Port-Type = Wireless-802.11 NAS-Port = 713 NAS-IP-Address = 172.17.4.30 NAS-Identifier = "ap30" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "44", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 7 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 44 rlm_sql (sql): sql_set_user escaped user --> '44' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '44' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '44' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '44' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [44/<via Auth-Type = Local>] (from client ap30 port 713 cli 001b.77d2.b10c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 44 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated So .... as you can see ... I'm not at all master of what I'm trying to do here .... Hope there are some help to get ... Links where do read more, as the freeradius site are so big that I dont know where to begin ..... Really hope there are someone that can cast some light over my problem .... really lost. best regards Mikael Syska
Mikael Syska wrote:
I'm using default setup, only uncomment the sql in the default "sites-enabled"
Running version: 2.0.3
I think you have to copy "sites-available/inner-tunnel" from the tar file to /etc/raddb. It isn't installed by default in 2.0.3, but it *is* referenced. Sorry... This is fixed in CVS head. Alan DeKok.
Hi, Thanks, that seemed to get me a bit further to the end .... now I got this: +----+----------+--------------------+----+-------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------+ | 2 | 44 | Cleartext-Password | := | 4444 | +----+----------+--------------------+----+-------+ Here is where its failing: ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for 44 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [44/<via Auth-Type = EAP>] (from client ap30 port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x010b002b190017030100206f04599b56f9940737b9c497b35f5f64e78bceb46ce824932fe2d58d5d3850de Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5856f36f505dea9c1496d5ca0872b221 Finished request 20. Going to the next request Waking up in 3.9 seconds. So ... what do I need to set ... I'm not sure were I can read about this, so this mailing list is my only hope ... :-) Maybe its something about what Alan wrote:
hi,
trying to authenticate Vista against a plain password? PEAP doesnt work like this. you could put an NThash into the database instead.. or try using SecureW2 or other asupplicant that does EAP-TTLS/PAP alan
But I'm not sure ... its still all very new to me ... If you need more information, just say so ... and I will get it. best regards Mikael Syska On Thu, Mar 27, 2008 at 6:38 AM, Alan DeKok <aland@deployingradius.com> wrote:
Mikael Syska wrote:
I'm using default setup, only uncomment the sql in the default "sites-enabled"
Running version: 2.0.3
I think you have to copy "sites-available/inner-tunnel" from the tar file to /etc/raddb. It isn't installed by default in 2.0.3, but it *is* referenced. Sorry...
This is fixed in CVS head.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mikael Syska wrote:
Thanks, that seemed to get me a bit further to the end .... now I got this: +----+----------+--------------------+----+-------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------+ | 2 | 44 | Cleartext-Password | := | 4444 | +----+----------+--------------------+----+-------+
So... you have user information in SQL.
Here is where its failing: ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop
And... no SQL module being called. If you don't tell the server to look in SQL, it won't look in SQL. Alan DeKok.
Will look into that ... but I could auth with the radtest local on the machine, and then I asumed it was using mysql to lookup the user. But as you say, it seem logical :-) I will try and see if I can figure out where the error might be .. or else I will return to the list :-) // ouT On Thu, Mar 27, 2008 at 1:38 PM, Alan DeKok <aland@deployingradius.com> wrote:
Mikael Syska wrote:
Thanks, that seemed to get me a bit further to the end .... now I got this: +----+----------+--------------------+----+-------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------+ | 2 | 44 | Cleartext-Password | := | 4444 | +----+----------+--------------------+----+-------+
So... you have user information in SQL.
Here is where its failing: ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop
And... no SQL module being called.
If you don't tell the server to look in SQL, it won't look in SQL.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It looks like you haven't configured sql (and password is in the database). Ivan Kalik Kalik Informatika ISP Dana 27/3/2008, "Mikael Syska" <mikael@syska.dk> piše:
Hi,
Thanks, that seemed to get me a bit further to the end .... now I got this: +----+----------+--------------------+----+-------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------+ | 2 | 44 | Cleartext-Password | := | 4444 | +----+----------+--------------------+----+-------+
Here is where its failing: ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for 44 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [44/<via Auth-Type = EAP>] (from client ap30 port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x010b002b190017030100206f04599b56f9940737b9c497b35f5f64e78bceb46ce824932fe2d58d5d3850de Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5856f36f505dea9c1496d5ca0872b221 Finished request 20. Going to the next request Waking up in 3.9 seconds.
So ... what do I need to set ... I'm not sure were I can read about this, so this mailing list is my only hope ... :-) Maybe its something about what Alan wrote:
hi,
trying to authenticate Vista against a plain password? PEAP doesnt work like this. you could put an NThash into the database instead.. or try using SecureW2 or other asupplicant that does EAP-TTLS/PAP alan
But I'm not sure ... its still all very new to me ...
If you need more information, just say so ... and I will get it.
best regards Mikael Syska
On Thu, Mar 27, 2008 at 6:38 AM, Alan DeKok <aland@deployingradius.com> wrote:
Mikael Syska wrote:
I'm using default setup, only uncomment the sql in the default "sites-enabled"
Running version: 2.0.3
I think you have to copy "sites-available/inner-tunnel" from the tar file to /etc/raddb. It isn't installed by default in 2.0.3, but it *is* referenced. Sorry...
This is fixed in CVS head.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, trying to authenticate Vista against a plain password? PEAP doesnt work like this. you could put an NThash into the database instead.. or try using SecureW2 or other asupplicant that does EAP-TTLS/PAP alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
Mikael Syska