Getting PEAP/MSChap-v2 working with Cisco AP1231G Access points.
FreeRADIUS Version 1.1.3-r0.1.2 I have been using FreeRADIUS for some time now to do simple MAC authentication for the original implementation of our wireless network. This of course was a temporary solution and I am trying to move all of the users over to PEAP Authentication. I Have been unable to get the PEAP Authentication to work with MSChap-v2. All of my Access points are Cisco AP1231G Models. I am fairly new to FreeRADIUS, so I expect what I am doing wrong is going to be obvious to most but any advice would be welcomed. From what I can see it appears that the User-Password attribute may not be getting processed correctly as indicated by the following lines. auth: Failed to validate the user. Login incorrect: [C12660/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE I have included my debug output below. Terry Pelley Network Analyst Business and Learning Technologies Ottawa-Carleton District School Board Debug Output.########### Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=1, length=125 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x85aa28b563b14c66500cdbee3613d047 EAP-Message = 0x0202000b01433132363630 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 1 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x01030016110100082abab9994950d11b433132363630 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x734179eb51b60c489589265407691b5c Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=2, length=138 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x6c47bb7bdfb40f5047245b3ff39ad738 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x734179eb51b60c489589265407691b5c NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 2 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13c573d53e826031d83b6b1edc7b48a8 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=3, length=212 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x2a5655347310a8601241f7abe218f989 EAP-Message = 0x0204005019800000004616030100410100003d030146ea79da12620feb62ae90bcb89ee2fffe650b3c45bc 8ed6d684bc598d417eed00001600040005000a000900640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x13c573d53e826031d83b6b1edc7b48a8 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 09cd], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 3 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x0105040a19c000000a2a160301004a02000046030146ea79dbc0b72f7f465487ff478709f071de1d3b8b1e 9d6438ecd574a1f1f8922016808fabeeb491a841f8d0c02de86ed4e88a3b2234d8bb1991055ad1b2446c4a00040016030109cd0b0009c9 0009c60004f4308204f030820459a003020102020102300d06092a864886f70d01010405003081ad311a30180603550403131146726565 5241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65 772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b EAP-Message = 0x130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c79 40467265655241444955532e6e6574301e170d3036303431333031303830345a170d3136303431303031303030305a3081b1311e301c06 035504031315467265655241444955532e6e65742d536572766572310b3009060355040613025553310e300c06035504071305446f7665 72311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e65743116301406 0355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c EAP-Message = 0x6c7940467265655241444955532e6e657430819f300d06092a864886f70d010101050003818d0030818902 818100c52fed9c525523e090e52f74c1aa17e728f81326d6dc25fec0026a3b38d521f2c1534da84a50a71bfa98a73e41f1478ae2009823 4719694067607438c1b7729d1f83ba66d2f74def53d7b651446b1ca59be01e1d734e31ad3ab1baf2fac4bd42b3870fcb8de045f8c22c40 e549ce34d13facabff6dda49f3993d71b33951b3330203010001a382021830820214300c0603551d130101ff04023000301d0603551d0e 04160414deb8cba35c689399984553c2bb09245ffd24102f3081da0603551d230481d23081cf801468e090479d EAP-Message = 0x6ed81e03d598e1d67ce31a0f96ad36a181b3a481b03081ad311a3018060355040313114672656552414449 55532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e6577204861 6d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572 733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f04 04030202e4306f0603551d250468306606082b0601050507030106082b0601050507030206082b060105050703 EAP-Message = 0x0306082b0601050507030406082b0601050507030806 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5ff0a13a76110935f4f62436568f7102 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=4, length=138 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x9387267e436cd878e0b77dfa7e6a482e EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x5ff0a13a76110935f4f62436568f7102 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 4 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x010604061940082b0601050507030506082b0601050507030606082b0601050507030706082b0601050508 0202060a2b06010401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e65743025 0603551d12041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186f84201010404030202 c4302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d06092a864886f70d01 01040500038181007662b3b6b60fc4dd059c85c504e04f19d060660b72b0b2b0a70f99324f3f7499a81d0fc9be EAP-Message = 0xbe049e43e2838532195b27deba265f2a5b62da9d95a87c9e50ec264bd467e8db60f54ebeb9972228c05359 53e51baeb35ce908fa9e335e68d77a440074263ef771dd949c5312f4d985f6bcc9d3e0b8e32d7f1f83ddcb70e1929afc0004cc308204c8 30820431a003020102020101300d06092a864886f70d01010405003081ad311a301806035504031311467265655241444955532e6e6574 2d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d7073686972 6531173015060355040a130e467265655241444955532e6e657431163014060355040b130d4672656520546869 EAP-Message = 0x6e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955 532e6e6574301e170d3036303431333031303531325a170d3136303431303031303531325a3081ad311a30180603550403131146726565 5241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65 772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d4672656520546869 6e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e EAP-Message = 0x6e657430819f300d06092a864886f70d010101050003818d0030818902818100d9a1e9eb8dfc66796b854d 0dde4ce84379bc84f46fa7e2a8165d571d417f42bb482867554d44cccd69f9c0e463b97651d84d0470e58ffae406d9182f4b071e9ba481 75ea28f5b09ccef89ed7d05875ef188b05276682a2ff93f2b036af66394802207c829c43b388e24f71f315ef158061ccba5b27e4327b46 14e56f451ee2ad0203010001a38201f4308201f0300f0603551d130101ff040530030101ff301d0603551d0e0416041468e090479d6ed8 1e03d598e1d67ce31a0f96ad363081da0603551d230481d23081cf801468e090479d6ed81e03d598e1d67ce31a EAP-Message = 0x0f96ad36a181b3a481b03081ad311a301806 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05a71bebf0e68eb436ba851a1069c1e9 Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=5, length=138 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x53b6ff3e904ba17f428901174910de9f EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x05a71bebf0e68eb436ba851a1069c1e9 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 5 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x010702301900035504031311467265655241444955532e6e65742d4341310b300906035504061302555331 0e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e4672656552 41444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e 5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f040403020106306f0603551d250468306606082b06010505 07030106082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703080608 EAP-Message = 0x2b0601050507030506082b0601050507030606082b0601050507030706082b06010505080202060a2b0601 0401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186 f84201010404030200c7302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d 06092a864886f70d01010405000381810000674d1b82e8db81e5a6fdb44ba24f89738dc5954c777fa794282102a5a8b3376a39e2aadc4b e4d3833545cd0ea6fda3208a2a9ed4619f3dd71302f1327d4d65035933c1fc05b542ff65d9f971306a4b97932f EAP-Message = 0x283257f64f66c8947edd4f93ee7ccf279d826338e05dee101e2524fdbe3000a60605c1070d081b97da24da dbf316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x402ad25b6167d63f4d49a90417269d2a Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=6, length=324 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x90d4c8b0f49ded28f4259944626a11db EAP-Message = 0x020700c01980000000b61603010086100000820080a7578fd88aebb8530564dff4e840e9e373d47725cbb2 ea170409b8a5eceab4bfb3968fbebee32ed953c9e38be3aca01f10735d3d2540445022e36dd47e7dc5b7a5c0b1c270ee716fc75fbf7996 1a0120149faa656cf951961bfc94d1e92ae420c36cb14d2f0a14c3e538fdf37cf96f2553b370c205954251f4345795918cdfea14030100 01011603010020d8080d7bd1bd611040eb207b7ba5926cfb794b8967ea0302fe0ce8fdfda57483 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x402ad25b6167d63f4d49a90417269d2a NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 6 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x0108003119001403010001011603010020f1071c8236e6cdec340e80c204de51d422d9a394f3bb47548ebc 25dd26951588 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05f8c978699fcafe9a8b8257d497b7fe Finished request 5 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=7, length=138 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0xd6dd6119858638da70df2a9147c7a486 EAP-Message = 0x020800061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x05f8c978699fcafe9a8b8257d497b7fe NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 7 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x0109002019001703010015482065584b7c70bc8c6870baae24014341d756b1f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe78002ce41f0ccf2a79c28dc1d491876 Finished request 6 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=8, length=166 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x60a26279e0c87ed6ee707db18a9228c5 EAP-Message = 0x0209002219001703010017f07f268d447d7cd34ec25dcd533f63e527d6ddd4c6910a NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0xe78002ce41f0ccf2a79c28dc1d491876 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - C12660 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of C12660 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to C12660 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 8 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x010a00371900170301002cadd82261d07f090bdbebeda865056e11d059384fa1df810906df9559bd8005e3 77f38f07917424a3a61c80ce Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb97c77fadc7f0fe144db4c94230c406 Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 3 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=9, length=220 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0xb9cdb400a3aa33c86b387410714aa409 EAP-Message = 0x020a00581900170301004de1a29bdfb877e82649f8555a6271b0629e2e42f305702e520510148e1e7559a8 4b01030e9cdc6fd6bfc99edd4a99a625298df3077046688852a37e8de0f0450d92b423836558a5da2ef4d1e1d4 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0xbb97c77fadc7f0fe144db4c94230c406 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 88 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to C12660 PEAP: Adding old state with 89 38 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 65 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 8 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for C12660 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: leaving group MS-CHAP (returns reject) for request 8 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 8 modcall: leaving group authenticate (returns reject) for request 8 auth: Failed to validate the user. Login incorrect: [C12660/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 9 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x010b00261900170301001bffa738fbcf207d384d16215ca7b8b84af1e9931abfca58062618f4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09dc8afc60ab61b4a60d20c8118a9879 Finished request 8 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=10, length=170 User-Name = "C12660" Framed-MTU = 1400 Called-Station-Id = "0011.aaaa.17b0" Calling-Station-Id = "0004.1e45.382e" Service-Type = Login-User Message-Authenticator = 0x69506c8cf1653acc63c6025c65831643 EAP-Message = 0x020b00261900170301001beecc46bc9861adaac15f64eaa0510883ad1a144c17c697388f38b5 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 State = 0x09dc8afc60ab61b4a60d20c8118a9879 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "AP1231G" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "C12660", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 11 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry DEFAULT at line 875 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: leaving group authenticate (returns invalid) for request 9 auth: Failed to validate the user. Login incorrect: [C12660/<no User-Password attribute>] (from client OCDSB_HQ port 257 cli 0004.2350.382e) Delaying request 9 for 1 seconds Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 1 with timestamp 46ea79da Sending Access-Reject of id 10 to xxx.xxx.xxx.xxx port 1645 EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 2 with timestamp 46ea79db Cleaning up request 2 ID 3 with timestamp 46ea79db Cleaning up request 3 ID 4 with timestamp 46ea79db Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 5 with timestamp 46ea79dc Cleaning up request 5 ID 6 with timestamp 46ea79dc Cleaning up request 6 ID 7 with timestamp 46ea79dc Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 8 with timestamp 46ea79dd Cleaning up request 8 ID 9 with timestamp 46ea79dd Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 10 with timestamp 46ea79de Nothing to do. Sleeping until we see a request.
Terry Pelley wrote:
FreeRADIUS Version 1.1.3-r0.1.2
Hmm... it would be best to upgrade to 1.1.7, but that's a separate issue.
I am fairly new to FreeRADIUS, so I expect what I am doing wrong is going to be obvious to most but any advice would be welcomed. From what I can see it appears that the User-Password attribute may not be getting processed correctly as indicated by the following lines.
In 1.1.3, put the following at the TOP of the "users" file: bob User-Password := "bob" And then login via PEAP as that user. It should work. The problem is that the server hasn't been told a "known good" password for the user, so it can't authenticate them.
Ottawa-Carleton District School Board
Hmm... lived in that are for 30 years. Cold. Alan DeKok.
Hi,
I have been using FreeRADIUS for some time now to do simple MAC authentication for the original implementation of our wireless network. This of course was a temporary solution and I am trying to move all of the users over to PEAP Authentication.
okay. you'd be much better off with recent version of the server/daemon..but still. by the looks of it, almost everything is fine - barring the final check of the use r- HOW are you attempting to authorise the users? I ask because the main issue i see from debug is
rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 8 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for C12660 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: leaving group MS-CHAP (returns reject) for request 8 rlm_eap: Freeing handler
this means the inner tunnel part of the PEAP (MSCHAPv2) is failing because it knows not the way of dealing with the password supplied (if any!) so, you can either put a password into a DB or plain file (users) or you can use eg ntlm_auth to so a challenge response check alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Terry Pelley