Attribute "User-Password" is required for authentication
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get: rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user. Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending. -Kevin
Sorry, 10.1.22.10 is the ip of my 3com. rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds... Kevin Bonner wrote:
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server swich to one that's needed. Ivan Kalik Kalik Informatika ISP Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Sorry, 10.1.22.10 is the ip of my 3com.
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds...
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kevin Bonner wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oh, I had "Default auth-type := pam" in users. I removed that line and get a much longer debug output when I try to connect with the xp machine to the wireless. radtest fails with this message "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. I have a feeling something is wrong with my eap.conf, I have debug below, any input would be appreciated. eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no md5 { } gtc { auth_type = PAP } tls { private_key_password = testing123 private_key_file = ${dbdir}/certs/pem/server.pem certificate_file = ${dbdir}/certs/pem/server.pem CA_file = /etc/raddb/certs/pem/root.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } ttls { default_eap_type = md5 } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } } users: DEFAULT Service-Type == Framed-User Framed-Protocol == PPP, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.1.22.10 port 2626 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 10.1.22.10 port 2626 EAP-Message = 0x0102040a19c00000054f160301004a0200004603014676f843d803483c15d36e93f5903c5cc8e52cbb90fc704442d65da40223da252005d814e7158dcfd27bf3ca5c85ae01dd827440aee3ab5505601792296939c1e400040016030104f20b0004ee0004eb000237308202333082019ca003020102020108300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303533315a170d3038303631373135303533315a3063310b3009060355040613025553310e EAP-Message = 0x300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d311e301c060355040313156a7573746963652e697466726565646f6d2e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009e6c73fe997b3baf2228a324bbb2f80c3ffeab664c08c2894e57a3c38cb5fc8d7299f642c27381fecf697b41b086f496fccc8153a6ac97654b560c49dda4115a56c66ea4e024678a787eabcf507a4d46b811aa27740106137123510fe0959c5bd8e0260a418ef4d7252a90054aa4f60d800cbef287370213a413e90f73b7acef0203010001a3173015301306 EAP-Message = 0x03551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100acc5695fa41984981e249e0631d35841f88973893c13a2e6830367d1304fbf4713b4618265bf5f5fb77b36a79c75e80a6f00dc89b2b78bfa26c4ff48e58d9e090362c60fb4aa414b5a570f2f5740ca2d983aa2183e29c6413e610bd87e0edad1a7efaffbbab3ec06b4c4f775ca04660df1b09f654d6f61b67af23ad5098e37440002ae308202aa30820213a0030201020209008830ae147680554c300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374 EAP-Message = 0x696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303435315a170d3137303631353135303435315a3043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5acdaf11ba8a3d0201544c60b08411c4a9e8fd2daf55c967d4918da50faa20b7301746d128f26d49e62cfa694be25f6ee5fd067db4aaa851a0f85e49ce5180377d981a35b5869aa4cb1a325b5fbb19efcde699ee112028503f0a8ba21cf36d2a55765a2 EAP-Message = 0x8bcf453bc58cbc621f2c93bffa3c802435d0ef96af8f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb7e976ee5b705e695f599c38b37c3ff Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=2, length=196 Message-Authenticator = 0xfe7be571e4388b7f6070941972326855 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xdb7e976ee5b705e695f599c38b37c3ff Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 10.1.22.10 port 2626 EAP-Message = 0x01030155190041c9f615db2b0203010001a381a53081a2301d0603551d0e04160414c7c37e5eb8041d453578465052e5ee5064d4778630730603551d23046c306a8014c7c37e5eb8041d453578465052e5ee5064d47786a147a4453043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d8209008830ae147680554c300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006a97ee175a18622c2bace0c431706ec598f7ea3766cb8f7980ebcc0e2ec7138e2ed6c08f598f27c2e0a22ab81e48127aeb EAP-Message = 0x730816c95730f262d998622fef7ab67085b11171fcf91eedc0c722978688b4d95cc733f75cc8129c379c68664c1d4b25f86f4bfe077e3f816874b5164236b79ad98f7f21bff654afa0f389c860452416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=3, length=382 Message-Authenticator = 0x4fcb37f77d06f6b896b44d378446425a Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300c01980000000b61603010086100000820080035f438a01efd8ab7c7a294a61aa7e875d7f06a8b634a2a73a3ec20b5069ec4dc0137747833e1252a070c6a3ce81917fd9dd1b712aaccd042e95790c91f15f1dd2408872453cb91d824630458d5b1546a2c60bcaee1207ddc57472ffc6afe456a82c452e1b3efc2f786ed598851a0a86be44c9dd31ba87d5c21cba7ef7e30d3a1403010001011603010020b3d94931dfd1413c9c4cb7248eaa9bfa185de0ce13cda40c4b717e7ac0271ba8 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.1.22.10 port 2626 EAP-Message = 0x0104003119001403010001011603010020935e4cc86eaaa1072ebd4e4c8e29ec031c939675d0c8c4d896dd671395d3fa1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd79c6820132ebef7cf1548ab25a93afa Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=4, length=196 Message-Authenticator = 0x4064e5721fc1c83e994ee45dc66e4fb4 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xd79c6820132ebef7cf1548ab25a93afa Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.1.22.10 port 2626 EAP-Message = 0x0105002019001703010015182fff1e23fe4e9d74e4dd55b6a10b80d9cb1b6f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x890db137000563152da88540de2781e1 Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=5, length=226 Message-Authenticator = 0x7ad74000bf14f349569c0ccfb1540c0d Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x890db137000563152da88540de2781e1 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205002419001703010019125b45ef09a64c9d64c8b7704291bcf4e8b811339b0138b716 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 36 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - cjarrett rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0205000d01636a617272657474 PEAP: Got tunneled identity of cjarrett PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cjarrett PEAP: Sending tunneled request EAP-Message = 0x0205000d01636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Processing from tunneled session code 0x9c06760 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.1.22.10 port 2626 EAP-Message = 0x010600391900170301002ef2c5b8b197e6c26f51f804007aeffa9201509b57c8efb035180baa21bb94725c31867049409c85079be2e3428678 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Finished request 5 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=6, length=280 Message-Authenticator = 0xc08fd8e4919b60e5bd7e5470be52c475 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206005a1900170301004f9d20dcfecf2d949b98e83b0ef8ed9db381e1102982367126820039e03f3c11fb6d43998ca6a01e65a19e9ea7d823bd743bd8eb1d732d8dae19c82f39c08ad02e9d63fe13d0c25900ac075cdc3ada61 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 90 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 PEAP: Setting User-Name to cjarrett PEAP: Adding old state with 6a 69 PEAP: Sending tunneled request EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" State = 0x6a6983e73566293debc28f9785f4ba2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cjarrett with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x9c06198 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 10.1.22.10 port 2626 EAP-Message = 0x010700261900170301001bf1f9bd115db78bcad8de732871f5282e1a0754b687ddc300965f0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5dd00772486e492f840877441be62 Finished request 6 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Message-Authenticator = 0x55ab371942148ebc1eed6c3b87d626de Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x56c5dd00772486e492f840877441be62 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001b4fbf51c05fb105bb02792f87fba4e8cd787ff2beafe7d334716e53 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Sending Access-Reject of id 7 to 10.1.22.10 port 2626 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4676f842 Waking up in 1 seconds... tnt@kalik.co.yu wrote:
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server swich to one that's needed.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Sorry, 10.1.22.10 is the ip of my 3com.
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds...
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong? Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kevin Bonner wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And where is your user/pass stored? It's not in users file and I don't see any database configured. Ivan Kalik Kalik Informatika ISP Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Oh, I had "Default auth-type := pam" in users. I removed that line and get a much longer debug output when I try to connect with the xp machine to the wireless. radtest fails with this message "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. I have a feeling something is wrong with my eap.conf, I have debug below, any input would be appreciated.
eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no md5 { }
gtc { auth_type = PAP } tls { private_key_password = testing123 private_key_file = ${dbdir}/certs/pem/server.pem certificate_file = ${dbdir}/certs/pem/server.pem CA_file = /etc/raddb/certs/pem/root.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } ttls { default_eap_type = md5 } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } }
users: DEFAULT Service-Type == Framed-User Framed-Protocol == PPP, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.1.22.10 port 2626 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 10.1.22.10 port 2626 EAP-Message = 0x0102040a19c00000054f160301004a0200004603014676f843d803483c15d36e93f5903c5cc8e52cbb90fc704442d65da40223da252005d814e7158dcfd27bf3ca5c85ae01dd827440aee3ab5505601792296939c1e400040016030104f20b0004ee0004eb000237308202333082019ca003020102020108300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303533315a170d3038303631373135303533315a3063310b3009060355040613025553310e EAP-Message = 0x300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d311e301c060355040313156a7573746963652e697466726565646f6d2e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009e6c73fe997b3baf2228a324bbb2f80c3ffeab664c08c2894e57a3c38cb5fc8d7299f642c27381fecf697b41b086f496fccc8153a6ac97654b560c49dda4115a56c66ea4e024678a787eabcf507a4d46b811aa27740106137123510fe0959c5bd8e0260a418ef4d7252a90054aa4f60d800cbef287370213a413e90f73b7acef0203010001a3173015301306 EAP-Message = 0x03551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100acc5695fa41984981e249e0631d35841f88973893c13a2e6830367d1304fbf4713b4618265bf5f5fb77b36a79c75e80a6f00dc89b2b78bfa26c4ff48e58d9e090362c60fb4aa414b5a570f2f5740ca2d983aa2183e29c6413e610bd87e0edad1a7efaffbbab3ec06b4c4f775ca04660df1b09f654d6f61b67af23ad5098e37440002ae308202aa30820213a0030201020209008830ae147680554c300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374 EAP-Message = 0x696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303435315a170d3137303631353135303435315a3043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5acdaf11ba8a3d0201544c60b08411c4a9e8fd2daf55c967d4918da50faa20b7301746d128f26d49e62cfa694be25f6ee5fd067db4aaa851a0f85e49ce5180377d981a35b5869aa4cb1a325b5fbb19efcde699ee112028503f0a8ba21cf36d2a55765a2 EAP-Message = 0x8bcf453bc58cbc621f2c93bffa3c802435d0ef96af8f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb7e976ee5b705e695f599c38b37c3ff Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=2, length=196 Message-Authenticator = 0xfe7be571e4388b7f6070941972326855 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xdb7e976ee5b705e695f599c38b37c3ff Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 10.1.22.10 port 2626 EAP-Message = 0x01030155190041c9f615db2b0203010001a381a53081a2301d0603551d0e04160414c7c37e5eb8041d453578465052e5ee5064d4778630730603551d23046c306a8014c7c37e5eb8041d453578465052e5ee5064d47786a147a4453043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d8209008830ae147680554c300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006a97ee175a18622c2bace0c431706ec598f7ea3766cb8f7980ebcc0e2ec7138e2ed6c08f598f27c2e0a22ab81e48127aeb EAP-Message = 0x730816c95730f262d998622fef7ab67085b11171fcf91eedc0c722978688b4d95cc733f75cc8129c379c68664c1d4b25f86f4bfe077e3f816874b5164236b79ad98f7f21bff654afa0f389c860452416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=3, length=382 Message-Authenticator = 0x4fcb37f77d06f6b896b44d378446425a Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300c01980000000b61603010086100000820080035f438a01efd8ab7c7a294a61aa7e875d7f06a8b634a2a73a3ec20b5069ec4dc0137747833e1252a070c6a3ce81917fd9dd1b712aaccd042e95790c91f15f1dd2408872453cb91d824630458d5b1546a2c60bcaee1207ddc57472ffc6afe456a82c452e1b3efc2f786ed598851a0a86be44c9dd31ba87d5c21cba7ef7e30d3a1403010001011603010020b3d94931dfd1413c9c4cb7248eaa9bfa185de0ce13cda40c4b717e7ac0271ba8 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.1.22.10 port 2626 EAP-Message = 0x0104003119001403010001011603010020935e4cc86eaaa1072ebd4e4c8e29ec031c939675d0c8c4d896dd671395d3fa1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd79c6820132ebef7cf1548ab25a93afa Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=4, length=196 Message-Authenticator = 0x4064e5721fc1c83e994ee45dc66e4fb4 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xd79c6820132ebef7cf1548ab25a93afa Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.1.22.10 port 2626 EAP-Message = 0x0105002019001703010015182fff1e23fe4e9d74e4dd55b6a10b80d9cb1b6f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x890db137000563152da88540de2781e1 Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=5, length=226 Message-Authenticator = 0x7ad74000bf14f349569c0ccfb1540c0d Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x890db137000563152da88540de2781e1 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205002419001703010019125b45ef09a64c9d64c8b7704291bcf4e8b811339b0138b716 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 36 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - cjarrett rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0205000d01636a617272657474 PEAP: Got tunneled identity of cjarrett PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cjarrett PEAP: Sending tunneled request EAP-Message = 0x0205000d01636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Processing from tunneled session code 0x9c06760 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.1.22.10 port 2626 EAP-Message = 0x010600391900170301002ef2c5b8b197e6c26f51f804007aeffa9201509b57c8efb035180baa21bb94725c31867049409c85079be2e3428678 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Finished request 5 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=6, length=280 Message-Authenticator = 0xc08fd8e4919b60e5bd7e5470be52c475 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206005a1900170301004f9d20dcfecf2d949b98e83b0ef8ed9db381e1102982367126820039e03f3c11fb6d43998ca6a01e65a19e9ea7d823bd743bd8eb1d732d8dae19c82f39c08ad02e9d63fe13d0c25900ac075cdc3ada61 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 90 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 PEAP: Setting User-Name to cjarrett PEAP: Adding old state with 6a 69 PEAP: Sending tunneled request EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" State = 0x6a6983e73566293debc28f9785f4ba2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cjarrett with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x9c06198 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 10.1.22.10 port 2626 EAP-Message = 0x010700261900170301001bf1f9bd115db78bcad8de732871f5282e1a0754b687ddc300965f0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5dd00772486e492f840877441be62 Finished request 6 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Message-Authenticator = 0x55ab371942148ebc1eed6c3b87d626de Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x56c5dd00772486e492f840877441be62 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001b4fbf51c05fb105bb02792f87fba4e8cd787ff2beafe7d334716e53 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Sending Access-Reject of id 7 to 10.1.22.10 port 2626 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4676f842 Waking up in 1 seconds...
tnt@kalik.co.yu wrote:
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server swich to one that's needed.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Sorry, 10.1.22.10 is the ip of my 3com.
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds...
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong? Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kevin Bonner wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
And where is your user/pass stored? It's not in users file and I don't see any database configured.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Oh, I had "Default auth-type := pam" in users. I removed that line and get a much longer debug output when I try to connect with the xp machine to the wireless. radtest fails with this message "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. I have a feeling something is wrong with my eap.conf, I have debug below, any input would be appreciated.
eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no md5 { }
gtc { auth_type = PAP } tls { private_key_password = testing123 private_key_file = ${dbdir}/certs/pem/server.pem certificate_file = ${dbdir}/certs/pem/server.pem CA_file = /etc/raddb/certs/pem/root.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } ttls { default_eap_type = md5 } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } }
users: DEFAULT Service-Type == Framed-User Framed-Protocol == PPP, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.1.22.10 port 2626 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 10.1.22.10 port 2626 EAP-Message = 0x0102040a19c00000054f160301004a0200004603014676f843d803483c15d36e93f5903c5cc8e52cbb90fc704442d65da40223da252005d814e7158dcfd27bf3ca5c85ae01dd827440aee3ab5505601792296939c1e400040016030104f20b0004ee0004eb000237308202333082019ca003020102020108300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303533315a170d3038303631373135303533315a3063310b3009060355040613025553310e EAP-Message = 0x300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d311e301c060355040313156a7573746963652e697466726565646f6d2e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009e6c73fe997b3baf2228a324bbb2f80c3ffeab664c08c2894e57a3c38cb5fc8d7299f642c27381fecf697b41b086f496fccc8153a6ac97654b560c49dda4115a56c66ea4e024678a787eabcf507a4d46b811aa27740106137123510fe0959c5bd8e0260a418ef4d7252a90054aa4f60d800cbef287370213a413e90f73b7acef0203010001a3173015301306 EAP-Message = 0x03551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100acc5695fa41984981e249e0631d35841f88973893c13a2e6830367d1304fbf4713b4618265bf5f5fb77b36a79c75e80a6f00dc89b2b78bfa26c4ff48e58d9e090362c60fb4aa414b5a570f2f5740ca2d983aa2183e29c6413e610bd87e0edad1a7efaffbbab3ec06b4c4f775ca04660df1b09f654d6f61b67af23ad5098e37440002ae308202aa30820213a0030201020209008830ae147680554c300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374 EAP-Message = 0x696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303435315a170d3137303631353135303435315a3043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5acdaf11ba8a3d0201544c60b08411c4a9e8fd2daf55c967d4918da50faa20b7301746d128f26d49e62cfa694be25f6ee5fd067db4aaa851a0f85e49ce5180377d981a35b5869aa4cb1a325b5fbb19efcde699ee112028503f0a8ba21cf36d2a55765a2 EAP-Message = 0x8bcf453bc58cbc621f2c93bffa3c802435d0ef96af8f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb7e976ee5b705e695f599c38b37c3ff Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=2, length=196 Message-Authenticator = 0xfe7be571e4388b7f6070941972326855 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xdb7e976ee5b705e695f599c38b37c3ff Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 10.1.22.10 port 2626 EAP-Message = 0x01030155190041c9f615db2b0203010001a381a53081a2301d0603551d0e04160414c7c37e5eb8041d453578465052e5ee5064d4778630730603551d23046c306a8014c7c37e5eb8041d453578465052e5ee5064d47786a147a4453043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d8209008830ae147680554c300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006a97ee175a18622c2bace0c431706ec598f7ea3766cb8f7980ebcc0e2ec7138e2ed6c08f598f27c2e0a22ab81e48127aeb EAP-Message = 0x730816c95730f262d998622fef7ab67085b11171fcf91eedc0c722978688b4d95cc733f75cc8129c379c68664c1d4b25f86f4bfe077e3f816874b5164236b79ad98f7f21bff654afa0f389c860452416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=3, length=382 Message-Authenticator = 0x4fcb37f77d06f6b896b44d378446425a Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300c01980000000b61603010086100000820080035f438a01efd8ab7c7a294a61aa7e875d7f06a8b634a2a73a3ec20b5069ec4dc0137747833e1252a070c6a3ce81917fd9dd1b712aaccd042e95790c91f15f1dd2408872453cb91d824630458d5b1546a2c60bcaee1207ddc57472ffc6afe456a82c452e1b3efc2f786ed598851a0a86be44c9dd31ba87d5c21cba7ef7e30d3a1403010001011603010020b3d94931dfd1413c9c4cb7248eaa9bfa185de0ce13cda40c4b717e7ac0271ba8 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.1.22.10 port 2626 EAP-Message = 0x0104003119001403010001011603010020935e4cc86eaaa1072ebd4e4c8e29ec031c939675d0c8c4d896dd671395d3fa1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd79c6820132ebef7cf1548ab25a93afa Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=4, length=196 Message-Authenticator = 0x4064e5721fc1c83e994ee45dc66e4fb4 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xd79c6820132ebef7cf1548ab25a93afa Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.1.22.10 port 2626 EAP-Message = 0x0105002019001703010015182fff1e23fe4e9d74e4dd55b6a10b80d9cb1b6f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x890db137000563152da88540de2781e1 Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=5, length=226 Message-Authenticator = 0x7ad74000bf14f349569c0ccfb1540c0d Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x890db137000563152da88540de2781e1 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205002419001703010019125b45ef09a64c9d64c8b7704291bcf4e8b811339b0138b716 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 36 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - cjarrett rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0205000d01636a617272657474 PEAP: Got tunneled identity of cjarrett PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cjarrett PEAP: Sending tunneled request EAP-Message = 0x0205000d01636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Processing from tunneled session code 0x9c06760 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.1.22.10 port 2626 EAP-Message = 0x010600391900170301002ef2c5b8b197e6c26f51f804007aeffa9201509b57c8efb035180baa21bb94725c31867049409c85079be2e3428678 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Finished request 5 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=6, length=280 Message-Authenticator = 0xc08fd8e4919b60e5bd7e5470be52c475 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206005a1900170301004f9d20dcfecf2d949b98e83b0ef8ed9db381e1102982367126820039e03f3c11fb6d43998ca6a01e65a19e9ea7d823bd743bd8eb1d732d8dae19c82f39c08ad02e9d63fe13d0c25900ac075cdc3ada61 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 90 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 PEAP: Setting User-Name to cjarrett PEAP: Adding old state with 6a 69 PEAP: Sending tunneled request EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" State = 0x6a6983e73566293debc28f9785f4ba2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cjarrett with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x9c06198 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 10.1.22.10 port 2626 EAP-Message = 0x010700261900170301001bf1f9bd115db78bcad8de732871f5282e1a0754b687ddc300965f0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5dd00772486e492f840877441be62 Finished request 6 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Message-Authenticator = 0x55ab371942148ebc1eed6c3b87d626de Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x56c5dd00772486e492f840877441be62 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001b4fbf51c05fb105bb02792f87fba4e8cd787ff2beafe7d334716e53 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Sending Access-Reject of id 7 to 10.1.22.10 port 2626 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4676f842 Waking up in 1 seconds...
tnt@kalik.co.yu wrote:
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server swich to one that's needed.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Sorry, 10.1.22.10 is the ip of my 3com.
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds...
Kevin Bonner wrote:
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user.
Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Password has to be in plaintext, or ntPassword (md4(unicode(passphrase)) for PEAP. Inner encryption module used for authentication is usually MSCHAPv2 which will search for the check items NT-Password / Cleartext-Password. You must provide these from a database/directory/configuration file.
Arran Cudbard-Bell wrote:
tnt@kalik.co.yu wrote:
And where is your user/pass stored? It's not in users file and I don't see any database configured.
I originally had "Default Auth-type := pam" but I removed that. Users are stored in an ldap database and I am basically trying to get radius to use pam for auth info, is this wrong? I don't understand how radius will use pam if I don't specify it somewhere.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Oh, I had "Default auth-type := pam" in users. I removed that line and get a much longer debug output when I try to connect with the xp machine to the wireless. radtest fails with this message "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. I have a feeling something is wrong with my eap.conf, I have debug below, any input would be appreciated.
eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no md5 { }
gtc { auth_type = PAP } tls { private_key_password = testing123 private_key_file = ${dbdir}/certs/pem/server.pem certificate_file = ${dbdir}/certs/pem/server.pem CA_file = /etc/raddb/certs/pem/root.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } ttls { default_eap_type = md5 } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } }
users: DEFAULT Service-Type == Framed-User Framed-Protocol == PPP, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.1.22.10 port 2626 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 10.1.22.10 port 2626 EAP-Message = 0x0102040a19c00000054f160301004a0200004603014676f843d803483c15d36e93f5903c5cc8e52cbb90fc704442d65da40223da252005d814e7158dcfd27bf3ca5c85ae01dd827440aee3ab5505601792296939c1e400040016030104f20b0004ee0004eb000237308202333082019ca003020102020108300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303533315a170d3038303631373135303533315a3063310b3009060355040613025553310e EAP-Message = 0x300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d311e301c060355040313156a7573746963652e697466726565646f6d2e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009e6c73fe997b3baf2228a324bbb2f80c3ffeab664c08c2894e57a3c38cb5fc8d7299f642c27381fecf697b41b086f496fccc8153a6ac97654b560c49dda4115a56c66ea4e024678a787eabcf507a4d46b811aa27740106137123510fe0959c5bd8e0260a418ef4d7252a90054aa4f60d800cbef287370213a413e90f73b7acef0203010001a3173015301306 EAP-Message = 0x03551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100acc5695fa41984981e249e0631d35841f88973893c13a2e6830367d1304fbf4713b4618265bf5f5fb77b36a79c75e80a6f00dc89b2b78bfa26c4ff48e58d9e090362c60fb4aa414b5a570f2f5740ca2d983aa2183e29c6413e610bd87e0edad1a7efaffbbab3ec06b4c4f775ca04660df1b09f654d6f61b67af23ad5098e37440002ae308202aa30820213a0030201020209008830ae147680554c300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374 EAP-Message = 0x696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303435315a170d3137303631353135303435315a3043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5acdaf11ba8a3d0201544c60b08411c4a9e8fd2daf55c967d4918da50faa20b7301746d128f26d49e62cfa694be25f6ee5fd067db4aaa851a0f85e49ce5180377d981a35b5869aa4cb1a325b5fbb19efcde699ee112028503f0a8ba21cf36d2a55765a2 EAP-Message = 0x8bcf453bc58cbc621f2c93bffa3c802435d0ef96af8f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb7e976ee5b705e695f599c38b37c3ff Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=2, length=196 Message-Authenticator = 0xfe7be571e4388b7f6070941972326855 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xdb7e976ee5b705e695f599c38b37c3ff Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 10.1.22.10 port 2626 EAP-Message = 0x01030155190041c9f615db2b0203010001a381a53081a2301d0603551d0e04160414c7c37e5eb8041d453578465052e5ee5064d4778630730603551d23046c306a8014c7c37e5eb8041d453578465052e5ee5064d47786a147a4453043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d8209008830ae147680554c300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006a97ee175a18622c2bace0c431706ec598f7ea3766cb8f7980ebcc0e2ec7138e2ed6c08f598f27c2e0a22ab81e48127aeb EAP-Message = 0x730816c95730f262d998622fef7ab67085b11171fcf91eedc0c722978688b4d95cc733f75cc8129c379c68664c1d4b25f86f4bfe077e3f816874b5164236b79ad98f7f21bff654afa0f389c860452416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=3, length=382 Message-Authenticator = 0x4fcb37f77d06f6b896b44d378446425a Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xa59e16e46b5a6ec02559580464dcdfc7 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300c01980000000b61603010086100000820080035f438a01efd8ab7c7a294a61aa7e875d7f06a8b634a2a73a3ec20b5069ec4dc0137747833e1252a070c6a3ce81917fd9dd1b712aaccd042e95790c91f15f1dd2408872453cb91d824630458d5b1546a2c60bcaee1207ddc57472ffc6afe456a82c452e1b3efc2f786ed598851a0a86be44c9dd31ba87d5c21cba7ef7e30d3a1403010001011603010020b3d94931dfd1413c9c4cb7248eaa9bfa185de0ce13cda40c4b717e7ac0271ba8 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.1.22.10 port 2626 EAP-Message = 0x0104003119001403010001011603010020935e4cc86eaaa1072ebd4e4c8e29ec031c939675d0c8c4d896dd671395d3fa1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd79c6820132ebef7cf1548ab25a93afa Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=4, length=196 Message-Authenticator = 0x4064e5721fc1c83e994ee45dc66e4fb4 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xd79c6820132ebef7cf1548ab25a93afa Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.1.22.10 port 2626 EAP-Message = 0x0105002019001703010015182fff1e23fe4e9d74e4dd55b6a10b80d9cb1b6f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x890db137000563152da88540de2781e1 Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=5, length=226 Message-Authenticator = 0x7ad74000bf14f349569c0ccfb1540c0d Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x890db137000563152da88540de2781e1 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205002419001703010019125b45ef09a64c9d64c8b7704291bcf4e8b811339b0138b716 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 36 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - cjarrett rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0205000d01636a617272657474 PEAP: Got tunneled identity of cjarrett PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cjarrett PEAP: Sending tunneled request EAP-Message = 0x0205000d01636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Processing from tunneled session code 0x9c06760 11 EAP-Message = 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a6983e73566293debc28f9785f4ba2c PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.1.22.10 port 2626 EAP-Message = 0x010600391900170301002ef2c5b8b197e6c26f51f804007aeffa9201509b57c8efb035180baa21bb94725c31867049409c85079be2e3428678 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Finished request 5 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=6, length=280 Message-Authenticator = 0xc08fd8e4919b60e5bd7e5470be52c475 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0xb9a3bd04514836a4cba31c175e9c77e6 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206005a1900170301004f9d20dcfecf2d949b98e83b0ef8ed9db381e1102982367126820039e03f3c11fb6d43998ca6a01e65a19e9ea7d823bd743bd8eb1d732d8dae19c82f39c08ad02e9d63fe13d0c25900ac075cdc3ada61 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 90 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 PEAP: Setting User-Name to cjarrett PEAP: Adding old state with 6a 69 PEAP: Sending tunneled request EAP-Message = 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cjarrett" State = 0x6a6983e73566293debc28f9785f4ba2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cjarrett with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x9c06198 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 10.1.22.10 port 2626 EAP-Message = 0x010700261900170301001bf1f9bd115db78bcad8de732871f5282e1a0754b687ddc300965f0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5dd00772486e492f840877441be62 Finished request 6 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Message-Authenticator = 0x55ab371942148ebc1eed6c3b87d626de Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 State = 0x56c5dd00772486e492f840877441be62 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001b4fbf51c05fb105bb02792f87fba4e8cd787ff2beafe7d334716e53 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 176 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228 Sending Access-Reject of id 7 to 10.1.22.10 port 2626 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4676f842 Waking up in 1 seconds...
tnt@kalik.co.yu wrote:
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server swich to one that's needed.
Ivan Kalik Kalik Informatika ISP
Dana 18/6/2007, "Cody Jarrett" <cody.jarrett@itfreedom.com> piše:
Sorry, 10.1.22.10 is the ip of my 3com.
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125 Service-Type = Framed-User User-Name = "cjarrett" Framed-MTU = 1488 Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test" Calling-Station-Id = "00-0E-35-FF-2A-82" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000d01636a617272657474 NAS-IP-Address = 10.1.22.10 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 177 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.22.10 port 2458 Waking up in 4 seconds...
Kevin Bonner wrote:
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
> I found a few topics on this issue but nothing quite informative enough. > I'm trying to get freeradius auth working with pam and peap. When I test > my config with radtest, I get Access-accept. When I use a windows XP > supplicant with a 3com access point, I get: > > rlm_pam: Attribute "User-Password" is required for authentication. > modcall[authenticate]: module "pam" returns invalid for request 4 > modcall: leaving group authenticate (returns invalid) for request 4 > auth: Failed to validate the user. > > Is the 3com not sending User-Password attributes in the packets, or is > something else wrong? > > Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
-Kevin
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Password has to be in plaintext, or ntPassword (md4(unicode(passphrase)) for PEAP. Inner encryption module used for authentication is usually MSCHAPv2 which will search for the check items NT-Password / Cleartext-Password. You must provide these from a database/directory/configuration file.
All the passwords stored in the ldap database are md5, is that going to work with peap?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cody Jarrett wrote:
I originally had "Default Auth-type := pam" but I removed that. Users are stored in an ldap database and I am basically trying to get radius to use pam for auth info, is this wrong? I don't understand how radius will use pam if I don't specify it somewhere.
You cannot use PAM to authenticate PEAP sessions. If users are stored in an LDAP database, then configure the server to read their cleartext passwords from the LDAP database. The server will do the rest. If the passwords aren't available in LDAP, or are encrypted, then you need to make the passwords available in LDAP. You're trying to force a particular solution, for reasons that are unclear. Alan DeKok.
Phil Mayers wrote:
All the passwords stored in the ldap database are md5, is that going to work with peap?
No. It's cryptographically impossible, sorry.
Your only real option is TTLS+PAP, which will require installing supplicant software on windows machines e.g. SecureW2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What we did here was setup a transparent capture of passwords when users logged into one of our popular services. We then took the captured passwords and populated a second attribute in the LDAP directory with them (ntPassword). Now all operations involving a change of users passwords write the SSHA form of the password and the NT Hash form of the passwords, which is nice because it means we can hang Samba off our OpenLDAP server too :) -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
participants (6)
-
Alan DeKok -
Arran Cudbard-Bell -
Cody Jarrett -
Kevin Bonner -
Phil Mayers -
tnt@kalik.co.yu