how to set eap/ttls tunnel with auth-type pap work
Hi Alan/Ivan: As i configured my freeradius server 2.0.5 for our realm xxxx.ca with Ivan's guides it works well by local test or NTRadPing (from WinXP) which did not use any eap stuff. But as I tested by Netgear AP which needs to use eap/ttls/ tunnel and in the tunnel to use pap then it failed with message "rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user." (no matter if my username with/without realm). Before I created realm xxxx.ca in proxy.conf file both types of tests( i.e. with/without eap/ttls tunnel)work fine. enclosed here the debugging output message: rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=52, length=153 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000b01616e6479616e Message-Authenticator = 0x9b0622cd28c0ca07a2894252266d9582 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:18 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for andyan WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan) expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.eciad.ca:389, authentication 0 rlm_ldap: bind as cn=radius,ou=Applications,dc=eciad,dc=ca/#password to ldap1.eciad.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) rlm_ldap: Added User-Password = {crypt}24234234fsdgfs2342 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user andyan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 52 to 10.10.10.29 port 1265 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c8576424c846361777cb0ac160f1e24 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=53, length=272 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201007015800000006616030100610100005d030148867b68f229dc3370728c32f16cc8eba5dace189d85f03d39f18438ab70dbde000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 State = 0x4c8576424c846361777cb0ac160f1e24 Message-Authenticator = 0x5d147b305a321b03b57beb1712544955 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:18 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 1 length 112 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 102 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 53 to 10.10.10.29 port 1265 EAP-Message = 0x0102040015c0000008bb160301004a02000046030148867b5eef813368f7f8a4d7a1763bcb77f3abe2e302c009685f134c0dd2a5d820f3f04518281bc20040b6888ed2ac438c03f5acefad34e1e45c69a9d22ddd6349002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383232303934315a170d3039303631383232303934315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5d8f1bfb0aec2555c5e034ee4677c814ac120afc2c6737fae65f755df4a EAP-Message = 0x2af9434f85596064fc5bcd9b5f2e16f426c39ff51614c80a65c2e067a3a4c7911a38a3b8839007ea4d03cbda93410f383e643cd8bd788e9e14d2b3abd1067ad10efcc6eb0f8b8c0302ff00327e8604af8c16debd1e6ca2195d2b8187ca25e77d5f7bd4c84b985981baf5fd0be7cabe98da5d14817bd3ad62f2ac4f281098433100a22663ddb348f2a6ed0dd82f1de13a8ad2a57a3afe6d1e82eca0bf7f708ef7b7999a1af5b78b30171d2a40ce03d8b4daedcacd5bd389559f4b7fc82a4c411712829a3b5a09686b33a1c50abe21e8cff6189d8a481e19871e6f8b629e79dbf5ff590203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100abdc8d29f0855dd309bd358b192e5c368fa45e161de5671519a4ae6db6c8ed586c8a6c3565dbc39b7c3c648061daabd6d1a220997c7caf6d105df85affd385a5dbae3b9b9040f59b066fa399496d909f04ffbe88e13cb90791e3fa8cb66577101e2967fe5a9d562b5c903c7f3625c59de375241836391ccb85aaad9d02a15af33203b928cdff6276ad00bfdaf17f5ef12d0370926d5dee595b22f0dd8a332ffe2c6e3f80d55551787a6b58e31933c44a6282f6eaaefc8c454955db064b742cf6907cf558d08da46b3a3e1925581fee05bb6ca641511d4f35c7880bbedfed8ea20f0276b21a85 EAP-Message = 0x2889877f5db3c70defc739be Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c8576424d876361777cb0ac160f1e24 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=54, length=166 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061500 State = 0x4c8576424d876361777cb0ac160f1e24 Message-Authenticator = 0x0b5f2f4dbef2761860878e8a58a3fb97 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:19 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 54 to 10.10.10.29 port 1265 EAP-Message = 0x0103040015c0000008bbcef8e8135051d22c8e604c46bbe50004ab308204a73082038fa003020102020900964407b7ca8a72e7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383232303933395a170d3038303731383232303933395a308193310b EAP-Message = 0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e71a28d861d1bc000ead67dda77fc24c88fd7f4e6b154ec39e6c1328da93acb45c4203d45485a76bd3ebf28e55486d785b45f54c81ee601a8e73e1c07d16f606a1b6146055903f54ebc8a5 EAP-Message = 0x06d421fb703b664bc1a37493d95559d894f04a2ca09c3c5292e9d82cff10a031177cab034ab883b3871e6c2460325a0d8a2a68322698cde33ad81ed808a429177249ff720932bea36f3558c8037fba4110a20451ed263bdd7021686bc816249ff209de18ebc36a923977b852b198a70b3601fb87b263c740a0d191a59591300981709f9beb6987b67bdfa820db88dcb3c3af3fa827552afb43f6accf386739f292c311b7f6287609afec629a4b8f1c0c0d4a9e165d0203010001a381fb3081f8301d0603551d0e041604148fc1ab4304f6a473ea66c4512ef6f9a078dbe3623081c80603551d230481c03081bd80148fc1ab4304f6a473ea66c4512ef6 EAP-Message = 0xf9a078dbe362a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900964407b7ca8a72e7300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008c2687a029f098693008dbc4ee9968c7e71b0a4792003dc2d62403a142c75c227df610ac8979ffd430cf55103bab EAP-Message = 0xb78977c9a55b9a3571e655a3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c8576424e866361777cb0ac160f1e24 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=55, length=166 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061500 State = 0x4c8576424e866361777cb0ac160f1e24 Message-Authenticator = 0x427b0f9046aa0368441bfe10c2d7179a +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:19 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 55 to 10.10.10.29 port 1265 EAP-Message = 0x010400d91580000008bb04ae601515d34e563c02cc3de859401a836dc8d5b9e0c675cc610078839fc238a6f3ca30ce79381a61c588416489587635fe1fa874b66bc643d652e322305ad54f40382d23f7fe74c6df9df734c099780d8604e304ca13d8bc9e2bb3ebd9221731634de6099bb36ff584bae8b16bfd00d3b19ffe67c20b40e9d66366325f55810904fc6fa593c6186bf3cedd075e3c447a65a23d444547c434ec02220b377133980437496ee79601f296ea241e10ed902bcdf83adac9980a26ac91f4b034ef1e88febcd2e3a416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c8576424f816361777cb0ac160f1e24 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=56, length=498 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204015015800000014616030101061000010201004ceebe5f879c41a3395d900eea4eb9966d09e70dc9df76e62f4b0affb35186dbaf85a117a323524a163eaa6f96d26ed9c7e9e75bbf86c15067035166e9e00b5e7226527516b954ba6b671993562c37555bbfe8a01223163311723e6e54d4f799c84d5c31745b311c0ac699953c5b854eb6f490116780513148e5d1e65c5974824b5fb3d951969c0e631c0511f7a5e4362927de0802017cb1bddf30bcf459b83f4faf5c1bc0e9b3d2714121d5e8952ab7746f63747bfb56134f5943d006a9c08a66de60ee8f2bf08ecea6919f8c9b1fd54dd4ad4d4ceefe6ac7bdeb8a4618549b22278c2065efcff4 EAP-Message = 0x24092ced63af3d613749e3b3b718a8050e3598c26e4fa27914030100010116030100300e32ab01355213c817cdedc7514b16d9b5f9e654efa6b9719e0270680c1ba911b01901404fc087870162cdadcd55db30 State = 0x4c8576424f816361777cb0ac160f1e24 Message-Authenticator = 0x35b507b12476ef1128fe82146ce3a7eb +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:19 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 4 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 326 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 56 to 10.10.10.29 port 1265 EAP-Message = 0x0105004515800000003b1403010001011603010030fde8c6f00ff0117be406521d638021351155e4bf6e518fe011ae9856c9a02a77a7c883770992848eb3f5ef926cb0a2cd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c85764248806361777cb0ac160f1e24 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=57, length=319 User-Name = "andyan" NAS-IP-Address = 10.10.10.29 NAS-Port = 2 Called-Station-Id = "00-14-6C-CC-93-E8:eduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205009f1580000000951703010090a9ab31a7f43c2c59f864f296d626095e508727aa6d4307653d6b9ecbe7650e8ea07fdb2154f9309e6beae535be1fff046b09d490cb1812abd04d9786a8581c5aff4c9bcded643edc67f71220341b01f4bcc1cd1eb13f3610fe7ddef6bb2b7b78f9d131f3c788f156c965e1fcd9fa219ae71b29e33f8cb796582208aa4155e240d2f19d32eb483e97707ca9d74e47924c State = 0x4c85764248806361777cb0ac160f1e24 Message-Authenticator = 0x0ae56b01a9b527a7ea9ec6b016b0f1c3 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:19 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 5 length 159 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 149 rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722 expand: %t -> Tue Jul 22 17:29:19 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "andyan" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for andyan WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan) expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) rlm_ldap: Added User-Password = {crypt}26dafouiho8902 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user andyan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> andyan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 57 to 10.10.10.29 port 1265 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5. Going to the next request Thanks in advance for any guide/clue. -- Andy An Junior Programmer Information Technology Services Emily Carr University of Art and Design Tel: 604-630-4556 Fax: 604-844-3801 SB Room 341
rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user.
Are you sure your supplicant is set to use PAP inside TTLS? You have disabled chap and mschap on the server so we can't see what is supplicant sending - it doesn't seem to be pap. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Andy An -
Ivan Kalik