Hi, I'm using freeradius 2.1.12 with mysql module (freeradius-mysql) I want to authenticate users by MAC address, so in radcheck table I set the attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user can't authenticate, when I delete this row, user can authenticate perfectly, so it seems this is not the way I should configure server to perform MAC authentication. Could somebody help me with this? Thanks [this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}: rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c0164707275656261 Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 158 to 10.25.4.250 port 44145 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010100160410ce619bb1b16b584f4a55e298b518b595 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa65090b9e5aa8a871ea68523 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=159, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060319 State = 0xa65194aaa65090b9e5aa8a871ea68523 Message-Authenticator = 0x49e2f93415e6ffa01f754feda2629bd6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 159 to 10.25.4.250 port 44145 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa7538db9e5aa8a871ea68523 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=160, length=364 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020200c81980000000be16030100b9010000b503015638bd689d9c6ee8b3f1a8853b65c2d8594789b893023905f46fa838fdcda289000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0xa65194aaa7538db9e5aa8a871ea68523 Message-Authenticator = 0x4120527dda65730b1f014fa03c973746 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 200 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 190 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02c8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 160 to 10.25.4.250 port 44145 EAP-Message = 0x0103040019c0000004641603010039020000350301e349bb58d1d3295ec527d76a7eebdca2d3fb2ae4cfac72f973ffbcff62a77a9b00c01400000dff01000100000b00040300010216030102c80b0002c40002c10002be308202ba308201a2a003020102020900ce69d09555557538300d06092a864886f70d01010b05003015311330110603550403130a77696669726164697573301e170d3135313032393135313530325a170d3235313032363135313530325a3015311330110603550403130a7769666972616469757330820122300d06092a864886f70d01010105000382010f003082010a02820101009c1433a91142092dabc37d5325c8eeb6 EAP-Message = 0x056e5c2013b734155ed595d570443d4b9a775fff03d74f88a6f77c3a77dd9339394d356639a69ff20868d94749a4683d0a7d72b13bf305c6fb760f1779401d713c872f90ed68c957f9f5c83d78be375233516f99c8e24fd6be6f98e804a00ad929b5681112ff83fb0d89b33aa9ce1e3406c05676b25eb62ffecd39f17361184a3e7438f6a83738c69a31285ebde0025a9fddbab018c07007d979dfd14bccd171f3994dde09244972aa69a2227fd4af075490577d77d6997c4b4e543872e5adc5860c356203e996f8eda8e90633078f60f24529efc19a311206e5e519517aa9b64d224416b4d27bd5daf5ffe66772cc710203010001a30d300b30090603 EAP-Message = 0x551d1304023000300d06092a864886f70d01010b050003820101001eb333a9023182bea3f5cff9d9bb6f237209706cd1b8aa42db6a1e2505f0355d5aab0e49640191fbc54464fd8bdaad9ac8633650c99178c78d09d9b9db9971c98b6283999da38050e411a9049eb93c355cd913f792795957e37e3376ec144d8de7bf6d434e3450029dc669a4ea176aeddfb612f280cc5a44ed86ecf0bb6b932b962f9b075eb63eb10af2e425f0909836cca41706f236d058fc7f50953ee08fbfd43bed06151eb2dbe1eb3184fe72b4f18ae17bfb5c2581b181fa260ab7c86837f9f748c9694a5db35ced09c94ef5e936659b1cc8e99d2b0d78abf8c03022c5c06d87 EAP-Message = 0x3d9820712b41eeabe4600486644990bc34b49890a14c0a2ffb9dc60483cf160301014b0c0001470300174104bb1283b8643e3a221a317f23a50a31b91f0799d4a8bebf1893b54c405da7cfa4cd07033b70a12d18c761eb1e11d6d4d7b967704f91dfc93ecf68d6642d019e5f01002cfc8504d595106cf4add50a3f5b31bf94daa316072eb0bb2f6e2883763a4918ae23c5f18c16d3ce50b86e3c3834882a874b5c25cc96d55b100b826e87267ec61b627c8846c2740fe2a5b33e241eff469723ac7d6bc838ae8e7145ab8c3b40e5c148e48e3af994b76f2cc1a8e3a63337b8acf961bd6c8f0724a902470a0f5d52c50d017556f75b5aa427a49af80e21 EAP-Message = 0x3f55b8c20d939065e7bf45cf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa4528db9e5aa8a871ea68523 Finished request 38. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=161, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020300061900 State = 0xa65194aaa4528db9e5aa8a871ea68523 Message-Authenticator = 0xe8ae7aafbf65523d200ffe429c2a66c0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 161 to 10.25.4.250 port 44145 EAP-Message = 0x0104007419001aeaaf3170c28c77913b4c33a2dc5c4386afd7f37111872be8af7d575e4b323a56a89f84122b92b22f77f88514a1ac593d3e885beea192f419e198caaaab64e37478cb4f40365cbee9fb50eb0dabbecde54aae6482c7aab720d5006138438a26acbca734bc16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa5558db9e5aa8a871ea68523 Finished request 39. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=162, length=308 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0204009019800000008616030100461000004241045751461749561a2d5d3194b5e79d548e8933be5aa103414fc3316cdfd2d30edab44a349495eecd34490465dc08f3270bf3ac231bcdedb40158cad7d15525d1b51403010001011603010030f69b46babe879f7a06ef536a075e1c7b034f341fae14fa451570db3c7767ebc66cbec2db5bb2dc58c6cabdf2700bc777 State = 0xa65194aaa5558db9e5aa8a871ea68523 Message-Authenticator = 0xf96563cc6ba01abaa1048cfff4efd9d0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 162 to 10.25.4.250 port 44145 EAP-Message = 0x0105004119001403010001011603010030026f349689fa5da4363102163d0dd8908f1b5847d21dc1f95bbf9377d897232d5477a431b68c6d561f47c34ea8b3c2d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa2548db9e5aa8a871ea68523 Finished request 40. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=163, length=170 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020500061900 State = 0xa65194aaa2548db9e5aa8a871ea68523 Message-Authenticator = 0x00bd0e39e83e214fb866c735ff089d2b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 163 to 10.25.4.250 port 44145 EAP-Message = 0x0106002b190017030100208c4dccbdfac51bb4b216b385ee7d974f9e675fe16104eb4274dfc9bb5f263ca6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa3578db9e5aa8a871ea68523 Finished request 41. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=164, length=244 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02060050190017030100203f864e1a350a312975bdbbfcaf7ff2021d133bcb969b27210179851fc1ccb40b17030100206e0599cf15687f6c43aa33ec532c67e0ddc39ccb74fc3adb2473376d3b5bcb85 State = 0xa65194aaa3578db9e5aa8a871ea68523 Message-Authenticator = 0x14b99b8e5853b55670f8936e949ae9cd # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - dprueba [peap] Got inner identity 'dprueba' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c0164707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x0206000c0164707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138ded3d138af7a13ad2c8138d486583 [peap] Got tunneled reply RADIUS code 11 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 EAP-Message = 0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138ded3d138af7a13ad2c8138d486583 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 164 to 10.25.4.250 port 44145 EAP-Message = 0x0107004b19001703010040bdef2d38678359432d6266c8d7f420ba14921ee87fd862a0a7257e539659dcc0bec990abad261b9f26bbe5db1ac85bd262bf5de6fb73e3ae326f294d6060c824 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa0568db9e5aa8a871ea68523 Finished request 42. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=165, length=308 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0207009019001703010020acb86b95706efaa775287c058b069664408382577b67bb85dbf0b0799c35f099170301006048783d63d8d53df67cc63b4e341b204c0b332e503cda2f22d44cef5660f2d60d0622885dd9e96b86e2a8948f60bfc5453e48eaaa1b118be663680db9d6de04cb9a9730bcdc7387e8f391ac68206356df81cb4e9d10e10835ef2ddd691ac730a6 State = 0xa65194aaa0568db9e5aa8a871ea68523 Message-Authenticator = 0x4773d1a02e02785f3c640a863b235080 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba" State = 0x138ded3d138af7a13ad2c8138d486583 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dprueba [sql] sql_set_user escaped user --> 'dprueba' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dprueba' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi' ORDER BY id [sql] User found in group wifi [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: dprueba [mschap] Told to do MS-CHAPv2 for dprueba with NT-Password *[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.[mschap] FAILED: MS-CHAP2-Response is incorrec*t ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Service-Type := Framed-User MS-Primary-DNS-Server := 10.25.1.10 Framed-IP-Netmask := 255.255.255.255 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 165 to 10.25.4.250 port 44145 EAP-Message = 0x0108002b190017030100200f7edf20af25286e24f0a1ec03a04a5e4b893e385955244fa3c44457b30c81cb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa65194aaa1598db9e5aa8a871ea68523 Finished request 43. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=166, length=244 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0208005019001703010020a60874f0b621b855a82de262f1330ac8a1b05f4708527620f981ef3722e3b1cf170301002006ae0d5ee86405c776ba893bd138d82d811bcf6916da13d0681a9d327692ef1b State = 0xa65194aaa1598db9e5aa8a871ea68523 Message-Authenticator = 0xa8b1ee9f9adf7785813d07e9b14f55a9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dprueba", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. *[peap] Peap state send tlv failure* [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dprueba attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 44 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 44 Sending Access-Reject of id 166 to 10.25.4.250 port 44145 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 36 ID 158 with timestamp +40 Cleaning up request 37 ID 159 with timestamp +40 Cleaning up request 38 ID 160 with timestamp +40 Cleaning up request 39 ID 161 with timestamp +40 Cleaning up request 40 ID 162 with timestamp +40 Cleaning up request 41 ID 163 with timestamp +40 Cleaning up request 42 ID 164 with timestamp +40 Cleaning up request 43 ID 165 with timestamp +40 Waking up in 1.0 seconds. Cleaning up request 44 ID 166 with timestamp +41 Ready to process requests.
On Nov 3, 2015, at 9:04 AM, Daniel Lopez <danilogo1991@gmail.com> wrote:
Hi, I'm using free radius 2.1.12
Ugh. Upgrade.
with mysql module (freeradius-mysql) I want to authenticate users by MAC address, so in radcheck table I set the attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user can't authenticate, when I delete this row, user can authenticate perfectly, so it seems this is not the way I should configure server to perform MAC authentication. Could somebody help me with this?
Reading the debug output usually helps.
[this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}:
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c0164707275656261 Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a
That is the OUTER authentication session. ...
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table
Which is clear. The server prints out these SQL queries so you can check them for yourself. ... and lots of debug output later, we have the INNER session
[peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c0164707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x0206000c0164707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba"
Note: No Calling-Station-Id. Please *read* raddb/eap.conf. Look for "copy_request_to_tunnel". This is documented.
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel ... [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id
And note there's no "user found in radcheck" message. Because there's no Calling-Station-Id attribute in the inner tunnel. Alan DeKok.
Exelent, It was that, you were a great help, thanks a lot. 2015-11-03 9:17 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Nov 3, 2015, at 9:04 AM, Daniel Lopez <danilogo1991@gmail.com> wrote:
Hi, I'm using free radius 2.1.12
Ugh. Upgrade.
with mysql module (freeradius-mysql) I want to authenticate users by MAC address, so in radcheck table I set the attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user can't authenticate, when I delete this row, user can authenticate perfectly, so it seems this is not the way I should configure server to perform MAC authentication. Could somebody help me with this?
Reading the debug output usually helps.
[this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}:
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c0164707275656261 Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a
That is the OUTER authentication session.
...
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table
Which is clear. The server prints out these SQL queries so you can check them for yourself.
... and lots of debug output later, we have the INNER session
[peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c0164707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x0206000c0164707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba"
Note: No Calling-Station-Id.
Please *read* raddb/eap.conf. Look for "copy_request_to_tunnel".
This is documented.
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel ... [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id
And note there's no "user found in radcheck" message.
Because there's no Calling-Station-Id attribute in the inner tunnel.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Daniel Lopez