Failing to authenticate using FreeRadius(in OpenBSD) + XP as a client + Cisco AP 1200 using peap
Hello All, Thanks in advance. Trying to authenticate login just using "users" file. And getting the following failure: rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [bob/<via Auth-Type = EAP>] (from client myhost port 693 cli 000d.8857.52cc) Copied the whole log of radius server and also attached a single file which includes the configurations of eap.conf, clients.conf and radiusd.conf I would appreciate some directions in debugging this issue Thanks Raja Script started on Tue Jun 17 16:31:00 2008 # radiusd -X FreeRADIUS Version 2.0.3, for host i386-unknown-openbsd4.1, built on May 6 2008 at 07:30:48 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.176.2 { require_message_authenticator = no secret = "password" shortname = "myhost" nastype = "other" login = "!root" password = "password" } client 192.168.176.1 { require_message_authenticator = no secret = "password" shortname = "myhost" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "password" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.176.1 port = 1645 } listen { type = "acct" ipaddr = 192.168.176.1 port = 1646 } Listening on authentication address 192.168.176.1 port 1645 Listening on accounting address 192.168.176.1 port 1646 Listening on proxy address 192.168.176.1 port 1647 Ready to process requests. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x3cefdb1079d5ae27b486cdafcf52e5db EAP-Message = 0x0202000801626f62 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry bob at line 76 expand: Hello, %{User-Name} -> Hello, bob ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Reply-Message = "Hello, bob" EAP-Message = 0x010300123604107c58cb4abcf0127423956d77efc0b1b3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a90191c8e0507761a6d9eb3e051 Finished request 0. Going to the next request Waking up in 4.9 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x27f49eceb429e2cf4b1a2911b78478 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a90191c8e0507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry bob at line 76 expand: Hello, %{User-Name} -> Hello, bob ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Reply-Message = "Hello, bob" EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a90181b930507761a6d9eb3e051 Finished request 1. Going to the next request Waking up in 4.9 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0xd8d442203b63fbd1bebfc5e8b2550d EAP-Message = 0x02045019800000004616030100410100003d0301485849579271b361f36ac3ad41780d2fe01e15767d39e065bcb271ffc3c43e00001600040005000a000900640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a90181b930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0105040019c0000008bb160301004a0200004603014858494b7669c2c48489d8665eb0013b94d3aa4bdecc4875b5c948f822226d8020e56d672a5fbf70d0079a03d50d851336fbc7cc543f18da07c776f25f55ce4a7a000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906035504061302465231000d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631373232333335385a170d3039303631373232333335385a307c310b3009060355040613024652310f300d06035504080652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c3403d2d798fb6f194d86b12ff215e1afe7debef361c4aad17dc70a99632 EAP-Message = 0x704bd32a7a55fe1a655f1e561a34463799a8a52fc34b4244dcdc28f16969496d48f0fc031b68de62c18abf1943a3561f2c192364f7e5fd5e6ecfc56043dc726d65af142c207f92b9b7a0ef4826924fa84e9c57b1ea1136294b419a14a785ef03c50216df5f70759b47e0ae61c60419a81231bc82b26b3b550b13d52e9d02255f24c0dab1069759563dd3d27c86d0d873d6d56ad7b6abb4520edeb7989f7cfd2214ae73e7bb97b227354d7b4c370b90215fe11d397669dd871ab584e97469325d023afd3b1bb7dd7ae2939cb497b211788ec148e4a662247d29fe6b99ba48e551b70203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101004c9b1df24b63e703347729b65cd37475a85ae1d611be6bcc8117306d2d29a912857f32981baa8186183e47fe58cc4c4b7641dd3a48bcca91060c9bb423b239324202bed2d900ad8cfd393329ecdb9352c6d62124853809e72134e85ebbab0278e738ca3ae871deee8cca525d6945dbb748c0770f75318b50b652ff66dc05ab1f7be4018f915accde010e0e5ef9cfe7c8a6466c45251f73985553c24fba1683c7e80078da9f30c7b83da6f70873130dad5c915b07e24c07390c72dc5661c94e12cafac1c31f8d1ccb87866d9de7e1064d4bc3d347b4c9057aa892d32bd1d1e69762cf426c67 EAP-Message = 0xc3470ea88d07a75dbb3c844a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901b1a930507761a6d9eb3e051 Finished request 2. Going to the next request Waking up in 4.9 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x90ad9901a9e534dd43519ce01dfa8de7 EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901b1a930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010603fc19400f8d1f539991634ee4da9958fc980004ab308204a73082038fa003020102020900b4d3408cb5b742e1300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631373232333330355a170d3038303731373232333330355a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100adf9731579fccd42f3ae8bb15d05de971825d36965707d986a3dcb580f0df15f6a89c039a0339f42318982153d059414852664c055b13e1564335c016ebc63812d3f446762809629fc250cbf42ccb3 EAP-Message = 0xe38f53233d17c50cbd743c99f4ca7e09006df13be64d9a4714e0ddfa4f97aa545735fcd2d29168313dbcde2b3ee22d12b4bddbfbef59ddba4ba2b9e90a1a64570c3bf8b8e7dd434f8a138ad1d564f5b2aa83d87e7368f97f7e307ffcf51c69baa73872c72a56c8d28899c933297923e0b2954909945549f8ae93854ba661aa149cff6cbf3332e6c7de2638676f196213646e818a214adc4f40aba012550feeecf4d11bc2ed4d2f38ab0eada49b6975263d0203010001a381fb3081f8301d0603551d0e04160414a67218b90dacd79a6298636476224c2f8c7e572a3081c80603551d230481c03081bd8014a67218b90dacd79a6298636476224c2f8c7e EAP-Message = 0x572aa18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b4d3408cb5b742e1300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010055b89baadf905b039ceb8014ff014dc67e8c08cd2242af10244f2693f3b07614d07a35231ba19b69dc5d66a0b04be0c7dc94 EAP-Message = 0xf3377e71e00a3942 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901a19930507761a6d9eb3e051 Finished request 3. Going to the next request Waking up in 4.8 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x8f070da35043c737cbc5d672513d923d EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901a19930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010700d5190005151baedaadd0453f1ed6d2e419265da42097ce6d1e9195f232addfd35f16baa84f086ca843e92ee39ac6c2f1ac78c556fe41196e03d607629bb4ffb59c4470a0deee9a710a2c79145029ef6e563a6e9cac0255ee1be47c0fbe040ebca66fa98355cb384d03453570e9931e27c4758fef55063853a0b5efc3503927685c5b657af09a0bdae8c2aa17bd919dd5c27b57d9954328cd30dbe6d55738a6a6dd8bf41f937a312e419052a760337a0ab15acee3bc29bfd7cc0c43efb73fa0dd46541f1a8e914cc1b316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901d18930507761a6d9eb3e051 Finished request 4. Going to the next request Waking up in 4.8 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0xc67a250f9491ab50dccf0c2eefb85e07 EAP-Message = 0x0207014019800000013616030101061000010201006b7ade6b3156f6e1602ccb225a60b6ee436eaf84feb3689b8ed83987c0cfbafe40559ce89982ac46982fc47df1f0174fc69d7e782a9ceeee35d866bd8a750a9772fb2307f1831b37cd9f4c390aa490b99d7568b62d5ce30b2846680305b92cec4695642b3dd684748ae74a36b372ed7ff8e3492964b5f28d115e2d961aae5680279bceb97f23f500dbdd579d8b18bbf09ae0f73842a7bb6d903ec23441ce1ef62f430389008cda402b7dc097a00d239a71122f629d6e262d1afc6b315fab246732c00c923b8b6b69a70c9cb5ffb337cf5b54b7f3f92e66d195f8d31f3eec9dd0cb5a444485a6124d EAP-Message = 0xb3bb75c4644ecd2779d32352ccc72de928fc2c770efa43311403010001011603010020418d5a00d54b7985cecf7347bfa7831d4617b6c701d3c42b6f22ee7a83050317 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901d18930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x01080031190014030100010116030100202a24937c57f29c8a051fcd131fe5330a39a71116cbd68d9e75ffe189051c4101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901c17930507761a6d9eb3e051 Finished request 5. Going to the next request Waking up in 3.8 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x3db43e10eef0c7186e4a64b8522e76b5 EAP-Message = 0x020800061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901c17930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled EAP-Message = 0x01090020190017030100157a7f9183493e68e7e04ab4e03be335e5678ece8fc2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901f16930507761a6d9eb3e051 Finished request 6. Going to the next request Waking up in 2.1 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0x60071387ab9d40bd3f3bf6dfdfd23bd6 EAP-Message = 0x0209001f19001703010014933d09de1256f1a70674998d777d287f56abef4d NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901f16930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 31 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - bob PEAP: Got tunneled identity of bob PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to bob auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [bob/<no User-Password attribute>] (from client myhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x010a00261900170301001bd432cd4b6c7809f2f1963d19db2bd938852e35eb0fae057d7f4501 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x191f8a901e15930507761a6d9eb3e051 Finished request 7. Going to the next request Waking up in 0.5 seconds. Cleaning up request 0 ID 127 with timestamp +16 Cleaning up request 1 ID 128 with timestamp +16 Cleaning up request 2 ID 129 with timestamp +16 Cleaning up request 3 ID 130 with timestamp +17 Cleaning up request 4 ID 131 with timestamp +17 Waking up in 1.0 seconds. User-Name = "bob" Framed-MTU = 1400 Called-Station-Id = "0019.aa76.b8e0" Calling-Station-Id = "000d.8857.52cc" Service-Type = Login-User Message-Authenticator = 0xcce353e6bb64391c709c0c120687d4df EAP-Message = 0x020a00261900170301001b8d04372db319eb3bf826cdd928abdc26e908edb7dec7425f95ef59 NAS-Port-Type = Wireless-802.11 NAS-Port = 693 State = 0x191f8a901e15930507761a6d9eb3e051 NAS-IP-Address = 192.168.176.2 NAS-Identifier = "myhost" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bob", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 10 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [bob/<via Auth-Type = EAP>] (from client myhost port 693 cli 000d.8857.52cc) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.1 seconds. Cleaning up request 5 ID 132 with timestamp +18 Waking up in 0.8 seconds. Sending delayed reject for request 8 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.8 seconds. Cleaning up request 6 ID 133 with timestamp +19 Waking up in 1.5 seconds. Cleaning up request 7 ID 134 with timestamp +21 Waking up in 2.5 seconds. Cleaning up request 8 ID 135 with timestamp +22 Ready to process requests. ^C # exit Script done on Tue Jun 17 16:31:44 2008 http://www.nabble.com/file/p17957152/test1 test1 -- View this message in context: http://www.nabble.com/Failing-to-authenticate-using-FreeRadius%28in-OpenBSD%... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Raja Peer wrote:
Trying to authenticate login just using "users" file.
And getting the following failure: rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
That message means you're supposed to read the REST of the debug log to see where the REAL error is.
Copied the whole log of radius server and also attached a single file which includes the configurations of eap.conf, clients.conf and radiusd.conf
You're running 2.0.3. It has a bug where the "inner-tunnel" file isn't installed. Install it, or upgrade to 2.0.5. Alan DeKok.
Thanks ofr your reponse Alan. Here is the other error message.... auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [bob/<no User-Password attribute>] (from client myhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE Anyhow I will try again with version 2.0.5 Raja Alan DeKok-4 wrote:
Raja Peer wrote:
Trying to authenticate login just using "users" file.
And getting the following failure: rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
That message means you're supposed to read the REST of the debug log to see where the REAL error is.
Copied the whole log of radius server and also attached a single file which includes the configurations of eap.conf, clients.conf and radiusd.conf
You're running 2.0.3. It has a bug where the "inner-tunnel" file isn't installed. Install it, or upgrade to 2.0.5.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Failing-to-authenticate-using-FreeRadius%28in-OpenBSD%... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Alan DeKok -
Raja Peer