rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi all We have a strange propmlem with our RADIUS Server. I'm not the RADIUS expert and take over this Server and configuration... :-(
From time to time the users are not able to login, sometime it works and sometime it works only from 1 or 2 accesspopints (we have 10 accesspoints).
Attached you'll find the configuration and a snap from the RADIUS-log in debugmode. Accesspoints are Linksys WRT54GL with Tomato 1.23 We are running FreeRadius 2.0.5 on Gentoo Linux 2.6.27-r27. Could it be if we running FreeRadius on another OS we have less problems ?!? Thanks a lot ! Best wishes, Frank Errormessages from radiusd -X: rad_recv: Access-Request packet from host 10.0.0.15 port 2048, id=6, length=139 User-Name = "hummel.daniel" NAS-IP-Address = 10.0.0.15 Called-Station-Id = "00226b8df369" Calling-Station-Id = "001de03c1333" NAS-Identifier = "00226b8df369" NAS-Port = 28 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000120168756d6d656c2e64616e69656c Message-Authenticator = 0xc4150c77c1b15ce73bb23597f026471a +- entering group authorize expand: %{User-Name} -> hummel.daniel rlm_sql (sql): sql_set_user escaped user --> 'hummel.daniel' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'hummel.daniel' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'hummel.daniel' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'hummel.daniel' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 0 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 6 to 10.0.0.15 port 2048 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe01ba3a4e01ab604a48cd5e81844c9b7 Finished request 92. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.15 port 2048, id=6, length=145 Cleaning up request 92 ID 6 with timestamp +1637 User-Name = "hummel.daniel" NAS-IP-Address = 10.0.0.15 Called-Station-Id = "00226b8df369" Calling-Station-Id = "001de03c1333" NAS-Identifier = "00226b8df369" NAS-Port = 28 Framed-MTU = 1400 State = 0xe01ba3a4e01ab604a48cd5e81844c9b7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x0b24d65028ad5d79b81610cd54488cfa +- entering group authorize expand: %{User-Name} -> hummel.daniel rlm_sql (sql): sql_set_user escaped user --> 'hummel.daniel' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'hummel.daniel' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'hummel.daniel' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'hummel.daniel' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 6 to 10.0.0.15 port 2048 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe01ba3a4e119ba04a48cd5e81844c9b7 Finished request 93. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.15 port 2048, id=6, length=295 Cleaning up request 93 ID 6 with timestamp +1637 User-Name = "hummel.daniel" NAS-IP-Address = 10.0.0.15 Called-Station-Id = "00226b8df369" Calling-Station-Id = "001de03c1333" NAS-Identifier = "00226b8df369" NAS-Port = 28 Framed-MTU = 1400 State = 0xe01ba3a4e119ba04a48cd5e81844c9b7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009c198000000092160301008d01000089030149f72cc806e92a43ee6904dca25525651e77e998da5d0ededbd5753bb07ed85220af386935a49b3f5b9c4783516e0333469c78eb2cfad74151d5b753d674ee628c0018002f00350005000ac009c00ac013c01400320038001300040100002800000012001000000d68756d6d656c2e64616e69656c000a00080006001700180019000b00020100 Message-Authenticator = 0xa26fd49f5c488c892a756621fb54de36 +- entering group authorize expand: %{User-Name} -> hummel.daniel rlm_sql (sql): sql_set_user escaped user --> 'hummel.daniel' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'hummel.daniel' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'hummel.daniel' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'hummel.daniel' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 156 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 146 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 008d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 087d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 10.0.0.15 port 2048 EAP-Message = 0x0103040019c0000008da160301004a02000046030149f71dc1279696bdfc3a39e5703d22d4088664135cd33f3acc30e4f54fe26fe520d50fe4ef8ff0d044ccaf9bae0ff85f02096806a0789312e930c82521d30dd182002f00160301087d0b0008790008760003b5308203b130820299a003020102020101300d06092a864886f70d0101040500308198310b3009060355040613024b53310e300c060355040813054d4e5446533111300f060355040713085355564152454b413111300f060355040a13085357495353434f59312b302906092a864886f70d010901161c434f4d43454e2e5357495353434f59405654472e41444d494e2e4348312630 EAP-Message = 0x240603550403131d5377697373496e74205377697373436f79204365727469666963617465301e170d3038313132363039333731375a170d3039313132363039333731375a308185310b3009060355040613024b53310e300c060355040813054d4e5446533111300f060355040a13085357495353434f59312630240603550403131d5377697373496e74205377697373436f79204365727469666963617465312b302906092a864886f70d010901161c434f4d43454e2e5357495353434f59405654472e41444d494e2e434830820122300d06092a864886f70d01010105000382010f003082010a0282010100a9f605a518d65a8f655d463a3ac5bc EAP-Message = 0xd0cfd1ba53f38d27ff83ffa6b817dee8c36d785ab3ff4073eaa7c083aa5b9e8c5850b2e3e42b19387a41db367dcf83922e36d5a7d3a65161faf295430975d3bfad5a05caed7476df6b7379f5abb50ac3bf5ba5a8e5fcbfeabb909b5eefb6064bdc08a4bb08b2e9b424bcdf78899961b1b589c30ce8844ec2fd1e7bb2f39e6fea73a6c24bd5c5637a6d0252204269ff643c70f4b25ceb139e96ef390ae158a020e8fa2536e267e82061635325f6fffd2efad24fe27138844fbdf0fa3d9e19445edd460967c2b06c27f82054449cde1e9dc4ce1019a0c6a4367a189cbeb6b9327a0d80b51d25711600e3bc9c9e29d3b5c75b0203010001a3173015301306 EAP-Message = 0x03551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009be1f41d9e69695373cba465b1b2351da861cbda4a7f2ab090190a4eeb1d34213396a433b5f2b91d2de5fec116446ccbf453a88dccdfb81ca7ecd82009fc8d22d7189db99494c33efd6fb3f0fef7cd936fb84102fc89a2b3358189621396c81739d7a2355602f5e1bd345aedb0418e6c565657811996940234d7c6815a199fcdea7930f351be5b7fd778f15f64ca729059445eab1af1b87c1129b27ae17c14a09c22ae483daf3f7d31bbecc93bbdc057c4a7a4313c65a5b8d3f27cd0a9ce6ce2150db313ea46d435e1fde6725e1d02a62c36d59704dd79 EAP-Message = 0x2828d76b689c221f2176580a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe01ba3a4e218ba04a48cd5e81844c9b7 Finished request 94. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.15 port 2048, id=6, length=145 Cleaning up request 94 ID 6 with timestamp +1637 User-Name = "hummel.daniel" NAS-IP-Address = 10.0.0.15 Called-Station-Id = "00226b8df369" Calling-Station-Id = "001de03c1333" NAS-Identifier = "00226b8df369" NAS-Port = 28 Framed-MTU = 1400 State = 0xe01ba3a4e218ba04a48cd5e81844c9b7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xb0cdf7b97da5aa0d76076441bf361fc1 +- entering group authorize expand: %{User-Name} -> hummel.daniel rlm_sql (sql): sql_set_user escaped user --> 'hummel.daniel' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'hummel.daniel' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'hummel.daniel' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'hummel.daniel' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Radius Configuration: --------------------- FreeRADIUS Version 2.0.5, for host i486-pc-linux-gnu, built on Jan 10 2009 at 23:27:15 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 60 cleanup_delay = 5 max_requests = 51200 allow_core_dumps = no pidfile = "/var/run/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes } } client 10.0.0.9 { require_message_authenticator = no secret = "xxx" shortname = "TuXp_Test" nastype = "other" } client 10.0.0.10 { require_message_authenticator = no secret = "xxx" shortname = "Casa_A" nastype = "other" } client 10.0.0.11 { require_message_authenticator = no secret = "xxx" shortname = "Casa_B" nastype = "other" } client 10.0.0.12 { require_message_authenticator = no secret = "xxx" shortname = "Casa_C" nastype = "other" } client 10.0.0.13 { require_message_authenticator = no secret = "xxx" shortname = "Casa_D" nastype = "other" } client 10.0.0.14 { require_message_authenticator = no secret = "xxx" shortname = "Casa_E" nastype = "other" } client 10.0.0.15 { require_message_authenticator = no secret = "xxx" shortname = "Casa_F" nastype = "other" } client 10.0.0.16 { require_message_authenticator = no secret = "xxx" shortname = "Casa_G" nastype = "other" } client 10.0.0.17 { require_message_authenticator = no secret = "xxx" shortname = "Casa_H" nastype = "other" } client 10.0.0.18 { require_message_authenticator = no secret = "xxx" shortname = "Casa_I" nastype = "other" } client 10.0.0.19 { require_message_authenticator = no secret = "xxx" shortname = "Casa_J" nastype = "other" } client 127.0.0.1 { require_message_authenticator = no secret = "xxx" shortname = "Local" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 90 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "ab3z742fg4med" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "XXXXX" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO userinfo (username, mac, date, tag) VALUES ( '%{User-Name}', '%{Calling-Station-Id}', '%S', '%{Nas-IP-Address}' )" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" compat = "no" } Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.0.0.1 port = 1812 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address 10.0.0.1 port 1812 Listening on proxy address 10.0.0.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.19 port 2048, id=13, length=137 User-Name = "host/WSL-SIR" NAS-IP-Address = 10.0.0.19 Called-Station-Id = "00226b7a37b5" Calling-Station-Id = "00242b2f525b" NAS-Identifier = "00226b7a37b5" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001101686f73742f57534c2d534952 Message-Authenticator = 0x9fb6b52c90e4c0f844dc91d5fbcea21d +- entering group authorize expand: %{User-Name} -> host/WSL-SIR rlm_sql (sql): sql_set_user escaped user --> 'host/WSL-SIR' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'host/WSL-SIR' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'host/WSL-SIR' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User host/WSL-SIR not found ++[sql] returns notfound ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 0 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 13 to 10.0.0.19 port 2048 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c4fd6cb9c4ec3f5023ff4254ba8f1d5 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.19 port 2048, id=13, length=137 Cleaning up request 0 ID 13 with timestamp +234 User-Name = "host/WSL-SIR" NAS-IP-Address = 10.0.0.19 Called-Station-Id = "00226b7a37b5" Calling-Station-Id = "00242b2f525b" NAS-Identifier = "00226b7a37b5" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001101686f73742f57534c2d534952 Message-Authenticator = 0xe77f186ef1912fceb5fd819815c11fa6 +- entering group authorize expand: %{User-Name} -> host/WSL-SIR rlm_sql (sql): sql_set_user escaped user --> 'host/WSL-SIR' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'host/WSL-SIR' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'host/WSL-SIR' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): User host/WSL-SIR not found ++[sql] returns notfound ++[files] returns noop ++[mschap] returns noop rlm_eap: EAP packet type response id 0 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 13 to 10.0.0.19 port 2048 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2248484c2259113db17cab2dbadac35 Finished request 1.
Hi all We have a strange propmlem with our RADIUS Server. I'm not the RADIUS expert and take over this Server and configuration... :-(
From time to time the users are not able to login, sometime it works and sometime it works only from 1 or 2 accesspopints (we have 10 accesspoints).
Attached you'll find the configuration and a snap from the RADIUS-log in debugmode.
Accesspoints are Linksys WRT54GL with Tomato 1.23
We are running FreeRadius 2.0.5 on Gentoo Linux 2.6.27-r27. Could it be if we running FreeRadius on another OS we have less problems ?!?
The error from your headline does not appear in the debug you posted. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Frank Reimann -
Ivan Kalik