Hi! I'm receiving a "rlm_eap_peap: Had sent TLV failure, rejecting." on the end of the debug when trying to auth EAP/PEAP XP-SP2 client. Looking earlier, on the debug, i'd see: ----- rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: group authenticate returns reject for request 6 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ----- But... now i don't know if the mschapv2 is the value that is "Unknow" or what value is unknow for the auth? Please, help me telling me what i doing wrong? Thanks in advice for your help. radiusd.conf: ----- prefix = /programas/freeradius2 exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } with_cisco_vsa_hack = no files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { eap } authenticate { eap } preacct { acct_unique } accounting { detail radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { } ----- eap.conf: ----- eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/tls/cert-srv.pem certificate_file = ${raddbdir}/certs/tls/cert-srv.pem CA_file = ${raddbdir}/certs/tls/CA/cacert.pem dh_file = ${raddbdir}/certs/tls/dh random_file = ${raddbdir}/certs/tls/random fragment_size = 1024 include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no } mschapv2 { } } ----- debug log: ----- + LD_LIBRARY_PATH=/usr/local/openssl/lib + LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so + export LD_LIBRARY_PATH LD_PRELOAD + /programas/freeradius2/sbin/radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /programas/freeradius2/etc/raddb/clients.conf Config: including file: /programas/freeradius2/etc/raddb/eap.conf Config: including file: /programas/freeradius2/etc/raddb/sql.conf main: prefix = "/programas/freeradius2" main: localstatedir = "/programas/freeradius2/var" main: logdir = "/programas/freeradius2/var/log/radius" main: libdir = "/programas/freeradius2/lib" main: radacctdir = "/programas/freeradius2/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/programas/freeradius2/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/programas/freeradius2/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/programas/freeradius2/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /programas/freeradius2/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/programas/freeradius2/etc/raddb/certs/tls/cert-srv.pem" tls: certificate_file = "/programas/freeradius2/etc/raddb/certs/tls/cert-srv.pem" tls: CA_file = "/programas/freeradius2/etc/raddb/certs/tls/CA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/programas/freeradius2/etc/raddb/certs/tls/dh" tls: random_file = "/programas/freeradius2/etc/raddb/certs/tls/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/programas/freeradius2/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/programas/freeradius2/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.7:55049, id=141, length=134 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023200090170657065 Message-Authenticator = 0x3fe87643717488557b8e86a44a4929c6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: EAP packet type response id 50 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 141 to 192.168.20.7:55049 EAP-Message = 0x013300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x15018a8667aa6f2bf399348682539a27 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55048, id=142, length=255 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0x15018a8667aa6f2bf399348682539a27 Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0233007019800000006616030100610100005d030142d40537ab2cf5b1ffa5776b3b8f68665e174ed49548c109ad68f86f7a0cd1d120e0cbf6c19dcd9b3581e28dbd6a1c2353a68b22d555b27765d568d1f260b5ac04001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x1b8c51e62702793dfd50c8837d3c4b0f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_eap: EAP packet type response id 51 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0662], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 142 to 192.168.20.7:55048 EAP-Message = 0x0134040a19c0000006bf160301004a02000046030142d40500bd0530d47bb9f0bf7d0466dff46308e08dc3535d98837308a00fad2920b108b434da5eb62bf266f75260a4fe1061477acffb72dc08e8f4bd96a54f60f800040016030106620b00065e00065b0002c4308202c030820229a003020102020900f12ab1347a5cd9e1300d06092a864886f70d010104050030818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e61206465 EAP-Message = 0x20496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573301e170d3035303632323138333932335a170d3036303632323138333932335a30819d310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573310f300d060355040313066f6e65626f7830819f300d06092a864886f70d010101050003818d00308189028181 EAP-Message = 0x00d30db19c37a7284f5f673101f2773ac3924fc774d15b7f55bc563b955b73aff9ac4f61d88aadaab244f47e944cdba13890f54008bd9ef1c553229e671ac5f4ffe6bb9bea797ac67188e37b9db3fb60006b68a8b3d01f73e9600612ae2d6bd4f0ce313e761bbdd177d9344579bd17565cc7b12a944820f52ab29365d22e4a24d30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181000795bf4630d57fde5f57eb8b0d4f0ceab17fd13b31437e09d666c1a5f7e3c6bc095b29442d889460764b7108194e06cc690a8b4e5ce1bc45744d57ffff07a9326ff1ac7e0d066e2cc86f83 EAP-Message = 0x8db90cbfa1ecd56e767573304003569d1693f6cf224e9a651d9d2e78a208ce2aed4ac4f0da6187ca561c946c98d24aa0161d9bf2080003913082038d308202f6a003020102020900f12ab1347a5cd9df300d06092a864886f70d010104050030818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e6573301e170d3035303632323138333631 EAP-Message = 0x395a170d3037303632323138333631395a30818c310b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f23eb8f5f09f1a8c84ebb931550b4bd Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55050, id=143, length=149 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0x4f23eb8f5f09f1a8c84ebb931550b4bd Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023400061900 Message-Authenticator = 0x830d6a0c2dcc38bb22d7a1400948e4fe Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_eap: EAP packet type response id 52 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 143 to 192.168.20.7:55050 EAP-Message = 0x013502c51900300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d617469636120792054656c65636f6d756e69636163696f6e657330819f300d06092a864886f70d010101050003818d0030818902818100a4d3a6bb7f0b08a448a8b84fe5236a0ef724951374d6320389f264f2c5007aee8cfc1cfd319e16e1cb910c5cfd07821ac809e1ac9baade2e618b7addf29844732d923ca1103395642bd3f9c230d4aace EAP-Message = 0xb77b9b2e3f96436860556ece59ee48b29a57b7824847e851a6829cc9dbefe96b24e9fb66d03e368cdcd4e40c7a7b66230203010001a381f43081f1301d0603551d0e0416041433bfd1100827d8643dcde9ca1ce76b25f46446913081c10603551d230481b93081b6801433bfd1100827d8643dcde9ca1ce76b25f4644691a18192a4818f30818c310b300906035504061302434f311830160603550408130f56616c6c652064656c204361756361310d300b0603550407130443616c69311e301c060355040a1315556e6976657273696461642064656c2056616c6c6531343032060355040b132b4f666963696e6120646520496e666f726d61746963 EAP-Message = 0x6120792054656c65636f6d756e69636163696f6e6573820900f12ab1347a5cd9df300c0603551d13040530030101ff300d06092a864886f70d0101040500038181003e06154dfd6945605d183a420498b80e43472ddc37ba210af99451122c28c0f9c0fe3a8c35e5fbf834e8c9359cab9c8a5178c6e93656d1aa4a90a40114d600bdc2698199b4adb031c83633ac990f05f42244a771769d888393d4c183f71cfdbaad74a467189ae89427f68d1e55ac68320bc63370dac576cfeaa005fc9855ef5e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb649f7b9cfb7b8ccdb805d8a851a27d4 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55049, id=144, length=335 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0xb649f7b9cfb7b8ccdb805d8a851a27d4 Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023500c01980000000b616030100861000008200804c70cebbcbafc5324563c330bf527a29c11a0483bfbfe450087e2531c08d2b8e713189e5555aeb166d477c9d8358ce9ca819b1afd8c491420cab162935ec1b80c69d3af8474a71b3460afbd52372954f74d977897c13698b53c4cf5209caafaf2fa6d7ba8cd952252e7697c0cdcd7731ee589048bbc1475bae28bc1aae0f0a0a1403010001011603010020096180b7dfa708498a1aeae672b4551b669c5fc6ae79622650efb3a10336b136 Message-Authenticator = 0xf47a9e90b06d8a38556ab39d5d345e7d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 rlm_eap: EAP packet type response id 53 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 144 to 192.168.20.7:55049 EAP-Message = 0x0136003119001403010001011603010020d03bfe69fdf6584b1d6882152fe7eb203fa22ba4852aae206dfc4196ab7659cd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6500c067b47a56e3d7eb39eb1f51f75d Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55048, id=145, length=149 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0x6500c067b47a56e3d7eb39eb1f51f75d Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023600061900 Message-Authenticator = 0xc9b738b4a99d700ff9f05aacd6343fdf Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 54 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 145 to 192.168.20.7:55048 EAP-Message = 0x0137002019001703010015139bfe6db0aca01e9c03e24c58b78467857d4be279 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e15c0c8c154169e15a6597e59ff063f Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55048, id=146, length=175 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0x0e15c0c8c154169e15a6597e59ff063f Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0237002019001703010015c074abf8e34854264935655f3a9f33dc72cf409bca Message-Authenticator = 0x33d50e786188aa6c15d1d581e93976c7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 55 length 32 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - pepe rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of pepe PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to pepe Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 55 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 146 to 192.168.20.7:55048 EAP-Message = 0x013800351900170301002a0d4aa1f3ae3837a8cb3f1823ce849e91f05b2b62a808621970c414f055fd2a41e83218f896985e63e9f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbc2a6b2ebc6704039852f97fd53633f3 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55050, id=147, length=229 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0xbc2a6b2ebc6704039852f97fd53633f3 Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023800561900170301004b0c6b58d944b8e5207dcc18641ebdd59dfe6c2c5e2cdeeb8c566316839b67d6279030b3480e61e635b0abe6862b2725c463ff23de791f75b5fd563cd0e41f0b9cc88dbb3a7a11c699547f93 Message-Authenticator = 0xf56c53360d6d6b4d44c2d586bb6027d6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 56 length 86 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to pepe PEAP: Adding old state with 71 1d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 56 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: group authenticate returns reject for request 6 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 147 to 192.168.20.7:55050 EAP-Message = 0x013900261900170301001b8f31916149f1767ba59d80746534182ee04d12cd8bc72aa59d0310 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2518cc6fe36775cf22af6b0801873445 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.7:55050, id=148, length=181 User-Name = "pepe" NAS-IP-Address = 192.168.20.7 Called-Station-Id = "00-0c-41-b1-37-07" Calling-Station-Id = "00-0b-7d-0f-f7-35" NAS-Identifier = "Linksys BEFW11S4-V4.X" State = 0x2518cc6fe36775cf22af6b0801873445 Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023900261900170301001bf5d93fbbc88f93d5d9886ccd2e16d37fc67244f08b25213e49d54b Message-Authenticator = 0xf510098b504d463f41750e04aae0ed5d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 57 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 141 with timestamp 42d40500 Cleaning up request 1 ID 142 with timestamp 42d40500 Cleaning up request 2 ID 143 with timestamp 42d40500 Cleaning up request 3 ID 144 with timestamp 42d40500 Cleaning up request 4 ID 145 with timestamp 42d40500 Cleaning up request 5 ID 146 with timestamp 42d40500 Cleaning up request 6 ID 147 with timestamp 42d40500 Sending Access-Reject of id 148 to 192.168.20.7:55050 EAP-Message = 0x04390004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 7 ID 148 with timestamp 42d40500 Nothing to do. Sleeping until we see a request. -----
Mario Alberto Cruz Gartner <mario.cruz@gmail.com> wrote:
Looking earlier, on the debug, i'd see:
----- ... rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. ... But... now i don't know if the mschapv2 is the value that is "Unknow" or what value is unknow for the auth?
The EAP-MSCHAPv2 code uses the mschap module for authentication.
Please, help me telling me what i doing wrong?
You deleted the mschap module from radiusd.conf. Don't do that. Alan DeKok.
Thks for the reply. Just below the eap.conf include line: ----- $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP ----- That, with the commented lines would be: ----- $INCLUDE ${confdir}/eap.conf # Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { # # As of 0.9, the mschap module does NOT support # reading from /etc/smbpasswd. # # If you are using /etc/smbpasswd, see the 'passwd' # module for an example of how to use /etc/smbpasswd # authtype value, if present, will be used # to overwrite (or add) Auth-Type during # authorization. Normally should be MS-CHAP authtype = MS-CHAP # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # #use_mppe = no # if mppe is enabled require_encryption makes # encryption moderate # #require_encryption = yes # require_strong always requires 128 bit key # encryption # #require_strong = yes # Windows sends us a username in the form of # DOMAIN\user, but sends the challenge response # based on only the user portion. This hack # corrects for that incorrect behavior. # #with_ntdomain_hack = no # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration # directive tells the module to call the ntlm_auth # program, which will do the authentication, and return # the NT-Key. Note that you MUST have "winbindd" and # "nmbd" running on the local machine for ntlm_auth # to work. See the ntlm_auth program documentation # for details. # # Be VERY careful when editing the following line! # #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-% {User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ---- That's the module definition from radiusd.conf. No? On 7/12/05, Alan DeKok <aland@ox.org> wrote:
Mario Alberto Cruz Gartner <mario.cruz@gmail.com> wrote:
Looking earlier, on the debug, i'd see:
----- ... rlm_eap: processing type mschapv2 ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. ... But... now i don't know if the mschapv2 is the value that is "Unknow" or what value is unknow for the auth?
The EAP-MSCHAPv2 code uses the mschap module for authentication.
Please, help me telling me what i doing wrong?
You deleted the mschap module from radiusd.conf. Don't do that.
Alan DeKok.
Mario Alberto Cruz Gartner <mario.cruz@gmail.com> wrote:
That's the module definition from radiusd.conf. No?
Yes. Read the REST of radiusd.conf to see where else "mschap" is used. As always, the default configuration works. If your system doesn't work, it's a site-local problem. Alan DeKok.
participants (2)
-
Alan DeKok -
Mario Alberto Cruz Gartner