Need help with EAP-MSCHAPv2 config
Hi, I am new to freeradius and hope someone here can help me with my setup. Thanks a lot! Here is what i got when running radiusd with -X option: (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "testing", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 2 length 66 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x065c081f075e1207 (8) eap: Finished EAP session with state 0x065c081f075e1207 (8) eap: Previous EAP request found for state 0x065c081f075e1207, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default (8) eap_mschapv2: authenticate { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: Creating challenge hash with username: testing (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) eap_mschapv2: [mschap] = reject (8) eap_mschapv2: } # authenticate = reject (8) eap: Sending EAP Failure (code 4) ID 2 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user If i run: radtest -t mschap ..., everything seems fine and it output 'Received Access-Accept'. I guess its because the radtest is running with mschap, and my client above is using mschapv2. I can't figure out what config i should do with mschapv2. The radius is running with mysql. user and password are insert to with sql: INSERT INTO `radcheck` VALUES (2,'testing','Cleartext-Password',':=','testuser_mypass'); Thanks a lot!
On Feb 10, 2020, at 5:29 PM, Yongqiang He <thehyq@gmail.com> wrote:
I am new to freeradius and hope someone here can help me with my setup. Thanks a lot!
Here is what i got when running radiusd with -X option:
No... you got a lot more than that. We will need ALL of the debug output to see what's going on.
If i run: radtest -t mschap ..., everything seems fine and it output 'Received Access-Accept'. I guess its because the radtest is running with mschap, and my client above is using mschapv2. I can't figure out what config i should do with mschapv2.
Don't guess. Read the debug output. Compare the debug output between the two kinds of authentication. What's different?
The radius is running with mysql. user and password are insert to with sql: INSERT INTO `radcheck` VALUES (2,'testing','Cleartext-Password',':=','testuser_mypass');
The piece of debug output that you posted shows *nothing* about SQL. Is it even querying the SQL server? Alan DeKok.
Thanks Alan! Here is full output with error connecting from the real client. (10) Received Access-Request Id 130 from 138.68.244.7:36409 to 138.68.244.7:1812 length 155 (10) User-Name = "testing" (10) NAS-Port-Type = Virtual (10) Service-Type = Framed-User (10) NAS-Port = 3 (10) NAS-Port-Id = "IOS_Mac_IKEv2" (10) NAS-IP-Address = 138.68.244.7 (10) Called-Station-Id = "138.68.244.7[4500]" (10) Calling-Station-Id = "76.126.66.227[46978]" (10) EAP-Message = 0x0200000c0174657374696e67 (10) NAS-Identifier = "my_test" (10) Message-Authenticator = 0x27460db81f1205bdfd1c97b652578ac7 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "testing", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 0 length 12 (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Peer sent packet with method EAP Identity (1) (10) eap: Calling submodule eap_md5 to process data (10) eap_md5: Issuing MD5 Challenge (10) eap: Sending EAP Request (code 1) ID 1 length 22 (10) eap: EAP session adding &reply:State = 0xe6792945e6782dfc (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 130 from 138.68.244.7:1812 to 138.68.244.7:36409 length 0 (10) EAP-Message = 0x0101001604105c8b2a8b71baf1533f70d0e36633bd68 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xe6792945e6782dfc56843e1cf30c8716 (10) Finished request Waking up in 4.9 seconds. (11) Received Access-Request Id 131 from 138.68.244.7:36409 to 138.68.244.7:1812 length 167 (11) User-Name = "testing" (11) NAS-Port-Type = Virtual (11) Service-Type = Framed-User (11) NAS-Port = 3 (11) NAS-Port-Id = "IOS_Mac_IKEv2" (11) NAS-IP-Address = 138.68.244.7 (11) Called-Station-Id = "138.68.244.7[4500]" (11) Calling-Station-Id = "76.126.66.227[46978]" (11) EAP-Message = 0x02010006031a (11) NAS-Identifier = "my_test" (11) State = 0xe6792945e6782dfc56843e1cf30c8716 (11) Message-Authenticator = 0x57a28bbdd943c3ee77ca446adbe65d35 (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "testing", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 1 length 6 (11) eap: No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0xe6792945e6782dfc (11) eap: Finished EAP session with state 0xe6792945e6782dfc (11) eap: Previous EAP request found for state 0xe6792945e6782dfc, released from the list (11) eap: Peer sent packet with method EAP NAK (3) (11) eap: Found mutually acceptable type MSCHAPv2 (26) (11) eap: Calling submodule eap_mschapv2 to process data (11) eap_mschapv2: Issuing Challenge (11) eap: Sending EAP Request (code 1) ID 2 length 43 (11) eap: EAP session adding &reply:State = 0xe6792945e77b33fc (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 131 from 138.68.244.7:1812 to 138.68.244.7:36409 length 0 (11) EAP-Message = 0x0102002b1a01020026108bf74d1238cc6fb438d8463cbcae5781667265657261646975732d332e302e3230 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xe6792945e77b33fc56843e1cf30c8716 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 132 from 138.68.244.7:36409 to 138.68.244.7:1812 length 227 (12) User-Name = "testing" (12) NAS-Port-Type = Virtual (12) Service-Type = Framed-User (12) NAS-Port = 3 (12) NAS-Port-Id = "IOS_Mac_IKEv2" (12) NAS-IP-Address = 138.68.244.7 (12) Called-Station-Id = "138.68.244.7[4500]" (12) Calling-Station-Id = "76.126.66.227[46978]" (12) EAP-Message = 0x020200421a0202003d3184998d176a1446dc46a5375cd3a7ab7200000000000000007d66204498f76c81b5aa6b18332d2fefe8c2ceb5cd9be0700074657374696e67 (12) NAS-Identifier = "my_test" (12) State = 0xe6792945e77b33fc56843e1cf30c8716 (12) Message-Authenticator = 0x9c7886f05a11be16e9382cd513c98f0a (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "testing", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 2 length 66 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0xe6792945e77b33fc (12) eap: Finished EAP session with state 0xe6792945e77b33fc (12) eap: Previous EAP request found for state 0xe6792945e77b33fc, released from the list (12) eap: Peer sent packet with method EAP MSCHAPv2 (26) (12) eap: Calling submodule eap_mschapv2 to process data (12) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default (12) eap_mschapv2: authenticate { (12) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (12) mschap: Creating challenge hash with username: testing (12) mschap: Client is using MS-CHAPv2 (12) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (12) mschap: ERROR: MS-CHAP2-Response is incorrect (12) eap_mschapv2: [mschap] = reject (12) eap_mschapv2: } # authenticate = reject (12) eap: Sending EAP Failure (code 4) ID 2 length 4 (12) eap: Freeing handler (12) [eap] = reject (12) } # authenticate = reject (12) Failed to authenticate the user (12) Using Post-Auth-Type Reject (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Post-Auth-Type REJECT { (12) if ( no == "yes" ) { (12) if ( no == "yes" ) -> FALSE (12) attr_filter.access_reject: EXPAND %{User-Name} (12) attr_filter.access_reject: --> testing (12) attr_filter.access_reject: Matched entry DEFAULT at line 11 (12) [attr_filter.access_reject] = updated (12) [eap] = noop (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # Post-Auth-Type REJECT = updated (12) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (12) Sending delayed response (12) Sent Access-Reject Id 132 from 138.68.244.7:1812 to 138.68.244.7:36409 length 127 (12) MS-CHAP-Error = "\002E=691 R=1 C=e8761a4b9b5c17800ee5e17ab8e67079 V=3 M=Authentication rejected" (12) EAP-Message = 0x04020004 (12) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 130 with timestamp +11689 (11) Cleaning up request packet ID 131 with timestamp +11689 (12) Cleaning up request packet ID 132 with timestamp +11689 And here is the full output from running radtest: (13) Received Access-Request Id 98 from 138.68.244.7:40926 to 138.68.244.7:1812 length 133 (13) User-Name = "testing" (13) NAS-IP-Address = 127.0.1.1 (13) NAS-Port = 1812 (13) Message-Authenticator = 0x3b4e57a573129d63a462a854a3f8b374 (13) MS-CHAP-Challenge = 0x31d98bba4411b626 (13) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000071dac53034b42a03a735f807aa5917612dd95f43666cf8e2 (13) # Executing section authorize from file /etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (13) [mschap] = ok (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "testing", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: No EAP-Message, not doing EAP (13) [eap] = noop (13) [files] = noop (13) sql: EXPAND %{User-Name} (13) sql: --> testing (13) sql: SQL-User-Name set to 'testing' rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 11064 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 11064 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 11064 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (12), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Reserved connection (12) (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id (13) sql: User found in radcheck table (13) sql: Conditional check items matched, merging assignment check items (13) sql: Cleartext-Password := "testuser_mypass" (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (13), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Reserved connection (13) rlm_sql (sql): Released connection (13) Need 1 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (14), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10 (13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (13) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority (13) sql: User not found in any groups rlm_sql (sql): Released connection (12) (13) [sql] = ok (13) [expiration] = noop (13) [logintime] = noop (13) pap: WARNING: Auth-Type already set. Not setting to PAP (13) [pap] = noop (13) } # authorize = ok (13) Found Auth-Type = mschap (13) # Executing group from file /etc/raddb/sites-enabled/default (13) authenticate { (13) mschap: Found Cleartext-Password, hashing to create NT-Password (13) mschap: Client is using MS-CHAPv1 with NT-Password (13) mschap: adding MS-CHAPv1 MPPE keys (13) [mschap] = ok (13) } # authenticate = ok (13) # Executing section post-auth from file /etc/raddb/sites-enabled/default (13) post-auth { (13) update { (13) No attributes updated for RHS &session-state: (13) } # update = noop (13) if ( no == "yes" ) { (13) if ( no == "yes" ) -> FALSE (13) [exec] = noop (13) policy remove_reply_message_if_eap { (13) if (&reply:EAP-Message && &reply:Reply-Message) { (13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (13) else { (13) [noop] = noop (13) } # else = noop (13) } # policy remove_reply_message_if_eap = noop (13) } # post-auth = noop (13) Sent Access-Accept Id 98 from 138.68.244.7:1812 to 138.68.244.7:40926 length 0 (13) MS-CHAP-MPPE-Keys = 0x0000000000000000b1ce5d77fca4da9e183b40b613ec5408 (13) MS-MPPE-Encryption-Policy = Encryption-Allowed (13) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (13) Finished request Waking up in 4.9 seconds. (13) Cleaning up request packet ID 98 with timestamp +12005 On Mon, Feb 10, 2020 at 5:17 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 10, 2020, at 5:29 PM, Yongqiang He <thehyq@gmail.com> wrote:
I am new to freeradius and hope someone here can help me with my setup. Thanks a lot!
Here is what i got when running radiusd with -X option:
No... you got a lot more than that. We will need ALL of the debug output to see what's going on.
If i run: radtest -t mschap ..., everything seems fine and it output 'Received Access-Accept'. I guess its because the radtest is running with mschap, and my client above is using mschapv2. I can't figure out what config i should do with mschapv2.
Don't guess. Read the debug output. Compare the debug output between the two kinds of authentication. What's different?
The radius is running with mysql. user and password are insert to with sql: INSERT INTO `radcheck` VALUES (2,'testing','Cleartext-Password',':=','testuser_mypass');
The piece of debug output that you posted shows *nothing* about SQL. Is it even querying the SQL server?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 10, 2020, at 8:31 PM, Yongqiang He <thehyq@gmail.com> wrote:
Here is full output with error connecting from the real client.
As I suggested, there's no call to the "sql" module when the client is doing EAP-MSCHAPv2.
(12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) } # authorize = updated
It stops here... When the server receives just MS-CHAPv2, we see:
(13) [eap] = noop (13) [files] = noop (13) sql: EXPAND %{User-Name} (13) sql: --> testing
See? It calls "files" and "sql" after "eap". You'll have to edit the "default" virtual server: # The "updated" check is commented out for compatibility with # previous versions of this configuration, but you may wish to # uncomment it as well; this will further reduce the number of # LDAP and/or SQL queries for TTLS or PEAP. # eap { ok = return # updated = return } The above lines are in the default configuration. They work. You uncommented the "updated = return" line, which broke EAP-MSCHAPv2. Comment out that line again. Return it to the default configuration, and it will work. Alan DeKok.
Wow! It works now! Thank you so much, Alan! On Mon, Feb 10, 2020 at 5:40 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 10, 2020, at 8:31 PM, Yongqiang He <thehyq@gmail.com> wrote:
Here is full output with error connecting from the real client.
As I suggested, there's no call to the "sql" module when the client is doing EAP-MSCHAPv2.
(12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) } # authorize = updated
It stops here...
When the server receives just MS-CHAPv2, we see:
(13) [eap] = noop (13) [files] = noop (13) sql: EXPAND %{User-Name} (13) sql: --> testing
See? It calls "files" and "sql" after "eap".
You'll have to edit the "default" virtual server:
# The "updated" check is commented out for compatibility with # previous versions of this configuration, but you may wish to # uncomment it as well; this will further reduce the number of # LDAP and/or SQL queries for TTLS or PEAP. # eap { ok = return # updated = return }
The above lines are in the default configuration. They work. You uncommented the "updated = return" line, which broke EAP-MSCHAPv2.
Comment out that line again. Return it to the default configuration, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Yongqiang He