i have problem with EAP authorization in file or sql mode
Help me i read full documentation of this server but problem remain i send you with last email in sql module log and i this maybe occurs with my sql configuration but in file mode module i have same problem FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Nov 14 2010 at 03:05:12 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/modules/files main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log_auth = no log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 127.0.0.1 { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "aminahooradkpw" nastype = "other" } client 10.10.10.2 { require_message_authenticator = no secret = "aminahooradkpw" shortname = "SingleRouter" nastype = "mikrotik" } client 192.168.137.2 { require_message_authenticator = no secret = "aminahooradkpw" shortname = "SingleRouter" nastype = "mikrotik" } client 172.16.15.1 { require_message_authenticator = no secret = "dkpw" shortname = "wireless" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/radiusd.conf pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/radiusd.conf mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_cert_cn = "%{User-Name}" cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=176, length=127 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02110007013130 Message-Authenticator = 0x04fff75e7f186f6ea10588cb2241d5d2 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 17 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 176 to 172.16.15.1 port 1027 EAP-Message = 0x011200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e9cb3b165fbd692931fddb1e7 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=177, length=222 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0212005419800000004a16030100450100004103014d150aea2b4d30a28baa51de77dde94e3089e861c19507aeb18d51fae369150b00001a002f000500040035000a000900030008003300390016001500140100 State = 0x9ca1a80e9cb3b165fbd692931fddb1e7 Message-Authenticator = 0x03f021f9c6cb610f8043acacd690bb14 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 18 length 84 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 74 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0045], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 177 to 172.16.15.1 port 1027 EAP-Message = 0x0113040019c00000089b160301002a0200002603014d0d79121f619ae704fedcbf9402c4aed6108b549489614209008236d368e5b700002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313131323130323732355a170d3130313131323130323732355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ed4b1ec73b577eb4dd302dc0192331e6e40993f78258093329b68770e5e928e1461a574ce4132402dd833efec617ff947bc6da7606f3ea98e628113ad6cc EAP-Message = 0xabe291939f4b51566ff040429e307a26bea0beaea5ba59ddafe252c9eaee68ec220f0bf86d147dd1d20ba2257c168b0b9b1a4ca74417142b6a9c860552aa014cfd2ac15ec28ad1803eda7fe54e31bcf5fe774c9445337d94fa53a3638936a1edba4cedc9d7715919fade13eba12d84de71550a214ce20f985919cd4e4a3fc555f0117a0137eb93edeb98ff973367e1535737d76a62692870da46bbacd24c1f47a6f95594688a6c76a660e371d0ee68a6714389ee571e02283028d71161aad17aadef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007348a9f7eb447a0a18 EAP-Message = 0x1a35b4290a56356ef5bdd344c898ae5782513d75d21362e94f76c6adc2c9f119f49e142c786edcc26ffb9e1b9f67013c32f5b289c6963372be252bf780766be2861ec76e3b5afdbe6ff3486bf7ad65079b41c000c72d105b8c95d0bdf2c24553f9578d71beb518892510fc3205ef923fb02ed4ac3d282d8cfa9d173ba5cc3e47949ed06ef6fbc8328a86ff45c50061f0d0d5e41d7712a92a927497e5c9f7c6f5d07ead4e9ffe1a866ffa134d5f5aeae24fb6c9b350a025a0db619e6a2edabac6ef7e80b72ac02c87feea8f951c4ddd3292e087a52a8265e99dcd4cde088847424f21879c6d20f04e412363885aaec4973e7815fcfc53230004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e9db2b165fbd692931fddb1e7 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=178, length=144 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021300061900 State = 0x9ca1a80e9db2b165fbd692931fddb1e7 Message-Authenticator = 0x1137081fd9ba42765a28a148ee37c3da # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 19 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 178 to 172.16.15.1 port 1027 EAP-Message = 0x011403fc194000dcdbb13f82d4ce56300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313131323130323732355a170d3130313131323130323732355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4a62d9a3d9c2555520f25042b2a8b08ba1e61f07eee939363de3239d5d522b79938a269dae2eb5881c9e60fba117d1dcdbc83407a13bdde6a5d1ffd630e9613c34fad618dee5733d6ebc5df0ed3a641705baaa7250ce6a558ccef6f7def5f18f99bcc908f5a0e708f158ee77ecddc EAP-Message = 0x8969bdf71edf554961b83f8c719cb533f47a592d81e16e77b201ed464f09be9125da469bbb0e43bc76e23bc01f2eb78c7cca22e50382a384908b7fb1f416503d37b1c955303a144ca270259872f80c44ce20cf11a44e297ca763ac058de9cb83656ec62943d728f2c5499524542f3dbb61051d7e0a9a92d7fe883670624e751d7ec9fedc674cf73f4822361b8f263d2a650203010001a381fb3081f8301d0603551d0e041604146f2687e7262e22aecd2188eb6efb02eba39839fd3081c80603551d230481c03081bd80146f2687e7262e22aecd2188eb6efb02eba39839fda18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900dcdbb13f82d4ce56300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100647c9fcfe32740d5d6df5d621dd28948d3b5ba585446ce00a3f175f3fb60177f372d72b57463fd28220023dcc8873bd56b4bc89c39acdb8e334aaf6ac6009a784d7c780bd79366113bfbdb7d3af852bd2b9d EAP-Message = 0x5759f29e94ec8aef Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e9eb5b165fbd692931fddb1e7 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=179, length=144 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021400061900 State = 0x9ca1a80e9eb5b165fbd692931fddb1e7 Message-Authenticator = 0x312e182ce06032e4516f6d50a6c4c129 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 20 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 179 to 172.16.15.1 port 1027 EAP-Message = 0x011500b51900bf21a0b69a3e67caac09ed7c1cfbe98ac4b9e2d992a78310ee9b777b568fc84698be69b725c44305c38668cbfdf2fc4d2bd20a0a2ccca4a713772ac2d5867ce172062d8dba01d5fae9b313874d1eb94c2489edd82862b33ef58e0e0558093917fed55cb1a9b0f8fe70811709ca05d6ed1549e6377527c4a2c68c3ff021ae6f52fa1ba9e4832dad7a71d1f6775fdecb48936a9fff5e5e0910dc5645e144ad54538828a11e269616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e9fb4b165fbd692931fddb1e7 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=180, length=476 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021501501980000001461603010106100001020100498a4854d4465ef574b4954c3c8ee6b9ae2d8ee5cf9aa79e64d7bc3cf81f0be4ad0a50782e0af7e23c14ba838680fbaf95cd58afe9d8d95d8f0a17cc7278f9841fa2334fab620dee7d4f97675b0d3f729104e25cd46051d0731ead475a45a4d22b9e60f5db2026ffe3a73facda7e5f45715de1560ca853fcf80c89dbf0b8608c5743d86ee6d02605dce1061a91b92be6c1602070ae49b93d48dbef5f41cdd81bf1a0dcbc647f2a3c5658035530d44e222a7659ad7d6a5492d5c39ab5bc75b7cc2b689af8cf9092b92833509df984b19f32d98d5345ad77717505760bdd5ed9295a3ce1da0aff0012 EAP-Message = 0xc119bae4349284a4ad2e9fb29ba4effba1c5e1697194040f1403010001011603010030333c379e1cebfa25f09bdd6df6ea7960b7cfbe9e378b62b682c6d05f0afc08e1b6ae003652ebe60bac4709d46ad0e4ae State = 0x9ca1a80e9fb4b165fbd692931fddb1e7 Message-Authenticator = 0xf40facdf859bf71c40af155b112cbf50 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 21 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 180 to 172.16.15.1 port 1027 EAP-Message = 0x0116004119001403010001011603010030fb7d3c24d1c65b12dfa94d1ecdc6ddcc9d646faa4ecd36827418b2332203481407386ca214b13d7ab1b8cf9662552c07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e98b7b165fbd692931fddb1e7 Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=181, length=144 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021600061900 State = 0x9ca1a80e98b7b165fbd692931fddb1e7 Message-Authenticator = 0x2f0dd64255b0a8380e6a9b4871dfbdab # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 22 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 181 to 172.16.15.1 port 1027 EAP-Message = 0x0117002b190017030100207a938b37cd6503d215e4414cb1fd370240a2498818dfa70c7edc86e56bac80a1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e99b6b165fbd692931fddb1e7 Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=182, length=181 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0217002b19001703010020e7748073d57a68c015f4fe8d1273a2e1212cff4a26e245f4d62330ca0ddca5e2 State = 0x9ca1a80e99b6b165fbd692931fddb1e7 Message-Authenticator = 0xf80a05119c3182a4c5097b214aeb7c37 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 23 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - 10 [peap] Got inner identity '10' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02170007013130 server { PEAP: Setting User-Name to 10 Sending tunneled request EAP-Message = 0x02170007013130 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "10" server inner-tunnel { No such virtual server "inner-tunnel" } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 182 to 172.16.15.1 port 1027 EAP-Message = 0x0118002b19001703010020e922ee925838ed77c8b562883e7b7212c98e7180a9a9876b938d9d36de040ecd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ca1a80e9ab9b165fbd692931fddb1e7 Finished request 6. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=183, length=181 User-Name = "10" NAS-IP-Address = 172.16.15.1 NAS-Identifier = "aminahoora.home.ir" Framed-MTU = 1496 Called-Station-Id = "40-4a-03-ad-0b-b0" Calling-Station-Id = "00-22-41-7d-9f-91" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0218002b1900170301002023f62825916276e5903af5875752449fa84f8fbba2c38c0814de3f094d11738e State = 0x9ca1a80e9ab9b165fbd692931fddb1e7 Message-Authenticator = 0x4271c9b17c0f2c3e8603ec2c6bbbc268 # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry 10 at line 204 ++[files] returns ok [eap] EAP packet type response id 24 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Sending Access-Reject of id 183 to 172.16.15.1 port 1027 EAP-Message = 0x04180004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.6 seconds. ################################################################################# and this is my radius configuration file prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid #user = freerad #group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * #listen { # ipaddr = 172.16.15.1 # port = 1812 # type = auth # virtual_server = one # } port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = before lower_pass = before nospace_user = before nospace_pass = before checkrad = ${sbindir}/checkrad #security { # max_attributes = 200 # reject_delay = 1 # status_server = no #} proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } mschap { authtype = MS-CHAP use_mppe = no #require_encryption = yes #require_strong = yes # authtype = MS-CHAP } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } #$INCLUDE ${confdir}/sql.conf $INCLUDE ${confdir}/eap.conf $INCLUDE ${confdir}/modules/files counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } } instantiate { } authorize { #preprocess chap mschap #sql files eap pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } preacct { acct_unique } accounting { #detail #sql } session { #sql } post-auth { #sql } THANK YOU WITH BEST REGARDS AMIN AHOORA
amin ahoora wrote:
Help me i read full documentation of this server but problem remain
You edited the default configuration, and broke it. Don't do that. For complete instructions on getting EAP to work, read my web page: http://deployingradius.com Alan DeKok.
i only remove comment line all config related to documentation and i want it use for az radius server for mikrotik hotspot and EAP server THANK YOU WITH BEST REGARDS AMIN AHOORA On Sat, Dec 25, 2010 at 1:01 AM, Alan DeKok <aland@deployingradius.com>wrote:
amin ahoora wrote:
Help me i read full documentation of this server but problem remain
You edited the default configuration, and broke it. Don't do that.
For complete instructions on getting EAP to work, read my web page:
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i see your site but still error remain and use default configuration file can you introduced some debugger APP can use it for more information that i know with line error occurred because i don't know witch line is conflict for not work correctly THANK YOU WITH BEST REGARDS AMIN AHOORA On Sat, Dec 25, 2010 at 1:08 AM, amin ahoora <aminahoora@gmail.com> wrote:
i only remove comment line all config related to documentation and i want it use for az radius server for mikrotik hotspot and EAP server
THANK YOU WITH BEST REGARDS AMIN AHOORA
On Sat, Dec 25, 2010 at 1:01 AM, Alan DeKok <aland@deployingradius.com>wrote:
amin ahoora wrote:
Help me i read full documentation of this server but problem remain
You edited the default configuration, and broke it. Don't do that.
For complete instructions on getting EAP to work, read my web page:
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I want to use FreeRadius for a set of WLAN AccessPoints. The general setup is done and seems to work well. Due to some demands of the local area network, I need to manipulate the local dhcp server every time a user eners this network via WLAN. This will be done via an external program that is called in the accounting-section of the default-server. This external program needs to know, which IP should be assigned to the Client. Therefore I need to set up an IP-Pool management - which IP is in use, which one not? The modules ippool and espacially sqlippool are very nice to use and configure. Is it possible to execute them manually? I'd like to retrieve the ip as a parameter that can be passed to this external program. The other way round I'd like to tell the module, which IP can be released. Is that possible and how? Thank you and merry christmas! Marten Pape
Hi Marten, Im no expert, and you probably realize this, but I thought I would mention it anyhow, the accounting start packet contains the ip and mac in it. Some dhcp servers are smart enough to receive them. On Dec 25, 2010, at 13:31, Marten Pape <Marten.Pape@pape-hn.de> wrote:
Hello, I want to use FreeRadius for a set of WLAN AccessPoints. The general setup is done and seems to work well. Due to some demands of the local area network, I need to manipulate the local dhcp server every time a user eners this network via WLAN. This will be done via an external program that is called in the accounting-section of the default-server.
This external program needs to know, which IP should be assigned to the Client. Therefore I need to set up an IP-Pool management - which IP is in use, which one not? The modules ippool and espacially sqlippool are very nice to use and configure. Is it possible to execute them manually? I'd like to retrieve the ip as a parameter that can be passed to this external program. The other way round I'd like to tell the module, which IP can be released.
Is that possible and how?
Thank you and merry christmas! Marten Pape
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ji Bryan, hi all, Does anyone know such a dhcp server (couldn't figure out such a feature in ISC dhcp server) or a script that transfers this? So I wouldn't have to script this on my own. Regards, Marten Bryan Rank schrieb:
Hi Marten, Im no expert, and you probably realize this, but I thought I would mention it anyhow, the accounting start packet contains the ip and mac in it. Some dhcp servers are smart enough to receive them.
On Dec 25, 2010, at 13:31, Marten Pape <Marten.Pape@pape-hn.de> wrote:
Hello, I want to use FreeRadius for a set of WLAN AccessPoints. The general setup is done and seems to work well. Due to some demands of the local area network, I need to manipulate the local dhcp server every time a user eners this network via WLAN. This will be done via an external program that is called in the accounting-section of the default-server.
This external program needs to know, which IP should be assigned to the Client. Therefore I need to set up an IP-Pool management - which IP is in use, which one not? The modules ippool and espacially sqlippool are very nice to use and configure. Is it possible to execute them manually? I'd like to retrieve the ip as a parameter that can be passed to this external program. The other way round I'd like to tell the module, which IP can be released.
Is that possible and how?
Thank you and merry christmas! Marten Pape
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Marten Pape wrote:
Ji Bryan, hi all, Does anyone know such a dhcp server (couldn't figure out such a feature in ISC dhcp server) or a script that transfers this? So I wouldn't have to script this on my own.
The ISC DHCP server doesn't have this feature. FreeRADIUS, however, can work as a DHCP server. :) Alan DeKok.
Alan DeKok schrieb:
Marten Pape wrote:
Ji Bryan, hi all, Does anyone know such a dhcp server (couldn't figure out such a feature in ISC dhcp server) or a script that transfers this? So I wouldn't have to script this on my own.
The ISC DHCP server doesn't have this feature.
FreeRADIUS, however, can work as a DHCP server. :)
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But it's still marked as "experimental". And I need to set up a little bit more complex system than just using dhcp with freeradius. There's something more. Could be interesting to use freeradius-dhcp in future, but it looks as there's a lot of coding necessary to get this dhcp to work as I want to have it. Marten Pape
Alan DeKok schrieb:
Marten Pape wrote:
Ji Bryan, hi all, Does anyone know such a dhcp server (couldn't figure out such a feature in ISC dhcp server) or a script that transfers this? So I wouldn't have to script this on my own.
The ISC DHCP server doesn't have this feature.
FreeRADIUS, however, can work as a DHCP server. :)
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But back to Topic: Is it possible to call a module manually in another section? I'd like to execute an ip-pool in accounting (start) instead of post-auth. This is, beaucse I'd like to use the attribute Framed-IP-Address in my own program (knowing that it won't have an effect on WLAN clients). So I need to make the ip-pool feeling like it were called during the post-auth state, so that it will give me a new IP-Address Best regards, Marten Pape
On 01/01/2011 08:56 PM, Marten Pape wrote:
But back to Topic: Is it possible to call a module manually in another section? I'd like to
Yes, IIRC: accounting { ippool.post-auth } This might fail for other reasons (for example, the accounting request might not contain required fields). And it will try to add a Framed-IP-Address to the accounting-response, which is invalid/illegal.
participants (5)
-
Alan DeKok -
amin ahoora -
Bryan Rank -
Marten Pape -
Phil Mayers