EAP-PEAP-GTC User-Password never set
Hello All, I've been trying to get this seemingly simple implementation working for the past week to no avail. I've been scouring the search in an attempt to find someone with the exact same problem, yet haven't found anyone. Hopefully someone here can help. Here is my attempted implementation: I'm trying to implement a sort of MobileOTP solution for testing using EAP-PEAP-GTC. A user has a time synchronized MobileOTP soft token (on their mobile phone) which they will use to generate a One Time Password. The user can then log onto a wireless networking using their given username and OTP. To make matters simpler, I thought I'd just use the users file to store the users username, seed Secret, PIN, and time offset. When a user tries to login using GTC, the PEAP tunnel will be created and then the users username will be checked against the users file in order to populate their data (Secret, PIN, Offset). Then the username, OTP, Secret, PIN, and Offset will be sent as arguments to an external script called otpverify.sh that will verify that the OTP entered for that user is correct. If it is it returns ACCEPT, otherwise FAIL. So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it. I'm a little new to FreeRADIUS and this is the first time I've tried working with GTC and external scripts, so absolutely any help/direction/suggestions are greatly appreciated. I've tried a bunch of different things but I'm pretty stuck, my configuration is probably screwed up to the max so if you'd like me to start from a more default configuration I'd be happy to do that. Thank you in advance. Here is the radiusd debug output: FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Oct 19 2010 at 19:44:32 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/inner-eap.rpmsave including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ntlm_auth.rpmsave including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mschap.rpmsave including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/otp.rpmsave including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 0 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 172.16.1.90 { ipaddr = 172.16.1.90 require_message_authenticator = yes secret = "password" shortname = "OTP-Test" nastype = "cisco" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating module "motp" from file /etc/raddb/radiusd.conf exec motp { wait = yes program = "/etc/raddb/otpverify.sh %{User-Name} %{Cleartext-Password} %{control:Secret} %{control:PIN} %{control:Offset}" input_pairs = "request" output_pairs = "control" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 40 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "Local" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "gtc" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication interface eth0 address * port 1812 Listening on accounting interface eth0 address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=121 User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0x876f576a5b5b78ed95ad794692dcc117 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 6 [files] expand: /etc/raddb/otpverify.sh %{User-Name} %{User-Password} %{control:Secret} %{control:PIN} %{control:Offset} -> /etc/raddb/otpverify.sh test ++[files] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709e3c0babdca8c79ba47c00ff Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=235 Cleaning up request 0 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709e3c0bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709e3c0babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201006919800000005f160301005a0100005603014da4a8ff468cd476337a2c6b5a29b8ecde460a67c35f49756913e6064bb24d6a00002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 Message-Authenticator = 0x6907d5788d78543f640e45b88407fbcb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 1 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x0102040019c000000ab416030100310200002d03014da4a8ff14e1c414d0690e2e0914be9243fca1350e871a25ce145696e9628be9000039010005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303431313139323931365a170d3131303631303139323931365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6de02483462cbca5993c01d76cc885b74f69ad25e7e2cea6c6b1296c979071ae6c4a73fc637c76c7d24f26c74eaba8250bd7ffbda56f4 EAP-Message = 0x23b83c6c8e33b0b6e0a022b4aa39467541ad056badb8b5ff4e3507fa07ab01a629602a9299a47567c64064d5f70648d16c7ef26f196164247623de48e405b1816feedb8279d54a34fd4c878d41344fbfee07ef31a446acbddaf13999c3b2999dc61e9b7c1896e1926e18793fe613aa707e2d93d1b8d0eaf6b98824f48144c5bcf3caccd1bc6e808b4fd0368cc3aca9315a00419acafa583ba36eaa3c64ea3ee82c66d6a3a09ffed1ec00f550f9012f2f8c531161cb50a0851fa36270f367186b3304e517cb4617f9f50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101006353 EAP-Message = 0xdd59ed926f1df2e3d65c0b74f3aabc0b54e9a31a6ffb62c8673d2aa40e658dc1d142cf502b8e131bb27ac627ec7054c1171e5791a0027cfbca84e04953961e60110327ae560edb41d7cfa8ee4a2911db8978ee64b86925d95dcf89462d14fd8772bc3ff1d726c63485a9ebdb4e586aaa45fa9c29a9397a78c1bf8c85d35ecaec7cf2c78aa6d8896a7f99149e75cb3941aa03c999cbedea3c2b911f216498acedd0d110bf66be5cdfc46eb17903d4dcabdf420da6b59ca4b76fb56d3715d7e24d8e68eb90f2aa1a52f5fb05746e115f596406cf00eea2693d188db34c59d45300a04fa87ccb8b8ded9e7c023d393b21952a544c9c8070e563ef99d9e85e EAP-Message = 0xde0004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709f3f0babdca8c79ba47c00ff Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=136 Cleaning up request 1 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709f3f0bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709f3f0babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061900 Message-Authenticator = 0xf9dc09ec41ee8d1ae0a607d314c3e050 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x010303fc1940a003020102020900c71a902442245bf4300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303431313139323931365a170d3131303631303139323931365a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f27bf00e05098e421ffbb334ef7ce3f28fce24d1d8d9873ca5506610de76e29990911ee2dce97c22668b98a3a0033bd6c0935bc5798a752b1454fe4e88cf458a23758fdcf2e8b5634a8327ae4346f88c9a862d8f8e580558a3634dbda8c739f83acbc87a8e111ac5 EAP-Message = 0xea8b88d3c29a9ef0c12437707c44a11df02531071d0bb77383dc5529b6498588460c1ccd2844e029c8121c27ef4c7da367e9d566f40a4d847580239cad93ad4e096c7b9d97fea08e7467205b9b497cd9e531cdfb54794f8bb30b34c84a1137e99e5ab3e5dd32686da27f7d5c083ce3f288b4c7de855b26ec1799c12d508af6c00a7bc5b895e211bec8859779b92647831edda0781c59221f0203010001a381fb3081f8301d0603551d0e04160414e02a9283cf3b95616c4032e918a08d50a6e1ced93081c80603551d230481c03081bd8014e02a9283cf3b95616c4032e918a08d50a6e1ced9a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900c71a902442245bf4300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100d2f05795e6bce00b5c013c8164a2b555903869545a7c241fc5c67a7b2573da69092a6a492715f84e92ff1c4df9cb2c053852e427977769e60530a38b2ad11f708f7ec97be3ec4f1aad74ef EAP-Message = 0xf3258f9dc6b2d1e7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709c3e0babdca8c79ba47c00ff Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=136 Cleaning up request 2 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709c3e0bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709c3e0babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x887133f8407500ad66d9c50abd8c3f4f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x010402ce1900063fdfe7e6e88d5d5b82e2a984c2d62daff8b4232d295263051776d0bb33af491c4062b1148f5f5995e2b7e32cb3931a1b63da290a774e211356a1f788b34c7c55b54e17f8e2428a806457108717a720091f9e868fdcec955260fecc1ea5fa784ad50768920ae5a3607ca8fb22fd5768c02a7e36e0eaa05518c0d0b699a83fd58c3c6f8aa09c3fe07ddc382e47f867558331741071cd6bc4f412e77fc8a52a12de327f9afc1845a4c34235b642160301020d0c0002090080c59123b029dcfe0c7ea376cca60abbe1d2f106a07074886e0a23570eaf4d1d1f8cdeb6be92f3826a212dd2f95b91984af05c753530a64a46f0cfdd9e31998f EAP-Message = 0x67806d1b2485839f12b7e32e9f9116cd667f2e171b8bb7534409d907cba639f803bbb3f2878ec825e5248bd8c0165b2ffa327bdd77db9cd9a326d11147d9958e330001020080ae97d85bd8408e4e24c27a3ac70378569b52d63af9c13129ad06b7d04e194fbd72d0771f6c0c2c5f6e1256b826beecb698e1e437711bf2cc5efb3f9f964cf2efb472e623235be26526c42b567224ba219f483e64f58104d445519f96eb11f20d62314b5046020471e87c76b9c43938cd8a5294a4491513d8b5c7dfd982ef930c010037fb23c405712db76ea671011868524e74e2f9b74c8ddcc1eb1fffb9c4eaf2bee3c401e30554e800b921db3311fcf6f9277a7db7fb EAP-Message = 0xe4d05f2330372649ebf24be69ab20cd7632c184d4decd4112585310fd68005b0da66e7415415c55906b0552467e0253a597c7c19c5132011dc0276170732f91ac24a29c7849a38a0e7115c8dd96d3bc064ab4fe9c13d57c5ef784944a074bbf4449c1278be447e1b116fc3ae219b08aad2582ac7850da36663edd744f4b61df6543356f2c0a21f8cd71f04104dcf00a801a3cd068027365abcb0ab8681007feff43d40cae3640a1cbfe06d6f4ff1d4e1c8250a958e3f113b38719da7b6fed0d5095a819cf04ad9afe9517a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709d390babdca8c79ba47c00ff Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=338 Cleaning up request 3 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709d390bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709d390babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400d01980000000c61603010086100000820080be2de0246c97cd6cfd7d524abc7954ac55c2e140ee56d09cd04a07ca4e712657b9c8947c9b986735889d4af8805b4ad0c39744724dad66dca03897adb30c4b132502184ada4b3427f73f476299a44db9e10639f5f1b909d276227f0a8c2265b6b1dfd4e0eadafc3ae5c68b0a2cf13356bafb08f69db83b2f97b74d89b1b1e9a1140301000101160301003020395378a56ac35294ab30854251cf2bab2b11a79bcdc2455e6499b27da832243caa1b09dce4756177b5cd977ba00d98 Message-Authenticator = 0x71d7ce681ee0d42a4906c01ad3e460e0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x010500411900140301000101160301003001b1511229304c1492317db0ac3e3e665a3a653509fb492b7b0c494177622703dadece6c710b8312776442f4158af6a8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709a380babdca8c79ba47c00ff Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=136 Cleaning up request 4 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709a380bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709a380babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x0768575bc48a5bd65b3a20c3fb0f2ea0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x0106002b190017030100205f89d26ae63a857ce7b275e3f939169a72eb8c69e9002e18aaa59307249c8960 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d12709b3b0babdca8c79ba47c00ff Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=210 Cleaning up request 5 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d12709b3b0bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d12709b3b0babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600501900170301002042c0f24a197ff61f3d399fc86aac46d775b41b409dae702c1a1ff6ed164dbaaa17030100200fc9c6092a58852f29956dd8a1b4f1138053bba4a4fa8e11ff33669ea9321ec3 Message-Authenticator = 0x48710670d0231b40321d559ee30e344e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020600090174657374 server { PEAP: Setting User-Name to test Sending tunneled request EAP-Message = 0x020600090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[control] returns notfound expand: %{reply:User-Password} -> ++[request] returns notfound [eap] EAP packet type response id 6 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 6 [files] expand: /etc/raddb/otpverify.sh %{User-Name} %{User-Password} %{control:Secret} %{control:PIN} %{control:Offset} -> /etc/raddb/otpverify.sh test ++[files] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type gtc ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Exec-Program-Wait = "/etc/raddb/otpverify.sh test " EAP-Message = 0x0107000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3251624832566479b9aa9de9f62dea64 [peap] Got tunneled reply RADIUS code 11 Exec-Program-Wait = "/etc/raddb/otpverify.sh test " EAP-Message = 0x0107000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3251624832566479b9aa9de9f62dea64 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x0107003b19001703010030f3c007d74514d74143c8a17e8c2401962c5b883bb5180848851f3b06bec85633cf9c74f263a6714f420b3dce176e0fe6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d1270983a0babdca8c79ba47c00ff Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=226 Cleaning up request 6 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d1270983a0bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d1270983a0babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700601900170301002068528ef0a0fffd2faffef219c51180ca7072667db5fef4663823f2a2f479a957170301003061981f20fa1c976b99fca20f4730a01dc5cc4b44ff45465a4f0fa62b1dbac93e2a5cf3117fc55bd885d8b86b4127b477 Message-Authenticator = 0x29b8694b887bb261b7e2ab9c78738e61 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type gtc [peap] Got tunneled request EAP-Message = 0x0207000b06313233343536 server { PEAP: Setting User-Name to test Sending tunneled request EAP-Message = 0x0207000b06313233343536 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x3251624832566479b9aa9de9f62dea64 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[control] returns notfound expand: %{reply:User-Password} -> ++[request] returns notfound [eap] EAP packet type response id 7 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 6 [files] expand: /etc/raddb/otpverify.sh %{User-Name} %{User-Password} %{control:Secret} %{control:PIN} %{control:Offset} -> /etc/raddb/otpverify.sh test ++[files] returns ok ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc rlm_eap_gtc: ERROR: Cleartext-Password is required for authentication. [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 Exec-Program-Wait = "/etc/raddb/otpverify.sh test " EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Exec-Program-Wait = "/etc/raddb/otpverify.sh test " EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x0108003b19001703010030e9ea2a4cd16429206867e099cd3328aed18fd003ea6a0ca0ca8146bba4868211d9c69e8ef14f3a816e0d4f561f69097f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e3d127099350babdca8c79ba47c00ff Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.90 port 2048, id=0, length=226 Cleaning up request 7 ID 0 with timestamp +92 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x9e3d127099350bab did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "test" NAS-IP-Address = 172.16.1.90 Called-Station-Id = "c0c1c006f0dd" Calling-Station-Id = "00215db88b02" NAS-Identifier = "c0c1c006f0dd" NAS-Port = 49 Framed-MTU = 1400 State = 0x9e3d127099350babdca8c79ba47c00ff NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208006019001703010020d30ca7563aab23811c54fc3d7ab6e511a891f418629e73894b6e91276aa443e21703010030a61b983ee8035ba2b9fcf9f0c77a366f03d7b70744089eb4dea43dfdea7dea8c65a58a04e4a42f6ffdfec2421b7af2c5 Message-Authenticator = 0xebcef736dd223b259ba6bae0736ae73b # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 172.16.1.90 port 2048 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 8 ID 0 with timestamp +92 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-PEAP-GTC-User-Password-never-set... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Carl Anderson wrote:
So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it.
Read what you just wrote: the User-Password doesn't exist, and the gtc module says it needs a Cleartext-Password. They're not the same. The GTC module requires a Cleartext-Password to authenticate the user, as the "known good" password. It doesn't exist, because you're using a script. Your config is looking for a User-Password attribute to pass to the script. It doesn't exist becaue you're using GTC. In short, what you want to do isn't possible unless you modify the source code to the server. Alan DeKok.
Well, that's a shame, but thank you very much for the reply, I appreciate it. It'll at least save me countless hours of fiddling around with the config to no avail. Cheers, Carl From: Alan DeKok-2 [via FreeRadius] [mailto:ml-node+4299802-2066596580-197783@n5.nabble.com] Sent: Wednesday, April 13, 2011 1:09 AM To: Carl Anderson Subject: Re: EAP-PEAP-GTC User-Password never set Carl Anderson wrote:
So far the PEAP tunnel is created without a problem, but when it enters the EAP/gtc phase 2 it seems to only populate the User-Name attribute. The User-Password, Secret, PIN, and Offset values all expand as empty. As a result, phase 2 GTC authentication fails because the gtc module says it needs a Cleartext-Password. I feel as though I need to populate those attributes somewhere, but I have no idea where... or how exactly to do it.
Read what you just wrote: the User-Password doesn't exist, and the gtc module says it needs a Cleartext-Password. They're not the same. The GTC module requires a Cleartext-Password to authenticate the user, as the "known good" password. It doesn't exist, because you're using a script. Your config is looking for a User-Password attribute to pass to the script. It doesn't exist becaue you're using GTC. In short, what you want to do isn't possible unless you modify the source code to the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/EAP-PEAP-GTC-User-Password-never-set -tp4298997p4299802.html To unsubscribe from EAP-PEAP-GTC User-Password never set, click here <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsu bscribe_by_code&node=4298997&code=Y3dhbmRlcnNvbjMzQGdtYWlsLmNvbXw0Mjk4OTk3fD g2ODYwMDMyOQ==> . -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-PEAP-GTC-User-Password-never-set... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Alan DeKok -
Carl Anderson