Hello folks, I want to do a setup with a HP Procurve 520wl Access Point, OpenLDAP and FreeRadius with 802.1x and users in my LDAP backend. LDAP and Radius works fine, when i do a radtest user pass radius.domain.tld 0 secret i get an access accept package back. Now i configured my AP to use the Radius server for 802.1x auth, when i want to logon into the WLAN I enter my user and pass that just worked with radtest but I recieve an acces reject package. This is really strange cause the Radius debug mode tells me LDAP connection successfull. I use clear passwords in the backend, so there should be no problem. Anyone has an idea for my problem? Here is the Radius debug message with the access reject packet: rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(uid=user)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 11 to xxx.xxx.164.26:6001 EAP-Message = 0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5 2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94 028c87d7a170ce86f302e35c4e658d09f17016227f0003cf308203cb30820334a00302010202 0900927540ab5d693004300d06092a864886f70d01010405003081a0310b3009060355040613 0244453110300e06035504081307426176617269613112301006035504071309577565727a62 75726731163014060355040a130d4765466f656b6f4d20652e562e31193017060355040b1310 4765466f656b6f4d20652e562e20434131193017060355040313 EAP-Message = 0x104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901160e636140 6765666f656b6f6d2e6465301e170d3035303531363137313832335a170d3036303531363137 313832335a3081a0310b30090603550406130244453110300e06035504081307426176617269 613112301006035504071309577565727a6275726731163014060355040a130d4765466f656b 6f4d20652e562e31193017060355040b13104765466f656b6f4d20652e562e20434131193017 060355040313104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901 160e6361406765666f656b6f6d2e646530819f300d06092a8648 EAP-Message = 0x86f70d010101050003818d0030818902818100c8124b32b761710b8c576a5b8f566a1dd8cc 97c423dfd8901cd58b9e90960328233879b3a09ebda855dbaa4376c00318ebc1767173051ae1 5995a1d41c9a6289707d5f7dd1e608ca5071e2aeb99092204f9386789c9ec8d5f754a26e9940 297ffbe547b5d0cf5ee16566abcc7578e25ac6a3b5e57befee43f2828174d27db19f02030100 01a382010930820105301d0603551d0e04160414ac6e4891d5a749d6548d7eda627ca2d64d12 d2693081d50603551d230481cd3081ca8014ac6e4891d5a749d6548d7eda627ca2d64d12d269 a181a6a481a33081a0310b30090603550406130244453110300e EAP-Message = 0x06035504081307426176617269613112301006035504071309577565727a62757267311630 14060355040a130d4765466f656b6f4d20652e562e31193017060355040b13104765466f656b 6f4d20652e562e20434131193017060355040313104765466f656b6f4d20652e562e20434131 1d301b06092a864886f70d010901160e6361406765666f656b6f6d2e6465820900927540ab5d 693004300c0603551d13040530030101ff300d06092a864886f70d0101040500038181004a36 34f23e46d180ec87122ee39ba0c6757d22a23ec39a38e3f282e82efb7428b83d04f665e28b00 e99a88217803c1abb4a0bc90fe6a51a37eec1c1868853a5436d5 EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc479631c6d6d413371d8af0ebf14ac4f Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=12, length=155 User-Name = "user" NAS-IP-Address = xxx.xxx.1.66 Called-Station-Id = "00-08-88-12-2e-3f" Calling-Station-Id = "00-0d-37-ab-2f-c7" NAS-Identifier = "ORiNOCO-AP-2000-00-02-00" State = 0xc479631c6d6d413371d8af0ebf14ac4f Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(uid=user)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 12 to xxx.xxx.164.26:6001 EAP-Message = 0x0106003b1900715e896f163c5ccb279cd28b82295a1bd493ac86f6ffe4733d43f380f4871b 567d14ecb8d5171f15de61995e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xccbffd45885465294711dc5bf8395320 Finished request 3 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=13, length=341 User-Name = "user" NAS-IP-Address = xxx.xxx.1.66 Called-Station-Id = "00-08-88-12-2e-3f" Calling-Station-Id = "00-0d-37-ab-2f-c7" NAS-Identifier = "ORiNOCO-AP-2000-00-02-00" State = 0xccbffd45885465294711dc5bf8395320 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600c01980000000b616030100861000008200801942772db96a99e5e538cb1d5d208967 b1353ea1158512bb1bd050ab7e2aca218fe43e45fbb41a076a2a0dad179b456de8d7afce55b7 c72e125ebe3bb4c42ff4804ded92a10e29c9f021a9dcfe7cac9c60fc41d1be343c7cb74b2889 5a5855e476b79b5db1fea73e1d0615baa9bfcca6004b37f7ebc2ef0f54e6d38ba0c57a631403 010001011603010020340f13326352d4d4b739b0a1d5350db6b211be3d1b16345f3429ce4875 18e879 Message-Authenticator = 0x1379379ef003130e6e5d8bc4ea849160 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(uid=user)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 13 to xxx.xxx.164.26:6001 EAP-Message = 0x0107003119001403010001011603010020eb7dbacfe1675927e1f3fcf8e5f61914d375ca69 10fcded8e503adb2dbfccbff Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbe4b1111c47a456a9bbe659aa28a4911 Finished request 4 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14, length=182 User-Name = "user" NAS-IP-Address = xxx.xxx.1.66 Called-Station-Id = "00-08-88-12-2e-3f" Calling-Station-Id = "00-0d-37-ab-2f-c7" NAS-Identifier = "ORiNOCO-AP-2000-00-02-00" State = 0xbe4b1111c47a456a9bbe659aa28a4911 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700211980000000171503010012a389dbe218dce122f0104ff21769ccb64b2b Message-Authenticator = 0xca07ce402c4e46c7342a2abc05383cab Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(uid=user)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: group authenticate returns invalid for request 5 auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14, length=182 Sending Access-Reject of id 14 to xxx.xxx.164.26:6001 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 9 with timestamp 43886940 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 10 with timestamp 43886941 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 11 with timestamp 43886942 Cleaning up request 3 ID 12 with timestamp 43886942 Cleaning up request 4 ID 13 with timestamp 43886942 Cleaning up request 5 ID 14 with timestamp 43886942 Nothing to do. Sleeping until we see a request.
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: group authenticate returns invalid for request 5 auth: Failed to validate the user.
The lines just before the reject hold the clue. Zoltan Ori
Does anyone have a working php authentation page working with the radius server to authentate users to a website using the radius server? I have found one example on the net, but able to get it to work. using Freebsd, and apache and php5
I never tried with with php, but there is an apache module available which you can pretty easily use with perl or perhaps mod_perl even. Here is the sample code, Apache::AuthenRadius # Configuration in httpd.conf PerlModule Apache::AuthenRadius # Authentication in .htaccess AuthName Radius AuthType Basic # authenticate via Radius PerlAuthenHandler Apache::AuthenRadius PerlSetVar Auth_Radius_host radius.foo.com PerlSetVar Auth_Radius_port 1647 PerlSetVar Auth_Radius_secret MySharedSecret PerlSetVar Auth_Radius_timeout 5 require valid-user -apu --- "Global Net, LLC" <jeffa@globalco.net> wrote:
Does anyone have a working php authentation page working with the radius server to authentate users to a website using the radius server?
I have found one example on the net, but able to get it to work. using Freebsd, and apache and php5> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Do or Do Not, there is no try.
Zoltan A. Ori wrote:
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: group authenticate returns invalid for request 5 auth: Failed to validate the user.
The lines just before the reject hold the clue.
Zoltan Ori
What to do? Im running the latest version out of the FreeBSD portage tree. I can't find anything on google.
On Saturday 26 November 2005 12:27, Christian Poessinger wrote:
Zoltan A. Ori wrote:
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: group authenticate returns invalid for request 5 auth: Failed to validate the user.
The lines just before the reject hold the clue.
Zoltan Ori
What to do? Im running the latest version out of the FreeBSD portage tree. I can't find anything on google.
I'm not an expert and am often wrong, but I don't think FreeRADIUS is the problem here. Everything is working up to that point. Does it break at the same place every time? Double check the NAS and supplicant configurations.
Zoltan A. Ori wrote:
I'm not an expert and am often wrong, but I don't think FreeRADIUS is the problem here. Everything is working up to that point. Does it break at the same place every time? Double check the NAS and supplicant configurations.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tripplechecked the configs and found nothing. As i said, radtest works fine. Ist this EAP thing.
On Saturday 26 November 2005 13:58, Christian Poessinger wrote:
Zoltan A. Ori wrote:
I'm not an expert and am often wrong, but I don't think FreeRADIUS is the problem here. Everything is working up to that point. Does it break at the same place every time? Double check the NAS and supplicant configurations.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tripplechecked the configs and found nothing. As i said, radtest works fine. Ist this EAP thing.
Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in your logs.
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described in many Howtos.
MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no mschap info in the tunnel which is indicated in the error message: rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. The error messages in FreeRADIUS are very informative and always right on the money in the cases I've experienced. At this point, I would check to see what my supplicant was configured to send and then check my eap.conf to make sure that RADIUS was configured to receive it.
hi ca somebody post a howto what describe the configuration: - peap/mschapv2 with ldap and freeradius - client configuration (M$ Windows XP, SecureW2) thx Zoltan A. Ori schrieb:
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described in many Howtos.
MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no mschap info in the tunnel which is indicated in the error message:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel.
The error messages in FreeRADIUS are very informative and always right on the money in the cases I've experienced.
At this point, I would check to see what my supplicant was configured to send and then check my eap.conf to make sure that RADIUS was configured to receive it.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Monday 28 November 2005 04:31, Konne wrote:
hi
ca somebody post a howto what describe the configuration:
- peap/mschapv2 with ldap and freeradius - client configuration (M$ Windows XP, SecureW2)
thx
There are many howtos available that can be found searching the mail archives or googling. Before you spend a lot of time on them, read the documentation that comes with FreeRADIUS and study the .conf files so that you might understand what's really going on. Many want to do a quick configuration based on a howto that doesn't always fit their case. When things go wrong, they don't know what to do and the howto can't help. See /doc in your FreeRADIUS sources for ldap documentation. The comments in eap.conf tell you how to do peap/mschapv2. As far as I know, SecureW2 does not do PEAP. You will have to use the XP's native supplicant. The configuration is straight forward but depends on what you are trying to do. Zoltan Ori
Konne <bridge_stone@gmx.net> wrote:
ca somebody post a howto what describe the configuration:
- peap/mschapv2 with ldap and freeradius - client configuration (M$ Windows XP, SecureW2)
http://www.freeradius.org/doc/ contains multiple howto's. Alan DeKok.
Zoltan A. Ori wrote:
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described in many Howtos.
MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no mschap info in the tunnel which is indicated in the error message:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel.
The error messages in FreeRADIUS are very informative and always right on the money in the cases I've experienced.
At this point, I would check to see what my supplicant was configured to send and then check my eap.conf to make sure that RADIUS was configured to receive it.
OK, i redesigned my CA. I haven't done that xpextensions stuff now i don't recieve the error above anymore. But now i get a new one :/ Any new ideas? rlm_ldap: user XXX authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 35 modcall: group authorize returns updated for request 35 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 35 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 35 modcall: group authenticate returns invalid for request 35 auth: Failed to validate the user. Delaying request 35 for 1 seconds Finished request 35 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.109:6001, id=36, length=166 Sending Access-Reject of id 36 to xxx.xxx.xxx.109:6001 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds...
On Monday 28 November 2005 12:32, Christian Poessinger wrote:
rlm_eap_peap: Had sent TLV failure, rejecting.
Use the latest available drivers for your wireless adaptor. I've encountered many strange connectivity issues that are fixed with new drivers. If the supplicant is XP SP2 you may need the Windows KB885453 hot fix. http://support.microsoft.com/?kbid=885453 You would have to beg Microsoft for it, but fortunately, it is available from many other sources on the Web. KB890937 supposedly includes this fix as well, but I've not used it. The KB893357 WPA2 roll up may also be applied. It doesn't address this problem but does seem to shorten the time taken to get the login prompt and connect. http://support.microsoft.com/?kbid=893357
Zoltan Ori wrote:
On Monday 28 November 2005 12:32, Christian Poessinger wrote:
rlm_eap_peap: Had sent TLV failure, rejecting.
Use the latest available drivers for your wireless adaptor. I've encountered many strange connectivity issues that are fixed with new drivers.
If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.
I requested and installed this fix, but I still get the same error message on the radius server. rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user.
On Tuesday 29 November 2005 08:53, Christian Poessinger wrote:
I requested and installed this fix, but I still get the same error message on the radius server.
rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user.
Are there any other errors in the log? The actual reason for rejection may come long before that.
Zoltan Ori wrote:
Are there any other errors in the log? The actual reason for rejection may come long before that.
Here is the complete log: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=people,dc=domain,dc=de" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "uid" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x8070800 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/server.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem" tls: CA_file = "/usr/local/etc/raddb/certs/ca.pem" tls: private_key_password = "(null)" tls: dh_file = "/usr/local/etc/raddb/certs/server.dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=1, length=122 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202000c016d6f6c6f63686f Message-Authenticator = 0xbeaa1808ab12e585a5deadb77c2e3732 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 1 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98674ca9ef2d38e129a73aa7782190f3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=2, length=208 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0x98674ca9ef2d38e129a73aa7782190f3 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203005019800000004616030100410100003d0301438c6ea9d883f4a2f7c6bfcb4b93c53a ac8646d52a39456bc777be6c6f45f4f500001600040005000a00090064006200030006001300 1200630100 Message-Authenticator = 0x397f7d0167792781a9ae1c2b1d1f521f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06e5], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 2 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x0104040a19c000000742160301004a020000460301438c725f1fd81c936bcfed113ae40c46 61b72ee39930fa7eea0df2581e6fa427209784d4bea0f6acf75163f594a29ccb90d9f8b02430 30b720ebe8949f59da57b800040016030106e50b0006e10006de0002e8308202e43082024da0 0302010202090083518f3dfc548111300d06092a864886f70d01010405003081ab310b300906 03550406130244453110300e0603550408130742617661726961311230100603550407130957 7565727a6275726731163014060355040a130d4765466f656b6f4d20652e562e311630140603 55040b130d4765466f656b6f4d20652e562e3127302506035504 EAP-Message = 0x03131e4765466f656b6f4d20652e562e20726f6f74206365727469666963617465311d301b 06092a864886f70d010901160e6361406765666f656b6f6d2e6465301e170d30353131323831 37313832335a170d3036313132383137313832335a3081a2310b300906035504061302444531 10300e06035504081307426176617269613112301006035504071309577565727a6275726731 163014060355040a130d4765466f656b6f4d20652e562e31163014060355040b130d4765466f 656b6f4d20652e562e311e301c0603550403131563616368656275732e6765666f656b6f6d2e 6f7267311d301b06092a864886f70d010901160e636140676566 EAP-Message = 0x6f656b6f6d2e646530819f300d06092a864886f70d010101050003818d0030818902818100 b9cb481f6e0963e1c04634161ceebaf0d325c645fa3b16c7344852d59226616ad492b9beffd7 6d72f90a944b874862220aa448b96c3bcd0d12bc0d4800f12afa56fd7b7917d8d1c045988fc7 1fc992f47896558e5c6b725f61c2d97e1216e7349841e85be215b97a1da08da3804f154c9433 ebf5f3f2131d2c6b4e91689ecd3b0203010001a317301530130603551d25040c300a06082b06 010505070301300d06092a864886f70d010104050003818100954f187249a6d2c69fc96ff3d4 fd6097d7e454691dc5a220f890fe1bf132ad25ca2e6316d93639 EAP-Message = 0xe4ade04604dc4acd3e286a79600b8d05cd83ee7d5cbf492bbff8bef04e1ef11ff9926f4c71 3fe3c542ce02fb7871b70bfcfcb31b30df8dd840c6651318cb0ca5c1593cd21885deb20c788c 662a3356b4ff662290018db67c9f0003f0308203ec30820355a00302010202090083518f3dfc 548110300d06092a864886f70d01010405003081ab310b30090603550406130244453110300e 06035504081307426176617269613112301006035504071309577565727a6275726731163014 060355040a130d4765466f656b6f4d20652e562e31163014060355040b130d4765466f656b6f 4d20652e562e312730250603550403131e4765466f656b6f4d20 EAP-Message = 0x652e562e20726f6f7420636572746966696361746531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7eb3954031e444b3db54203876edad03 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=3, length=134 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0x7eb3954031e444b3db54203876edad03 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0x8c15155a88a78babd540715a66881fbc Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 3 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x0105034819001d301b06092a864886f70d010901160e6361406765666f656b6f6d2e646530 1e170d3035313132383137303930365a170d3130313132383137303930365a3081ab310b3009 0603550406130244453110300e06035504081307426176617269613112301006035504071309 577565727a6275726731163014060355040a130d4765466f656b6f4d20652e562e3116301406 0355040b130d4765466f656b6f4d20652e562e312730250603550403131e4765466f656b6f4d 20652e562e20726f6f74206365727469666963617465311d301b06092a864886f70d01090116 0e6361406765666f656b6f6d2e646530819f300d06092a864886 EAP-Message = 0xf70d010101050003818d0030818902818100c2f42dc0f736de1faeeca84dfd972cfa7dc17b 59a3c013048d1cfc5cf1fa877526c0beed305322b734dae503cfc2e6a36e34504741fc05eb1d f70733488362ce98ae049198cdf3be6d21fee4cfe01ce457e83fec799dda2918760aa14fc58f a4432ac1fbe0b5b5a035f28d846001c6d214b2dc2d2a4264ad334b65d9c0c891110203010001 a382011430820110301d0603551d0e04160414679c5130da395b84a7252a953e6a26db767a65 4a3081e00603551d230481d83081d58014679c5130da395b84a7252a953e6a26db767a654aa1 81b1a481ae3081ab310b30090603550406130244453110300e06 EAP-Message = 0x035504081307426176617269613112301006035504071309577565727a6275726731163014 060355040a130d4765466f656b6f4d20652e562e31163014060355040b130d4765466f656b6f 4d20652e562e312730250603550403131e4765466f656b6f4d20652e562e20726f6f74206365 727469666963617465311d301b06092a864886f70d010901160e6361406765666f656b6f6d2e 646582090083518f3dfc548110300c0603551d13040530030101ff300d06092a864886f70d01 0104050003818100a01765c40317389726939f485a26f406351ea5631d002403def4c184df58 e715a90cd11d97a321095af44900b39769612e381748fb432319 EAP-Message = 0x313c40d3fe58e53fd81e4162b6a0d78ed9b34f24bc4ab6aefc7dded712b44a6cdc3ef3f592 7cb41e5d04ea7d9e33f5175edafe516763fe885003b2ca4137065daf60e63e493225a1160301 00040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe32db95eb749a564a9e32698b3c17b68 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=4, length=320 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0xe32db95eb749a564a9e32698b3c17b68 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500c01980000000b616030100861000008200804011864a7315ddc591f0f618deb19201 e92a48f722213d71a91808befa6bd63f0ab698147fff1ba6b4d1a17eb2d904ba54c8f34652bd e2ee76fbaa2ad317e300ebcc12d972845c216f75bb49eba71bef9a3dc9a30e8a77eadc58a45f e121221406f628c9b774090721f18ef43fc8d0bdbd1184cd9d9bce1e98a8cb359c9453e51403 010001011603010020e07a32a75b81a2ab3342fb1b0af332cbf93181b4fefe0916d4d4527397 c9ccc1 Message-Authenticator = 0x1a5d9622009137ac596afff58372ffac Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 4 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x0106003119001403010001011603010020bb7e1ce0d239a9355b5ff7b3908ee73574379e48 52146d9e6e6756c429b8a4a3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33629b73cb9a10b3cf9eed3070e62f5e Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=5, length=134 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0x33629b73cb9a10b3cf9eed3070e62f5e Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x86cc07427b971b817bee1a7a65bf2e3a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 5 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x010700201900170301001584ba3216d772e7524013c0eaa7afe8120182212732 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x232b1e4b9267b70fc788e64757ecf902 Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=6, length=163 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0x232b1e4b9267b70fc788e64757ecf902 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002319001703010018b6eb4954605386b30a72850e3a5ea72e34c42a89ba8e7d19 Message-Authenticator = 0xfe197db35b0ed160e73b454581056074 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 35 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - USERNAME rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000c016d6f6c6f63686f PEAP: Got tunneled identity of USERNAME PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to USERNAME PEAP: Sending tunneled request EAP-Message = 0x0207000c016d6f6c6f63686f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800211a0108001c1011c0b719fdf34e651b29739133eb4ea56d6f6c6f63686f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1163558556cd2457c79c36ed236161a4 PEAP: Processing from tunneled session code 0x8181140 11 EAP-Message = 0x010800211a0108001c1011c0b719fdf34e651b29739133eb4ea56d6f6c6f63686f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1163558556cd2457c79c36ed236161a4 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 6 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x010800381900170301002d0d35b3c1a1c900bf994cba9d397a565eda847957dabdc593646e 04b1d098bb18aab33e439c1de66a5966b69fe9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed45b0e459b18225b5ecf79bb76834f Finished request 5 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=7, length=217 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0xfed45b0e459b18225b5ecf79bb76834f Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800591900170301004e5a8ff9bbc8954b8814247395f773c5d148797c2da141d2f5c880 ad556721ad245fdae7c55952885ebe95e8295ad67c7da080452d043f80bc51a71db5904a86f6 f3159bbc46444dff1e79e5bf7fe4 Message-Authenticator = 0xcebdb847a8ebb8d6c35a1a7bd7a9ec10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020800421a0208003d3159b33fc5de767e2b3d0524ac596a5297000000000000000080a403 96640285fab5335eea306db1c64c8143b37a5fab0a006d6f6c6f63686f PEAP: Setting User-Name to USERNAME PEAP: Adding old state with 11 63 PEAP: Sending tunneled request EAP-Message = 0x020800421a0208003d3159b33fc5de767e2b3d0524ac596a5297000000000000000080a403 96640285fab5335eea306db1c64c8143b37a5fab0a006d6f6c6f63686f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" State = 0x1163558556cd2457c79c36ed236161a4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 66 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: group Auth-Type returns reject for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: group authenticate returns reject for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8181240 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 7 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x010900261900170301001bb2954e11fd5d06d5ca10eb691a8d4d703ccc7c58ed084b3fcc39 8c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x995ca850279c2e3114113d48f117ba1f Finished request 6 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=8, length=166 User-Name = "USERNAME" NAS-IP-Address = 172.16.1.65 Called-Station-Id = "00-08-14-7f-ab-a0" Calling-Station-Id = "00-0e-b4-11-3e-cd" NAS-Identifier = "AP1" State = 0x995ca850279c2e3114113d48f117ba1f Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001b32ff56d3ed7fec6de3294e788ffd11aa08859f9036eeb85b128b 72 Message-Authenticator = 0x8b5d57319d9c72d551ff1280cc069a4a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(uid=USERNAME)' radius_xlat: 'ou=people,dc=domain,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=USERNAME) rlm_ldap: checking if remote access for USERNAME is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:6001, id=8, length=166 Sending Access-Reject of id 8 to xxx.xxx.xxx.xxx:6001 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 1 with timestamp 438c725f Cleaning up request 1 ID 2 with timestamp 438c725f Cleaning up request 2 ID 3 with timestamp 438c725f Cleaning up request 3 ID 4 with timestamp 438c725f Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 5 with timestamp 438c7260 Cleaning up request 5 ID 6 with timestamp 438c7260 Cleaning up request 6 ID 7 with timestamp 438c7260 Cleaning up request 7 ID 8 with timestamp 438c7260 Nothing to do. Sleeping until we see a request.
Your problem lies here: modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: group Auth-Type returns reject for request 6 You didn't configure a password for the user. --Mike
Michael Griego wrote:
Your problem lies here:
modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: group Auth-Type returns reject for request 6
You didn't configure a password for the user.
Yes, I did. I have a userPassword atribute in my LDAP backend, also it contains a clear text password. I can fully use this account in the backend for ftp/ssh/http but not with peap/mschapv2 over radius.
On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:
You didn't configure a password for the user.
Yes, I did. I have a userPassword atribute in my LDAP backend, also it contains a clear text password. I can fully use this account in the backend for ftp/ssh/http but not with peap/mschapv2 over radius.
You have ntlm_auth in your mschap configuration. You don't want that for LDAP. You don't need anything NT in that module. The default configuration had everything commented out but authtype = MS-CHAP. Start with that and then add what you need.
Zoltan Ori wrote:
You have ntlm_auth in your mschap configuration. You don't want that for LDAP. You don't need anything NT in that module. The default configuration had everything commented out but authtype = MS-CHAP. Start with that and then add what you need.
Nope, there is everything uncommented. I also tried to add this to the ldap.attrmap file: checkItem LM-Password userPassword checkItem NT-Password userPassword But this hadn't any effect either.
On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:
Nope, there is everything uncommented. I also tried to add this to the ldap.attrmap file:
That's the problem everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have windbindd and nmbd running, you don't need want them in your mschap configuration.
Zoltan Ori wrote:
That's the problem everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have windbindd and nmbd running, you don't need want them in your mschap configuration.
Sorry, my fault :), there was a typo in my last message. I double and tripplechecked my configs but I don't find the error. Can you please have a look? I uploaded em to http://helix.mybll.de/raddb Thanks, Christian Poessinger
Christian Poessinger wrote:
Zoltan Ori wrote:
That's the problem everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have windbindd and nmbd running, you don't need want them in your mschap configuration.
Sorry, my fault :), there was a typo in my last message. I double and tripplechecked my configs but I don't find the error. Can you please have a look? I uploaded em to http://helix.mybll.de/raddb
Thanks, Christian Poessinger
Fixed it myself. After removing checkItem LM-Password userPassword checkItem NT-Password userPassword from the ldap.attrmap file, and adding checkItem userPassword lmPassword instead, it worked. Now i can use RADIUS & LDAP to auth my WLAN clients.
On Thursday 01 December 2005 09:19, Christian Poessinger wrote:
Fixed it myself. After removing
checkItem LM-Password userPassword checkItem NT-Password userPassword
from the ldap.attrmap file, and adding
checkItem userPassword lmPassword
instead, it worked. Now i can use RADIUS & LDAP to auth my WLAN clients.
Good!
"Christian Poessinger" <christian@poessinger.com> wrote:
I tripplechecked the configs and found nothing. As i said, radtest works fine. Ist this EAP thing.
You haven't said what supplicant you're using. Also, it doesn't help that radtest works. radtest doesn't do EAP, so it's testing a completely different code path. Alan DeKok.
participants (8)
-
Alan DeKok -
Apu islam -
Christian Poessinger -
Global Net, LLC -
Konne -
Michael Griego -
Zoltan A. Ori -
Zoltan Ori