Need help for adding dictionary and used for check item
Hello, I have problem in adding new dictionary in FreeRADIUS Version 2.2.8, and use the attribute to users check item, but always response Access-Reject. Below is my create step: First, Create 'dictionary.fitivision' in '/usr/share/freeradius2/', as following: # -*- text -*- # # As posted to the list. # # Version: $Id$ # VENDOR Fitivision 49809 BEGIN-VENDOR Fitivision ATTRIBUTE Fitivision-Essid-Name 1 string END-VENDOR Fitivision And add include in '/usr/share/freeradius2/dictionary': $INCLUDE dictionary.fitivision When I test it on reply item, it's workable. But when I used for check item, it always response Access-Reject. The users config as following: "test3" Cleartext-Password := "testpwd", Fitivision-Essid-Name == "test" And the radiux log as following: radiusd: FreeRADIUS Version 2.2.8, for host arm-openwrt-linux-gnu, built on Apr 28 2017 at 10:22:04 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius2/radiusd.conf including configuration file /etc/freeradius2/clients.conf including files in directory /etc/freeradius2/modules/ including configuration file /etc/freeradius2/modules/attr_filter including configuration file /etc/freeradius2/modules/attr_rewrite including configuration file /etc/freeradius2/modules/chap including configuration file /etc/freeradius2/modules/echo including configuration file /etc/freeradius2/modules/exec including configuration file /etc/freeradius2/modules/files including configuration file /etc/freeradius2/modules/mschap including configuration file /etc/freeradius2/modules/pap including configuration file /etc/freeradius2/eap.conf including files in directory /etc/freeradius2/sites/ including configuration file /etc/freeradius2/sites/default main { allow_core_dumps = no } including dictionary file /etc/freeradius2/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/usr/lib/freeradius2" radacctdir = "/var/db/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius2/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius2/modules/pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius2/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius2/modules/mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius2/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius2/certs" pem_file_type = yes private_key_file = "/etc/freeradius2/certs/server.pem" certificate_file = "/etc/freeradius2/certs/server.pem" CA_file = "/etc/freeradius2/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius2/certs/dh" random_file = "/etc/freeradius2/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius2/modules/files files { usersfile = "/etc/freeradius2/users" acctusersfile = "/etc/freeradius2/acct_users" preproxy_usersfile = "/etc/freeradius2/preproxy_users" compat = "cistron" } reading pairlist file /etc/freeradius2/users [/etc/freeradius2/users]:21 Cistron compatibility checks for entry test3 ... reading pairlist file /etc/freeradius2/acct_users reading pairlist file /etc/freeradius2/preproxy_users Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius2/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } } # modules } # server radiusd: #### Opening IP addresses and Ports #### Listening on authentication address 192.168.168.205 port 1812 Listening on accounting address 192.168.168.205 port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=18, length=197 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x021b000a017465737433 Message-Authenticator = 0x07abb25c6fcac61aeb3d0f1e49cc98d6 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 27 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 18 to 192.168.168.205 port 42115 EAP-Message = 0x011c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc312e6f65e8768c16e09584c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=19, length=336 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 State = 0xc30eff1bc312e6f65e8768c16e09584c Message-Authenticator = 0x97c6fbb9e1abd4ef3a74f02b493bd9d9 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 28 length 131 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 121 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0074], ClientHello [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase [603087.097870] [wifi0] [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eFWLOG: [81054832] ap] = handled +} # group authenticate = handled Sending AccessRATE: ChainMask 1, peer_mac a8:2e, phymode 1, ni_flags 0x00040016, vht_mcs_set 0x0000, ht_mcs_set 0xffffffff, legacy_rate_set 0x0fff -Challenge of id 19 to 192.168.168.205 port 42115 071309536f6d65776865726531153013060355040a130c4578616d706c65200x73496e632e3120301e06092a864886f70d010901161161646d696e406578616d70, 6c652e636f6d312630240603550403131d4578616d706c6520436572746966 0xa EAP-Message = 0x696361746520417574686f72697479301e170d313630363, 0x90 ) , 0x90 ) 96e406578616d706c652e636f6d30820122300d06092a864, 0x3, 0x479, 0x0, 0x9 ) 886f70d01010105000382010f003082010a0282010100c946423265b4772617374660729c3c023d379b4681413b66f0de07f15b16eb15b5ee002373b664f5c61e11551f35c7 3f493e1437188fd72840aeeb6ceaf96f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505 fba07a9ee61c4c06d633ec4ec0c0885d07b45952f31d2edea03bb0bb93aa6e42fe7580a3d2f58b052a1fb56bde36002acee20f2e3b92bb99b72b0c67 EAP-Message = 0x65011ccb33e94e5fd90004ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc213e6f65e8768c16e09584c Finished request 1. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=20, length=211 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x021d00061900 State = 0xc30eff1bc213e6f65e8768c16e09584c Message-Authenticator = 0xf40ff990a4a13753cc3f28b33ca5a182 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 29 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 20 to 192.168.168.205 port 42115 7479301e170d3136303632313037343833345a170d3137303632313037343833345a308193310b3009060355040613024652310f300d060355040813 25d9d75e9faa36bacf2d256d8087504d1055532185e593fa3e07f9e6ddad8e457bf8979b2546bdc2768018764158ab0f21ae77998cecd6d1809b278b 0f8d572ebd0d9e887d3081c80603551d230481c03081bd80140e28c41f34600d01ab674c0f8d572ebd0d9e887da18199a48196308193310b30090603 fffb4632ebeca0865b13c0303e9485f59828369fe812f32b4d77d3d9706c7e97666a331797210b32c9cab80c500d4bf29224708affda268acc6bc612 EAP-Message = 0x68d2a1ab15f206e8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc110e6f65e8768c16e09584c Finished request 2. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=21, length=211 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x021e00061900 State = 0xc30eff1bc110e6f65e8768c16e09584c Message-Authenticator = 0xee0d464855fa5a53cf755d16de6fdb07 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 30 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 21 to 192.168.168.205 port 42115 0001470300174104975e7a95fb4a34da8edb2ed340d161af75e08b4a69b597f4cbda60518ee060eeb29b016c3f54fd1ff7fa5f5723e02b9b2409daaa 155596da9065984a02f00d19716a270374c21be8cec30236a14cf2e6eff550a27c26bce5e22b7314a6141ecf8695d2a5a74d9ee2dfe30413058ccb62 EAP-Message = 0xadbf51cc6d2a30b94b8ba5cc45dfc686b316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc011e6f65e8768c16e09584c Finished request 3. Going to the next request Waking up in 4.1 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=22, length=349 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 116030100304477833ffd6e82754c90f5ccfc4fd75f7c67c30f13f0e3b07d3dbd903b794dc8bf52b3eb26040ed2925a094f71bebf30 State = 0xc30eff1bc011e6f65e8768c16e09584c Message-Authenticator = 0x981d19112699f36bcaa048ac6d5cb917 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 31 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 22 to 192.168.168.205 port 42115 EAP-Message = 0x0120004119001403010001011603010030743a197efba6673363d52e38c84ee6af1156dc98475b254286422eec8c0d0c5e4a55682ec8483c791906496be38ca2b0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc72ee6f65e8768c16e09584c Finished request 4. Going to the next request Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=23, length=211 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x022000061900 State = 0xc30eff1bc72ee6f65e8768c16e09584c Message-Authenticator = 0x3ad860d004ef3fcabba5f7614d629707 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 32 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 23 to 192.168.168.205 port 42115 EAP-Message = 0x0121002b1900170301002038f0a9de8c6c35bb8c25d91742508de0756c5f96898a5f807bbf622d860fd702 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc62fe6f65e8768c16e09584c Finished request 5. Going to the next request Waking up in 3.5 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=24, length=248 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x0221002b19001703010020d9a51a72f4d3f026ee29713f988b5ea384f63c39bca9d72cbd454c22dc9f7f6b State = 0xc30eff1bc62fe6f65e8768c16e09584c Message-Authenticator = 0x9598e5c8853b46372c49e0eab0d847b1 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 33 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test3 [peap] Got inner identity 'test3' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0221000a017465737433 server { [peap] Setting User-Name to test3 Sending tunneled request EAP-Message = 0x0221000a017465737433 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 server { # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 33 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaacefa4baaece0d52cbb51841f6886cc [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaacefa4baaece0d52cbb51841f6886cc [peap] Got tunneled Access-Challenge [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 24 to 192.168.168.205 port 42115 EAP-Message = 0x0122003b19001703010030d70c7180d63f7345328c82eee2d29cc97bcbfd56bd375a88759bec5058ea295a12563bc4e70233b1f386d332e063d5c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc52ce6f65e8768c16e09584c Finished request 6. Going to the next request Waking up in 3.2 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=25, length=312 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 10519e089ae2095a3afea8dc67f17dc4b State = 0xc30eff1bc52ce6f65e8768c16e09584c Message-Authenticator = 0xea0f404b1fdc40e787d84bac706215d1 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 34 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433 server { [peap] Setting User-Name to test3 Sending tunneled request EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test3" State = 0xaacefa4baaece0d52cbb51841f6886cc Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 server { # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 34 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius2/sites/default [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: test3 [mschap] Client is using MS-CHAPv2 for test3, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. } # server [peap] Got tunneled reply code 3 MS-CHAP-Error = "\"E=691 R=1" EAP-Message = 0x04220004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\"E=691 R=1" EAP-Message = 0x04220004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 25 to 192.168.168.205 port 42115 EAP-Message = 0x0123002b190017030100200a019db07d5b363141790d2b79f35448849fb36c234d074dbdcaa68b4ec312f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc30eff1bc42de6f65e8768c16e09584c Finished request 7. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=26, length=248 User-Name = "test3" Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "A4-67-06-6D-A8-2E" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "BF8FD357-00000002" Attr-186 = 0x0050f202 Attr-187 = 0x0050f202 Attr-188 = 0x000fac01 Fitivision-Essid-Name = "test" Framed-MTU = 1400 EAP-Message = 0x0223002b19001703010020b8cd3f0acc578a073928fe39c5cd9910ae9fa867c95ddf1aade29daba16fd349 State = 0xc30eff1bc42de6f65e8768c16e09584c Message-Authenticator = 0xfa5287fca7371b423b4170722af255c2 # Executing section authorize from file /etc/freeradius2/sites/default +group authorize { ++[mschap] = noop [eap] EAP packet type response id 35 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius2/sites/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 26 to 192.168.168.205 port 42115 EAP-Message = 0x04230004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.7 seconds. Cleaning up request 0 ID 18 with timestamp +3 Waking up in 0.1 seconds. Cleaning up request 1 ID 19 with timestamp +3 Waking up in 0.4 seconds. Cleaning up request 2 ID 20 with timestamp +4 Waking up in 0.3 seconds. Cleaning up request 3 ID 21 with timestamp +4 Waking up in 0.1 seconds. Cleaning up request 4 ID 22 with timestamp +4 Waking up in 0.3 seconds. Cleaning up request 5 ID 23 with timestamp +4 Waking up in 0.3 seconds. Cleaning up request 6 ID 24 with timestamp +5 Waking up in 0.4 seconds. Cleaning up request 7 ID 25 with timestamp +5 Waking up in 1.0 seconds. Cleaning up request 8 ID 26 with timestamp +5 Ready to process requests. Do I missing something? Thanks Matt Wu
On Tue, May 09, 2017 at 08:38:48AM +0000, 吳子境 Matt.Wu/TP/FITI wrote:
I have problem in adding new dictionary in FreeRADIUS Version 2.2.8, and use the attribute to users check item, but always response Access-Reject.
Dunno, doesn't work here in v2. It works fine in v3. Version 2 is unsupported now, so upgrade to v3.0.13. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Matthew Newton -
吳子境 Matt.Wu/TP/FITI