First time using freeradius, attempting to setup freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received. Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect which comes after a WARNING: Auth-Type already set. Not setting to PAP? FreeRADIUS Version 3.0.12 [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". Ready to process requests Below is what debug output when trying to connect to the WAP. (0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172 (0) User-Name = "particle" (0) NAS-IP-Address = 192.168.1.38 (0) NAS-Identifier = "b4fbe4c348ab" (0) NAS-Port = 0 (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (0) Calling-Station-Id = "E0-4F-43-36-B1-F1" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0205000d017061727469636c65 (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "particle", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 13 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 6 length 22 (0) eap: EAP session adding &reply:State = 0x792e584479285c88 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x792e584479285c88d729d5f4b5ba04a4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (1) User-Name = "particle" (1) NAS-IP-Address = 192.168.1.38 (1) NAS-Identifier = "b4fbe4c348ab" (1) NAS-Port = 0 (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (1) Calling-Station-Id = "E0-4F-43-36-B1-F1" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020600060319 (1) State = 0x792e584479285c88d729d5f4b5ba04a4 (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "particle", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry particle at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x792e584479285c88 (1) eap: Finished EAP session with state 0x792e584479285c88 (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 7 length 6 (1) eap: EAP session adding &reply:State = 0x792e584478294188 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (1) EAP-Message = 0x010700061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x792e584478294188d729d5f4b5ba04a4 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273 (2) User-Name = "particle" (2) NAS-IP-Address = 192.168.1.38 (2) NAS-Identifier = "b4fbe4c348ab" (2) NAS-Port = 0 (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (2) Calling-Station-Id = "E0-4F-43-36-B1-F1" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (2) State = 0x792e584478294188d729d5f4b5ba04a4 (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "particle", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 7 length 96 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x792e584478294188 (2) eap: Finished EAP session with state 0x792e584478294188 (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes (2) eap_peap: Got complete TLS record (86 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0051] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 002a] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02f1] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 8 length 820 (2) eap: EAP session adding &reply:State = 0x792e58447b264188 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x792e58447b264188d729d5f4b5ba04a4 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547 (3) User-Name = "particle" (3) NAS-IP-Address = 192.168.1.38 (3) NAS-Identifier = "b4fbe4c348ab" (3) NAS-Port = 0 (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (3) Calling-Station-Id = "E0-4F-43-36-B1-F1" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67 (3) State = 0x792e58447b264188d729d5f4b5ba04a4 (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "particle", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 8 length 368 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x792e58447b264188 (3) eap: Finished EAP session with state 0x792e58447b264188 (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes (3) eap_peap: Got complete TLS record (358 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0106] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 9 length 97 (3) eap: EAP session adding &reply:State = 0x792e58447a274188 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x792e58447a274188d729d5f4b5ba04a4 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (4) User-Name = "particle" (4) NAS-IP-Address = 192.168.1.38 (4) NAS-Identifier = "b4fbe4c348ab" (4) NAS-Port = 0 (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (4) Calling-Station-Id = "E0-4F-43-36-B1-F1" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020900061900 (4) State = 0x792e58447a274188d729d5f4b5ba04a4 (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "particle", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 9 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x792e58447a274188 (4) eap: Finished EAP session with state 0x792e58447a274188 (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 10 length 75 (4) eap: EAP session adding &reply:State = 0x792e58447d244188 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x792e58447d244188d729d5f4b5ba04a4 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (5) User-Name = "particle" (5) NAS-IP-Address = 192.168.1.38 (5) NAS-Identifier = "b4fbe4c348ab" (5) NAS-Port = 0 (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (5) Calling-Station-Id = "E0-4F-43-36-B1-F1" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7 (5) State = 0x792e58447d244188d729d5f4b5ba04a4 (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 75 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x792e58447d244188 (5) eap: Finished EAP session with state 0x792e58447d244188 (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - particle (5) eap_peap: Got inner identity 'particle' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: Setting User-Name to particle (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "particle" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020a000d017061727469636c65 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "particle" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 13 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 43 (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 107 (5) eap: EAP session adding &reply:State = 0x792e58447c254188 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x792e58447c254188d729d5f4b5ba04a4 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300 (6) User-Name = "particle" (6) NAS-IP-Address = 192.168.1.38 (6) NAS-Identifier = "b4fbe4c348ab" (6) NAS-Port = 0 (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (6) Calling-Station-Id = "E0-4F-43-36-B1-F1" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818 (6) State = 0x792e58447c254188d729d5f4b5ba04a4 (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 123 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x792e58447c254188 (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method MSCHAPv2 (26) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: Setting User-Name to particle (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "particle" (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 67 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry particle at line 1 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x9ed5137a9ede0992 (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 11 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> particle (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) EAP-Message = 0x040b0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 12 length 75 (6) eap: EAP session adding &reply:State = 0x792e58447f224188 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) session-state: Saving cached attributes (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x792e58447f224188d729d5f4b5ba04a4 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (7) User-Name = "particle" (7) NAS-IP-Address = 192.168.1.38 (7) NAS-Identifier = "b4fbe4c348ab" (7) NAS-Port = 0 (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (7) Calling-Station-Id = "E0-4F-43-36-B1-F1" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea (7) State = 0x792e58447f224188d729d5f4b5ba04a4 (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7 (7) Restoring &session-state (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "particle", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 12 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x792e58447f224188 (7) eap: Finished EAP session with state 0x792e58447f224188 (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 12 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> particle (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44 (7) EAP-Message = 0x040c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 37 with timestamp +37 (1) Cleaning up request packet ID 38 with timestamp +37 (2) Cleaning up request packet ID 39 with timestamp +37 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 40 with timestamp +37 (4) Cleaning up request packet ID 41 with timestamp +37 (5) Cleaning up request packet ID 42 with timestamp +37 (6) Cleaning up request packet ID 43 with timestamp +37 (7) Cleaning up request packet ID 44 with timestamp +37 Thanks in advance for any help. Will wjsteen@talktalk.net
On Mon, 2019-05-20 at 09:45 +0100, william steen via Freeradius-Users wrote:
Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect
i.e. the password is wrong
which comes after a WARNING: Auth-Type already set. Not setting to PAP?
That's fine - it's telling you that something else (in this case the eap module) already set Auth-Type.
(6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd2000000000000000 05984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6)
...
(6) files: users: Matched entry particle at line 1 (6) [files] = ok
Does the password in the users file on line 1 exactly match what you're sending? You could add a call to debug_control here to check that Cleartext- Password is correctly set.
(6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop
Set by...
(6) } # authorize = updated (6) Found Auth-Type = eap
...eap.
(6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect
So Cleartext-Password is set, which pretty much means that the passwords don't match. Try with eapol_test and see if that works? If that works OK then there's an issue with the device you're trying to connect. -- Matthew
hello. you must use the attribute ntpassword. that's why mschap protocol is a standard microsoft and it works only using this password type. Atenciosamente. Manoel Bezerra da Costa Neto Analista de infraestruta em Redes de Computadores. Em seg, 20 de mai de 2019 às 05:46, william steen via Freeradius-Users < freeradius-users@lists.freeradius.org> escreveu:
First time using freeradius, attempting to setup freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received.
Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect which comes after a WARNING: Auth-Type already set. Not setting to PAP?
FreeRADIUS Version 3.0.12
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Ready to process requests
Below is what debug output when trying to connect to the WAP.
(0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172 (0) User-Name = "particle" (0) NAS-IP-Address = 192.168.1.38 (0) NAS-Identifier = "b4fbe4c348ab" (0) NAS-Port = 0 (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (0) Calling-Station-Id = "E0-4F-43-36-B1-F1" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0205000d017061727469636c65 (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "particle", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 13 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 6 length 22 (0) eap: EAP session adding &reply:State = 0x792e584479285c88 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x792e584479285c88d729d5f4b5ba04a4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (1) User-Name = "particle" (1) NAS-IP-Address = 192.168.1.38 (1) NAS-Identifier = "b4fbe4c348ab" (1) NAS-Port = 0 (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (1) Calling-Station-Id = "E0-4F-43-36-B1-F1" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020600060319 (1) State = 0x792e584479285c88d729d5f4b5ba04a4 (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "particle", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry particle at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x792e584479285c88 (1) eap: Finished EAP session with state 0x792e584479285c88 (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 7 length 6 (1) eap: EAP session adding &reply:State = 0x792e584478294188 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (1) EAP-Message = 0x010700061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x792e584478294188d729d5f4b5ba04a4 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273 (2) User-Name = "particle" (2) NAS-IP-Address = 192.168.1.38 (2) NAS-Identifier = "b4fbe4c348ab" (2) NAS-Port = 0 (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (2) Calling-Station-Id = "E0-4F-43-36-B1-F1" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (2) State = 0x792e584478294188d729d5f4b5ba04a4 (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "particle", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 7 length 96 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x792e584478294188 (2) eap: Finished EAP session with state 0x792e584478294188 (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes (2) eap_peap: Got complete TLS record (86 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0051] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 002a] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02f1] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 8 length 820 (2) eap: EAP session adding &reply:State = 0x792e58447b264188 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x792e58447b264188d729d5f4b5ba04a4 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547 (3) User-Name = "particle" (3) NAS-IP-Address = 192.168.1.38 (3) NAS-Identifier = "b4fbe4c348ab" (3) NAS-Port = 0 (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (3) Calling-Station-Id = "E0-4F-43-36-B1-F1" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67 (3) State = 0x792e58447b264188d729d5f4b5ba04a4 (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "particle", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 8 length 368 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x792e58447b264188 (3) eap: Finished EAP session with state 0x792e58447b264188 (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes (3) eap_peap: Got complete TLS record (358 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0106] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 9 length 97 (3) eap: EAP session adding &reply:State = 0x792e58447a274188 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x792e58447a274188d729d5f4b5ba04a4 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (4) User-Name = "particle" (4) NAS-IP-Address = 192.168.1.38 (4) NAS-Identifier = "b4fbe4c348ab" (4) NAS-Port = 0 (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (4) Calling-Station-Id = "E0-4F-43-36-B1-F1" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020900061900 (4) State = 0x792e58447a274188d729d5f4b5ba04a4 (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "particle", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 9 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x792e58447a274188 (4) eap: Finished EAP session with state 0x792e58447a274188 (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 10 length 75 (4) eap: EAP session adding &reply:State = 0x792e58447d244188 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x792e58447d244188d729d5f4b5ba04a4 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (5) User-Name = "particle" (5) NAS-IP-Address = 192.168.1.38 (5) NAS-Identifier = "b4fbe4c348ab" (5) NAS-Port = 0 (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (5) Calling-Station-Id = "E0-4F-43-36-B1-F1" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7 (5) State = 0x792e58447d244188d729d5f4b5ba04a4 (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 75 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x792e58447d244188 (5) eap: Finished EAP session with state 0x792e58447d244188 (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - particle (5) eap_peap: Got inner identity 'particle' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: Setting User-Name to particle (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "particle" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020a000d017061727469636c65 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "particle" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 13 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 43 (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 107 (5) eap: EAP session adding &reply:State = 0x792e58447c254188 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x792e58447c254188d729d5f4b5ba04a4 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300 (6) User-Name = "particle" (6) NAS-IP-Address = 192.168.1.38 (6) NAS-Identifier = "b4fbe4c348ab" (6) NAS-Port = 0 (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (6) Calling-Station-Id = "E0-4F-43-36-B1-F1" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818 (6) State = 0x792e58447c254188d729d5f4b5ba04a4 (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 123 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x792e58447c254188 (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method MSCHAPv2 (26) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: Setting User-Name to particle (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "particle" (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 67 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry particle at line 1 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x9ed5137a9ede0992 (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 11 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> particle (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) EAP-Message = 0x040b0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 12 length 75 (6) eap: EAP session adding &reply:State = 0x792e58447f224188 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) session-state: Saving cached attributes (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x792e58447f224188d729d5f4b5ba04a4 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (7) User-Name = "particle" (7) NAS-IP-Address = 192.168.1.38 (7) NAS-Identifier = "b4fbe4c348ab" (7) NAS-Port = 0 (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (7) Calling-Station-Id = "E0-4F-43-36-B1-F1" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea (7) State = 0x792e58447f224188d729d5f4b5ba04a4 (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7 (7) Restoring &session-state (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "particle", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 12 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x792e58447f224188 (7) eap: Finished EAP session with state 0x792e58447f224188 (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 12 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> particle (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44 (7) EAP-Message = 0x040c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 37 with timestamp +37 (1) Cleaning up request packet ID 38 with timestamp +37 (2) Cleaning up request packet ID 39 with timestamp +37 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 40 with timestamp +37 (4) Cleaning up request packet ID 41 with timestamp +37 (5) Cleaning up request packet ID 42 with timestamp +37 (6) Cleaning up request packet ID 43 with timestamp +37 (7) Cleaning up request packet ID 44 with timestamp +37
Thanks in advance for any help.
Will
wjsteen@talktalk.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 20, 2019, at 1:15 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
hello. you must use the attribute ntpassword. that's why mschap protocol is a standard microsoft and it works only using this password type.
You can use Cleartext-Password, too. See: http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
but it is not advisable to store clear text passwords Atenciosamente. Manoel Bezerra da Costa Neto Analista de infraestruta em Redes de Computadores. Em seg, 20 de mai de 2019 às 14:18, Alan DeKok <aland@deployingradius.com> escreveu:
On May 20, 2019, at 1:15 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
hello. you must use the attribute ntpassword. that's why mschap protocol is a standard microsoft and it works only using this password type.
You can use Cleartext-Password, too. See:
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 20, 2019, at 1:20 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
but it is not advisable to store clear text passwords
It's 2019. NT hashed passwords are entirely equivalent to clear text passwords. Thinking otherwise is just security theatre. Among other references: https://www.theregister.co.uk/2019/02/14/password_length/ "Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs" Use *real* security. Not fake security. Alan DeKok.
So, do you suggest using/storage clear-text instead ntpassword? Atenciosamente. Manoel Bezerra da Costa Neto Analista de infraestruta em Redes de Computadores. Em seg, 20 de mai de 2019 às 14:24, Alan DeKok <aland@deployingradius.com> escreveu:
On May 20, 2019, at 1:20 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
but it is not advisable to store clear text passwords
It's 2019. NT hashed passwords are entirely equivalent to clear text passwords. Thinking otherwise is just security theatre.
Among other references:
https://www.theregister.co.uk/2019/02/14/password_length/
"Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs"
Use *real* security. Not fake security.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 20, 2019, at 1:37 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
So, do you suggest using/storage clear-text instead ntpassword?
My messages (and my suggestions) were pretty clear to anyone willing to read them. There's no need for you to (a) give wrong advice, (b) be argumentative, and (c) ask leading questions about what I'm suggesting. You're working hard to being a problem. Stop it. Alan DeKok.
Sorry man! Atenciosamente. Manoel Bezerra da Costa Neto Analista de infraestruta em Redes de Computadores. Em seg, 20 de mai de 2019 às 15:13, Alan DeKok <aland@deployingradius.com> escreveu:
On May 20, 2019, at 1:37 PM, Manoel bezerra <maneo.ufrn@gmail.com> wrote:
So, do you suggest using/storage clear-text instead ntpassword?
My messages (and my suggestions) were pretty clear to anyone willing to read them.
There's no need for you to (a) give wrong advice, (b) be argumentative, and (c) ask leading questions about what I'm suggesting.
You're working hard to being a problem. Stop it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matthew Thank you for the observations. Mea cupla - the password was wrong. Having corrected that I am getting a WICED 1064 error back on the device which I believe means EAPOL_KEY_FAILURE. I am really struggling the read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working in fact I see at the end SUCCESS - so is this a device issue? (36) Received Access-Request Id 208 from 192.168.1.38:55602 to 192.168.1.33:1812 length 174 (36) User-Name = "anonymous" (36) NAS-IP-Address = 192.168.1.38 (36) NAS-Identifier = "b4fbe4c348ab" (36) NAS-Port = 0 (36) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (36) Calling-Station-Id = "E0-4F-43-36-B1-F1" (36) Framed-MTU = 1400 (36) NAS-Port-Type = Wireless-802.11 (36) Connect-Info = "CONNECT 0Mbps 802.11b" (36) EAP-Message = 0x02b5000e01616e6f6e796d6f7573 (36) Message-Authenticator = 0x25509f16a2da40b886f964a9fb289b2a (36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (36) authorize { (36) policy filter_username { (36) if (&User-Name) { (36) if (&User-Name) -> TRUE (36) if (&User-Name) { (36) if (&User-Name =~ / /) { (36) if (&User-Name =~ / /) -> FALSE (36) if (&User-Name =~ /@[^@]*@/ ) { (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (36) if (&User-Name =~ /\.\./ ) { (36) if (&User-Name =~ /\.\./ ) -> FALSE (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (36) if (&User-Name =~ /\.$/) { (36) if (&User-Name =~ /\.$/) -> FALSE (36) if (&User-Name =~ /@\./) { (36) if (&User-Name =~ /@\./) -> FALSE (36) } # if (&User-Name) = notfound (36) } # policy filter_username = notfound (36) [preprocess] = ok (36) [chap] = noop (36) [mschap] = noop (36) [digest] = noop (36) suffix: Checking for suffix after "@" (36) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (36) suffix: No such realm "NULL" (36) [suffix] = noop (36) eap: Peer sent EAP Response (code 2) ID 181 length 14 (36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (36) [eap] = ok (36) } # authorize = ok (36) Found Auth-Type = eap (36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (36) authenticate { (36) eap: Peer sent packet with method EAP Identity (1) (36) eap: Calling submodule eap_md5 to process data (36) eap_md5: Issuing MD5 Challenge (36) eap: Sending EAP Request (code 1) ID 182 length 22 (36) eap: EAP session adding &reply:State = 0x2a8581bd2a3385df (36) [eap] = handled (36) } # authenticate = handled (36) Using Post-Auth-Type Challenge (36) Post-Auth-Type sub-section not found. Ignoring. (36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (36) Sent Access-Challenge Id 208 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (36) EAP-Message = 0x01b600160410ff129213cf36dc9899010133da42091f (36) Message-Authenticator = 0x00000000000000000000000000000000 (36) State = 0x2a8581bd2a3385df1e814808369ac970 (36) Finished request Waking up in 4.9 seconds. (37) Received Access-Request Id 209 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184 (37) User-Name = "anonymous" (37) NAS-IP-Address = 192.168.1.38 (37) NAS-Identifier = "b4fbe4c348ab" (37) NAS-Port = 0 (37) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (37) Calling-Station-Id = "E0-4F-43-36-B1-F1" (37) Framed-MTU = 1400 (37) NAS-Port-Type = Wireless-802.11 (37) Connect-Info = "CONNECT 0Mbps 802.11b" (37) EAP-Message = 0x02b600060319 (37) State = 0x2a8581bd2a3385df1e814808369ac970 (37) Message-Authenticator = 0x8119d40b649a68faa58453efa4c195eb (37) session-state: No cached attributes (37) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (37) authorize { (37) policy filter_username { (37) if (&User-Name) { (37) if (&User-Name) -> TRUE (37) if (&User-Name) { (37) if (&User-Name =~ / /) { (37) if (&User-Name =~ / /) -> FALSE (37) if (&User-Name =~ /@[^@]*@/ ) { (37) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (37) if (&User-Name =~ /\.\./ ) { (37) if (&User-Name =~ /\.\./ ) -> FALSE (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (37) if (&User-Name =~ /\.$/) { (37) if (&User-Name =~ /\.$/) -> FALSE (37) if (&User-Name =~ /@\./) { (37) if (&User-Name =~ /@\./) -> FALSE (37) } # if (&User-Name) = notfound (37) } # policy filter_username = notfound (37) [preprocess] = ok (37) [chap] = noop (37) [mschap] = noop (37) [digest] = noop (37) suffix: Checking for suffix after "@" (37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (37) suffix: No such realm "NULL" (37) [suffix] = noop (37) eap: Peer sent EAP Response (code 2) ID 182 length 6 (37) eap: No EAP Start, assuming it's an on-going EAP conversation (37) [eap] = updated (37) [files] = noop (37) [expiration] = noop (37) [logintime] = noop (37) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (37) pap: WARNING: Authentication will fail unless a "known good" password is available (37) [pap] = noop (37) } # authorize = updated (37) Found Auth-Type = eap (37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (37) authenticate { (37) eap: Expiring EAP session with state 0x2a8581bd2a3385df (37) eap: Finished EAP session with state 0x2a8581bd2a3385df (37) eap: Previous EAP request found for state 0x2a8581bd2a3385df, released from the list (37) eap: Peer sent packet with method EAP NAK (3) (37) eap: Found mutually acceptable type PEAP (25) (37) eap: Calling submodule eap_peap to process data (37) eap_peap: Initiating new EAP-TLS session (37) eap_peap: [eaptls start] = request (37) eap: Sending EAP Request (code 1) ID 183 length 6 (37) eap: EAP session adding &reply:State = 0x2a8581bd2b3298df (37) [eap] = handled (37) } # authenticate = handled (37) Using Post-Auth-Type Challenge (37) Post-Auth-Type sub-section not found. Ignoring. (37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (37) Sent Access-Challenge Id 209 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (37) EAP-Message = 0x01b700061920 (37) Message-Authenticator = 0x00000000000000000000000000000000 (37) State = 0x2a8581bd2b3298df1e814808369ac970 (37) Finished request Waking up in 4.9 seconds. (38) Received Access-Request Id 210 from 192.168.1.38:55602 to 192.168.1.33:1812 length 274 (38) User-Name = "anonymous" (38) NAS-IP-Address = 192.168.1.38 (38) NAS-Identifier = "b4fbe4c348ab" (38) NAS-Port = 0 (38) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (38) Calling-Station-Id = "E0-4F-43-36-B1-F1" (38) Framed-MTU = 1400 (38) NAS-Port-Type = Wireless-802.11 (38) Connect-Info = "CONNECT 0Mbps 802.11b" (38) EAP-Message = 0x02b7006019800000005616030300510100004d0303000000281cdc9b2252c07aa2864276d5d684b9f771cff5a17b5c280169d1bf8a000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (38) State = 0x2a8581bd2b3298df1e814808369ac970 (38) Message-Authenticator = 0xb616b97bb086ec34a2c8ef9911d0ea09 (38) session-state: No cached attributes (38) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (38) authorize { (38) policy filter_username { (38) if (&User-Name) { (38) if (&User-Name) -> TRUE (38) if (&User-Name) { (38) if (&User-Name =~ / /) { (38) if (&User-Name =~ / /) -> FALSE (38) if (&User-Name =~ /@[^@]*@/ ) { (38) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (38) if (&User-Name =~ /\.\./ ) { (38) if (&User-Name =~ /\.\./ ) -> FALSE (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (38) if (&User-Name =~ /\.$/) { (38) if (&User-Name =~ /\.$/) -> FALSE (38) if (&User-Name =~ /@\./) { (38) if (&User-Name =~ /@\./) -> FALSE (38) } # if (&User-Name) = notfound (38) } # policy filter_username = notfound (38) [preprocess] = ok (38) [chap] = noop (38) [mschap] = noop (38) [digest] = noop (38) suffix: Checking for suffix after "@" (38) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (38) suffix: No such realm "NULL" (38) [suffix] = noop (38) eap: Peer sent EAP Response (code 2) ID 183 length 96 (38) eap: Continuing tunnel setup (38) [eap] = ok (38) } # authorize = ok (38) Found Auth-Type = eap (38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (38) authenticate { (38) eap: Expiring EAP session with state 0x2a8581bd2b3298df (38) eap: Finished EAP session with state 0x2a8581bd2b3298df (38) eap: Previous EAP request found for state 0x2a8581bd2b3298df, released from the list (38) eap: Peer sent packet with method EAP PEAP (25) (38) eap: Calling submodule eap_peap to process data (38) eap_peap: Continuing EAP-TLS (38) eap_peap: Peer indicated complete TLS record size will be 86 bytes (38) eap_peap: Got complete TLS record (86 bytes) (38) eap_peap: [eaptls verify] = length included (38) eap_peap: (other): before SSL initialization (38) eap_peap: TLS_accept: before SSL initialization (38) eap_peap: TLS_accept: before SSL initialization (38) eap_peap: <<< recv TLS 1.2 [length 0051] (38) eap_peap: TLS_accept: SSLv3/TLS read client hello (38) eap_peap: >>> send TLS 1.2 [length 002a] (38) eap_peap: TLS_accept: SSLv3/TLS write server hello (38) eap_peap: >>> send TLS 1.2 [length 02f1] (38) eap_peap: TLS_accept: SSLv3/TLS write certificate (38) eap_peap: >>> send TLS 1.2 [length 0004] (38) eap_peap: TLS_accept: SSLv3/TLS write server done (38) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (38) eap_peap: In SSL Handshake Phase (38) eap_peap: In SSL Accept mode (38) eap_peap: [eaptls process] = handled (38) eap: Sending EAP Request (code 1) ID 184 length 820 (38) eap: EAP session adding &reply:State = 0x2a8581bd283d98df (38) [eap] = handled (38) } # authenticate = handled (38) Using Post-Auth-Type Challenge (38) Post-Auth-Type sub-section not found. Ignoring. (38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (38) Sent Access-Challenge Id 210 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (38) EAP-Message = 0x01b803341900160303002a020000260303cf3c4b0e5ed60e104aad4ed9b51fb76b9896b63ef4a31d3e772041f6e35b257200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (38) Message-Authenticator = 0x00000000000000000000000000000000 (38) State = 0x2a8581bd283d98df1e814808369ac970 (38) Finished request Waking up in 4.9 seconds. (39) Received Access-Request Id 211 from 192.168.1.38:55602 to 192.168.1.33:1812 length 548 (39) User-Name = "anonymous" (39) NAS-IP-Address = 192.168.1.38 (39) NAS-Identifier = "b4fbe4c348ab" (39) NAS-Port = 0 (39) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (39) Calling-Station-Id = "E0-4F-43-36-B1-F1" (39) Framed-MTU = 1400 (39) NAS-Port-Type = Wireless-802.11 (39) Connect-Info = "CONNECT 0Mbps 802.11b" (39) EAP-Message = 0x02b80170198000000166160303010610000102010071e19621b125c24ad8dad747ca68b5f71eedd73d928788b92dcffb97d102f453587e37ecc1fa3d8fd8b80b6db2ef5bb91b0452e39652df4324e7251c3ca8401dc5d7565b8b87187452af469f979e0f7e89441a02251a4da163c0cd6fcd7faa357fac (39) State = 0x2a8581bd283d98df1e814808369ac970 (39) Message-Authenticator = 0x04bed256ea91148ae84b66643a916080 (39) session-state: No cached attributes (39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (39) authorize { (39) policy filter_username { (39) if (&User-Name) { (39) if (&User-Name) -> TRUE (39) if (&User-Name) { (39) if (&User-Name =~ / /) { (39) if (&User-Name =~ / /) -> FALSE (39) if (&User-Name =~ /@[^@]*@/ ) { (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (39) if (&User-Name =~ /\.\./ ) { (39) if (&User-Name =~ /\.\./ ) -> FALSE (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (39) if (&User-Name =~ /\.$/) { (39) if (&User-Name =~ /\.$/) -> FALSE (39) if (&User-Name =~ /@\./) { (39) if (&User-Name =~ /@\./) -> FALSE (39) } # if (&User-Name) = notfound (39) } # policy filter_username = notfound (39) [preprocess] = ok (39) [chap] = noop (39) [mschap] = noop (39) [digest] = noop (39) suffix: Checking for suffix after "@" (39) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (39) suffix: No such realm "NULL" (39) [suffix] = noop (39) eap: Peer sent EAP Response (code 2) ID 184 length 368 (39) eap: Continuing tunnel setup (39) [eap] = ok (39) } # authorize = ok (39) Found Auth-Type = eap (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) authenticate { (39) eap: Expiring EAP session with state 0x2a8581bd283d98df (39) eap: Finished EAP session with state 0x2a8581bd283d98df (39) eap: Previous EAP request found for state 0x2a8581bd283d98df, released from the list (39) eap: Peer sent packet with method EAP PEAP (25) (39) eap: Calling submodule eap_peap to process data (39) eap_peap: Continuing EAP-TLS (39) eap_peap: Peer indicated complete TLS record size will be 358 bytes (39) eap_peap: Got complete TLS record (358 bytes) (39) eap_peap: [eaptls verify] = length included (39) eap_peap: TLS_accept: SSLv3/TLS write server done (39) eap_peap: <<< recv TLS 1.2 [length 0106] (39) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (39) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (39) eap_peap: <<< recv TLS 1.2 [length 0010] (39) eap_peap: TLS_accept: SSLv3/TLS read finished (39) eap_peap: >>> send TLS 1.2 [length 0001] (39) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (39) eap_peap: >>> send TLS 1.2 [length 0010] (39) eap_peap: TLS_accept: SSLv3/TLS write finished (39) eap_peap: (other): SSL negotiation finished successfully (39) eap_peap: SSL Connection Established (39) eap_peap: [eaptls process] = handled (39) eap: Sending EAP Request (code 1) ID 185 length 97 (39) eap: EAP session adding &reply:State = 0x2a8581bd293c98df (39) [eap] = handled (39) } # authenticate = handled (39) Using Post-Auth-Type Challenge (39) Post-Auth-Type sub-section not found. Ignoring. (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) Sent Access-Challenge Id 211 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (39) EAP-Message = 0x01b9006119001403030001011603030050b0b0d9af69f459f35b4b47f71ed961ad39a4d03368daf9ae1b1438e2c5f6586f3396151c1e6d9b8d815db52d93a0b1df8be145d56c2a3dd6b1133e231ee64be468f9dafc1529bac1bb8da84d57fe81d0 (39) Message-Authenticator = 0x00000000000000000000000000000000 (39) State = 0x2a8581bd293c98df1e814808369ac970 (39) Finished request Waking up in 4.8 seconds. (40) Received Access-Request Id 212 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184 (40) User-Name = "anonymous" (40) NAS-IP-Address = 192.168.1.38 (40) NAS-Identifier = "b4fbe4c348ab" (40) NAS-Port = 0 (40) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (40) Calling-Station-Id = "E0-4F-43-36-B1-F1" (40) Framed-MTU = 1400 (40) NAS-Port-Type = Wireless-802.11 (40) Connect-Info = "CONNECT 0Mbps 802.11b" (40) EAP-Message = 0x02b900061900 (40) State = 0x2a8581bd293c98df1e814808369ac970 (40) Message-Authenticator = 0xe886a2afdad2cabad78f25fbe33d4914 (40) session-state: No cached attributes (40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (40) authorize { (40) policy filter_username { (40) if (&User-Name) { (40) if (&User-Name) -> TRUE (40) if (&User-Name) { (40) if (&User-Name =~ / /) { (40) if (&User-Name =~ / /) -> FALSE (40) if (&User-Name =~ /@[^@]*@/ ) { (40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (40) if (&User-Name =~ /\.\./ ) { (40) if (&User-Name =~ /\.\./ ) -> FALSE (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (40) if (&User-Name =~ /\.$/) { (40) if (&User-Name =~ /\.$/) -> FALSE (40) if (&User-Name =~ /@\./) { (40) if (&User-Name =~ /@\./) -> FALSE (40) } # if (&User-Name) = notfound (40) } # policy filter_username = notfound (40) [preprocess] = ok (40) [chap] = noop (40) [mschap] = noop (40) [digest] = noop (40) suffix: Checking for suffix after "@" (40) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (40) suffix: No such realm "NULL" (40) [suffix] = noop (40) eap: Peer sent EAP Response (code 2) ID 185 length 6 (40) eap: Continuing tunnel setup (40) [eap] = ok (40) } # authorize = ok (40) Found Auth-Type = eap (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) authenticate { (40) eap: Expiring EAP session with state 0x2a8581bd293c98df (40) eap: Finished EAP session with state 0x2a8581bd293c98df (40) eap: Previous EAP request found for state 0x2a8581bd293c98df, released from the list (40) eap: Peer sent packet with method EAP PEAP (25) (40) eap: Calling submodule eap_peap to process data (40) eap_peap: Continuing EAP-TLS (40) eap_peap: Peer ACKed our handshake fragment. handshake is finished (40) eap_peap: [eaptls verify] = success (40) eap_peap: [eaptls process] = success (40) eap_peap: Session established. Decoding tunneled attributes (40) eap_peap: PEAP state TUNNEL ESTABLISHED (40) eap: Sending EAP Request (code 1) ID 186 length 75 (40) eap: EAP session adding &reply:State = 0x2a8581bd2e3f98df (40) [eap] = handled (40) } # authenticate = handled (40) Using Post-Auth-Type Challenge (40) Post-Auth-Type sub-section not found. Ignoring. (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) Sent Access-Challenge Id 212 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (40) EAP-Message = 0x01ba004b1900170303004050c7ff5a029d65ebb5f58ad75a43ea64eac1cd728a20be159fe3b332033e212a25fff20cf216db3542a33712cec541299cc1be4e818a681e6170a7ef0f0b36fd (40) Message-Authenticator = 0x00000000000000000000000000000000 (40) State = 0x2a8581bd2e3f98df1e814808369ac970 (40) Finished request Waking up in 4.7 seconds. (41) Received Access-Request Id 213 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253 (41) User-Name = "anonymous" (41) NAS-IP-Address = 192.168.1.38 (41) NAS-Identifier = "b4fbe4c348ab" (41) NAS-Port = 0 (41) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (41) Calling-Station-Id = "E0-4F-43-36-B1-F1" (41) Framed-MTU = 1400 (41) NAS-Port-Type = Wireless-802.11 (41) Connect-Info = "CONNECT 0Mbps 802.11b" (41) EAP-Message = 0x02ba004b190017030300400afc0335cdebda0b8aedef718917f7a9266c20e51e93d29843d1d72b4692f912508ecd700311673ed582be464091945f62ecef71c226614b11d7520ed1411b3e (41) State = 0x2a8581bd2e3f98df1e814808369ac970 (41) Message-Authenticator = 0x9fb73be30fe0f94516f4b1eb6ca07baf (41) session-state: No cached attributes (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [preprocess] = ok (41) [chap] = noop (41) [mschap] = noop (41) [digest] = noop (41) suffix: Checking for suffix after "@" (41) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (41) suffix: No such realm "NULL" (41) [suffix] = noop (41) eap: Peer sent EAP Response (code 2) ID 186 length 75 (41) eap: Continuing tunnel setup (41) [eap] = ok (41) } # authorize = ok (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) authenticate { (41) eap: Expiring EAP session with state 0x2a8581bd2e3f98df (41) eap: Finished EAP session with state 0x2a8581bd2e3f98df (41) eap: Previous EAP request found for state 0x2a8581bd2e3f98df, released from the list (41) eap: Peer sent packet with method EAP PEAP (25) (41) eap: Calling submodule eap_peap to process data (41) eap_peap: Continuing EAP-TLS (41) eap_peap: [eaptls verify] = ok (41) eap_peap: Done initial handshake (41) eap_peap: [eaptls process] = ok (41) eap_peap: Session established. Decoding tunneled attributes (41) eap_peap: PEAP state WAITING FOR INNER IDENTITY (41) eap_peap: Identity - particle (41) eap_peap: Got inner identity 'particle' (41) eap_peap: Setting default EAP type for tunneled EAP session (41) eap_peap: Got tunneled request (41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65 (41) eap_peap: Setting User-Name to particle (41) eap_peap: Sending tunneled request to inner-tunnel (41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65 (41) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (41) eap_peap: User-Name = "particle" (41) Virtual server inner-tunnel received request (41) EAP-Message = 0x02ba000d017061727469636c65 (41) FreeRADIUS-Proxied-To = 127.0.0.1 (41) User-Name = "particle" (41) server inner-tunnel { (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [chap] = noop (41) [mschap] = noop (41) suffix: Checking for suffix after "@" (41) suffix: No '@' in User-Name = "particle", looking up realm NULL (41) suffix: No such realm "NULL" (41) [suffix] = noop (41) update control { (41) &Proxy-To-Realm := LOCAL (41) } # update control = noop (41) eap: Peer sent EAP Response (code 2) ID 186 length 13 (41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (41) [eap] = ok (41) } # authorize = ok (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (41) authenticate { (41) eap: Peer sent packet with method EAP Identity (1) (41) eap: Calling submodule eap_mschapv2 to process data (41) eap_mschapv2: Issuing Challenge (41) eap: Sending EAP Request (code 1) ID 187 length 43 (41) eap: EAP session adding &reply:State = 0xc826a0d6c89dba78 (41) [eap] = handled (41) } # authenticate = handled (41) } # server inner-tunnel (41) Virtual server sending reply (41) EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled reply code 11 (41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled reply RADIUS code 11 (41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled Access-Challenge (41) eap: Sending EAP Request (code 1) ID 187 length 107 (41) eap: EAP session adding &reply:State = 0x2a8581bd2f3e98df (41) [eap] = handled (41) } # authenticate = handled (41) Using Post-Auth-Type Challenge (41) Post-Auth-Type sub-section not found. Ignoring. (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Sent Access-Challenge Id 213 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (41) EAP-Message = 0x01bb006b1900170303006079feffc6710fc43792c394a4889d930fe8c6c16d764af16d1d3976d6e621e36843745d0bffc55524283b9bd53ea806ced6df2dbbdde549e3e5cc38979d5cb49ad0da91db6f806722c0e8a4d302d8271e25e76be953888bdd43cae59c2735c288 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0x2a8581bd2f3e98df1e814808369ac970 (41) Finished request Waking up in 4.7 seconds. (42) Received Access-Request Id 214 from 192.168.1.38:55602 to 192.168.1.33:1812 length 301 (42) User-Name = "anonymous" (42) NAS-IP-Address = 192.168.1.38 (42) NAS-Identifier = "b4fbe4c348ab" (42) NAS-Port = 0 (42) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (42) Calling-Station-Id = "E0-4F-43-36-B1-F1" (42) Framed-MTU = 1400 (42) NAS-Port-Type = Wireless-802.11 (42) Connect-Info = "CONNECT 0Mbps 802.11b" (42) EAP-Message = 0x02bb007b190017030300700afc0335cdebda0b8aedef718917f7a9c3609e53fed2947c5461a170ad04e646ead20718e53d64b3e64bfa32cbc4920565fd84e50ee59a599ef81f5b234f495ceb2429aed13228f79886d1231139863a94e38688d4bf00844977159f1ab54839398774564992f36bdca50f16 (42) State = 0x2a8581bd2f3e98df1e814808369ac970 (42) Message-Authenticator = 0x03cd878b5c6e2070f2fe065228980db3 (42) session-state: No cached attributes (42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (42) authorize { (42) policy filter_username { (42) if (&User-Name) { (42) if (&User-Name) -> TRUE (42) if (&User-Name) { (42) if (&User-Name =~ / /) { (42) if (&User-Name =~ / /) -> FALSE (42) if (&User-Name =~ /@[^@]*@/ ) { (42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (42) if (&User-Name =~ /\.\./ ) { (42) if (&User-Name =~ /\.\./ ) -> FALSE (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (42) if (&User-Name =~ /\.$/) { (42) if (&User-Name =~ /\.$/) -> FALSE (42) if (&User-Name =~ /@\./) { (42) if (&User-Name =~ /@\./) -> FALSE (42) } # if (&User-Name) = notfound (42) } # policy filter_username = notfound (42) [preprocess] = ok (42) [chap] = noop (42) [mschap] = noop (42) [digest] = noop (42) suffix: Checking for suffix after "@" (42) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (42) suffix: No such realm "NULL" (42) [suffix] = noop (42) eap: Peer sent EAP Response (code 2) ID 187 length 123 (42) eap: Continuing tunnel setup (42) [eap] = ok (42) } # authorize = ok (42) Found Auth-Type = eap (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (42) authenticate { (42) eap: Expiring EAP session with state 0xc826a0d6c89dba78 (42) eap: Finished EAP session with state 0x2a8581bd2f3e98df (42) eap: Previous EAP request found for state 0x2a8581bd2f3e98df, released from the list (42) eap: Peer sent packet with method EAP PEAP (25) (42) eap: Calling submodule eap_peap to process data (42) eap_peap: Continuing EAP-TLS (42) eap_peap: [eaptls verify] = ok (42) eap_peap: Done initial handshake (42) eap_peap: [eaptls process] = ok (42) eap_peap: Session established. Decoding tunneled attributes (42) eap_peap: PEAP state phase2 (42) eap_peap: EAP method MSCHAPv2 (26) (42) eap_peap: Got tunneled request (42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) eap_peap: Setting User-Name to particle (42) eap_peap: Sending tunneled request to inner-tunnel (42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (42) eap_peap: User-Name = "particle" (42) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (42) Virtual server inner-tunnel received request (42) EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) FreeRADIUS-Proxied-To = 127.0.0.1 (42) User-Name = "particle" (42) State = 0xc826a0d6c89dba78a72f2090812f4b12 (42) server inner-tunnel { (42) session-state: No cached attributes (42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) authorize { (42) policy filter_username { (42) if (&User-Name) { (42) if (&User-Name) -> TRUE (42) if (&User-Name) { (42) if (&User-Name =~ / /) { (42) if (&User-Name =~ / /) -> FALSE (42) if (&User-Name =~ /@[^@]*@/ ) { (42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (42) if (&User-Name =~ /\.\./ ) { (42) if (&User-Name =~ /\.\./ ) -> FALSE (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (42) if (&User-Name =~ /\.$/) { (42) if (&User-Name =~ /\.$/) -> FALSE (42) if (&User-Name =~ /@\./) { (42) if (&User-Name =~ /@\./) -> FALSE (42) } # if (&User-Name) = notfound (42) } # policy filter_username = notfound (42) [chap] = noop (42) [mschap] = noop (42) suffix: Checking for suffix after "@" (42) suffix: No '@' in User-Name = "particle", looking up realm NULL (42) suffix: No such realm "NULL" (42) [suffix] = noop (42) update control { (42) &Proxy-To-Realm := LOCAL (42) } # update control = noop (42) eap: Peer sent EAP Response (code 2) ID 187 length 67 (42) eap: No EAP Start, assuming it's an on-going EAP conversation (42) [eap] = updated (42) files: users: Matched entry particle at line 1 (42) [files] = ok (42) [expiration] = noop (42) [logintime] = noop (42) pap: WARNING: Auth-Type already set. Not setting to PAP (42) [pap] = noop (42) } # authorize = updated (42) Found Auth-Type = eap (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) authenticate { (42) eap: Expiring EAP session with state 0xc826a0d6c89dba78 (42) eap: Finished EAP session with state 0xc826a0d6c89dba78 (42) eap: Previous EAP request found for state 0xc826a0d6c89dba78, released from the list (42) eap: Peer sent packet with method EAP MSCHAPv2 (26) (42) eap: Calling submodule eap_mschapv2 to process data (42) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) eap_mschapv2: authenticate { (42) mschap: Found Cleartext-Password, hashing to create NT-Password (42) mschap: Found Cleartext-Password, hashing to create LM-Password (42) mschap: Creating challenge hash with username: particle (42) mschap: Client is using MS-CHAPv2 (42) mschap: Adding MS-CHAPv2 MPPE keys (42) [mschap] = ok (42) } # authenticate = ok (42) MSCHAP Success (42) eap: Sending EAP Request (code 1) ID 188 length 51 (42) eap: EAP session adding &reply:State = 0xc826a0d6c99aba78 (42) [eap] = handled (42) } # authenticate = handled (42) } # server inner-tunnel (42) Virtual server sending reply (42) EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) Message-Authenticator = 0x00000000000000000000000000000000 (42) State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled reply code 11 (42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled reply RADIUS code 11 (42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled Access-Challenge (42) eap: Sending EAP Request (code 1) ID 188 length 107 (42) eap: EAP session adding &reply:State = 0x2a8581bd2c3998df (42) [eap] = handled (42) } # authenticate = handled (42) Using Post-Auth-Type Challenge (42) Post-Auth-Type sub-section not found. Ignoring. (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (42) Sent Access-Challenge Id 214 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (42) EAP-Message = 0x01bc006b19001703030060b9f4e0a42efec0bee4d249cc360bda244ef5eb4368b4b4f327f7a7f7576312b11aae4a061cc97e76ec3e4c0e9082190d0bc9a581a909759c1c2baf22bb29c97fc63d71bd9b875c4bddb657eaa082997f34f48f5fce577bf5132ae26e47af86da (42) Message-Authenticator = 0x00000000000000000000000000000000 (42) State = 0x2a8581bd2c3998df1e814808369ac970 (42) Finished request Waking up in 4.7 seconds. (43) Received Access-Request Id 215 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253 (43) User-Name = "anonymous" (43) NAS-IP-Address = 192.168.1.38 (43) NAS-Identifier = "b4fbe4c348ab" (43) NAS-Port = 0 (43) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (43) Calling-Station-Id = "E0-4F-43-36-B1-F1" (43) Framed-MTU = 1400 (43) NAS-Port-Type = Wireless-802.11 (43) Connect-Info = "CONNECT 0Mbps 802.11b" (43) EAP-Message = 0x02bc004b190017030300400afc0335cdebda0b8aedef718917f7a9b9754affb9dde8383a0f060aa61ccd734c8dbe21fb029818558ea1f8df0577fb7e74b2b1209df846f6fc5555f5161caf (43) State = 0x2a8581bd2c3998df1e814808369ac970 (43) Message-Authenticator = 0xbf55ee3fc671fa161a966a884ed075db (43) session-state: No cached attributes (43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (43) authorize { (43) policy filter_username { (43) if (&User-Name) { (43) if (&User-Name) -> TRUE (43) if (&User-Name) { (43) if (&User-Name =~ / /) { (43) if (&User-Name =~ / /) -> FALSE (43) if (&User-Name =~ /@[^@]*@/ ) { (43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (43) if (&User-Name =~ /\.\./ ) { (43) if (&User-Name =~ /\.\./ ) -> FALSE (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (43) if (&User-Name =~ /\.$/) { (43) if (&User-Name =~ /\.$/) -> FALSE (43) if (&User-Name =~ /@\./) { (43) if (&User-Name =~ /@\./) -> FALSE (43) } # if (&User-Name) = notfound (43) } # policy filter_username = notfound (43) [preprocess] = ok (43) [chap] = noop (43) [mschap] = noop (43) [digest] = noop (43) suffix: Checking for suffix after "@" (43) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (43) suffix: No such realm "NULL" (43) [suffix] = noop (43) eap: Peer sent EAP Response (code 2) ID 188 length 75 (43) eap: Continuing tunnel setup (43) [eap] = ok (43) } # authorize = ok (43) Found Auth-Type = eap (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (43) authenticate { (43) eap: Expiring EAP session with state 0xc826a0d6c99aba78 (43) eap: Finished EAP session with state 0x2a8581bd2c3998df (43) eap: Previous EAP request found for state 0x2a8581bd2c3998df, released from the list (43) eap: Peer sent packet with method EAP PEAP (25) (43) eap: Calling submodule eap_peap to process data (43) eap_peap: Continuing EAP-TLS (43) eap_peap: [eaptls verify] = ok (43) eap_peap: Done initial handshake (43) eap_peap: [eaptls process] = ok (43) eap_peap: Session established. Decoding tunneled attributes (43) eap_peap: PEAP state phase2 (43) eap_peap: EAP method MSCHAPv2 (26) (43) eap_peap: Got tunneled request (43) eap_peap: EAP-Message = 0x02bc00061a03 (43) eap_peap: Setting User-Name to particle (43) eap_peap: Sending tunneled request to inner-tunnel (43) eap_peap: EAP-Message = 0x02bc00061a03 (43) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (43) eap_peap: User-Name = "particle" (43) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (43) Virtual server inner-tunnel received request (43) EAP-Message = 0x02bc00061a03 (43) FreeRADIUS-Proxied-To = 127.0.0.1 (43) User-Name = "particle" (43) State = 0xc826a0d6c99aba78a72f2090812f4b12 (43) server inner-tunnel { (43) session-state: No cached attributes (43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) authorize { (43) policy filter_username { (43) if (&User-Name) { (43) if (&User-Name) -> TRUE (43) if (&User-Name) { (43) if (&User-Name =~ / /) { (43) if (&User-Name =~ / /) -> FALSE (43) if (&User-Name =~ /@[^@]*@/ ) { (43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (43) if (&User-Name =~ /\.\./ ) { (43) if (&User-Name =~ /\.\./ ) -> FALSE (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (43) if (&User-Name =~ /\.$/) { (43) if (&User-Name =~ /\.$/) -> FALSE (43) if (&User-Name =~ /@\./) { (43) if (&User-Name =~ /@\./) -> FALSE (43) } # if (&User-Name) = notfound (43) } # policy filter_username = notfound (43) [chap] = noop (43) [mschap] = noop (43) suffix: Checking for suffix after "@" (43) suffix: No '@' in User-Name = "particle", looking up realm NULL (43) suffix: No such realm "NULL" (43) [suffix] = noop (43) update control { (43) &Proxy-To-Realm := LOCAL (43) } # update control = noop (43) eap: Peer sent EAP Response (code 2) ID 188 length 6 (43) eap: No EAP Start, assuming it's an on-going EAP conversation (43) [eap] = updated (43) files: users: Matched entry particle at line 1 (43) [files] = ok (43) [expiration] = noop (43) [logintime] = noop (43) pap: WARNING: Auth-Type already set. Not setting to PAP (43) [pap] = noop (43) } # authorize = updated (43) Found Auth-Type = eap (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) authenticate { (43) eap: Expiring EAP session with state 0xc826a0d6c99aba78 (43) eap: Finished EAP session with state 0xc826a0d6c99aba78 (43) eap: Previous EAP request found for state 0xc826a0d6c99aba78, released from the list (43) eap: Peer sent packet with method EAP MSCHAPv2 (26) (43) eap: Calling submodule eap_mschapv2 to process data (43) eap: Sending EAP Success (code 3) ID 188 length 4 (43) eap: Freeing handler (43) [eap] = ok (43) } # authenticate = ok (43) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) post-auth { ... } # empty sub-section is ignored (43) } # server inner-tunnel (43) Virtual server sending reply (43) MS-MPPE-Encryption-Policy = Encryption-Allowed (43) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) EAP-Message = 0x03bc0004 (43) Message-Authenticator = 0x00000000000000000000000000000000 (43) User-Name = "particle" (43) eap_peap: Got tunneled reply code 2 (43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) eap_peap: EAP-Message = 0x03bc0004 (43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (43) eap_peap: User-Name = "particle" (43) eap_peap: Got tunneled reply RADIUS code 2 (43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) eap_peap: EAP-Message = 0x03bc0004 (43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (43) eap_peap: User-Name = "particle" (43) eap_peap: Tunneled authentication was successful (43) eap_peap: SUCCESS (43) eap: Sending EAP Request (code 1) ID 189 length 75 (43) eap: EAP session adding &reply:State = 0x2a8581bd2d3898df (43) [eap] = handled (43) } # authenticate = handled (43) Using Post-Auth-Type Challenge (43) Post-Auth-Type sub-section not found. Ignoring. (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (43) Sent Access-Challenge Id 215 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (43) EAP-Message = 0x01bd004b19001703030040b9bfa8da3c157aefbb79072add6550d5c358cb82d3e35524a00affd2bac853f94e6bab78f4d1ff4a9a67f2887ef428052762834010a626cdf516ba109ff8dd11 (43) Message-Authenticator = 0x00000000000000000000000000000000 (43) State = 0x2a8581bd2d3898df1e814808369ac970 (43) Finished request William Steen wjsteen@talktalk.net
On 20 May 2019, at 09:45, william steen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
First time using freeradius, attempting to setup freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received.
Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect which comes after a WARNING: Auth-Type already set. Not setting to PAP?
FreeRADIUS Version 3.0.12
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Ready to process requests
Below is what debug output when trying to connect to the WAP.
(0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172 (0) User-Name = "particle" (0) NAS-IP-Address = 192.168.1.38 (0) NAS-Identifier = "b4fbe4c348ab" (0) NAS-Port = 0 (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (0) Calling-Station-Id = "E0-4F-43-36-B1-F1" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0205000d017061727469636c65 (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "particle", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 13 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 6 length 22 (0) eap: EAP session adding &reply:State = 0x792e584479285c88 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x792e584479285c88d729d5f4b5ba04a4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (1) User-Name = "particle" (1) NAS-IP-Address = 192.168.1.38 (1) NAS-Identifier = "b4fbe4c348ab" (1) NAS-Port = 0 (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (1) Calling-Station-Id = "E0-4F-43-36-B1-F1" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020600060319 (1) State = 0x792e584479285c88d729d5f4b5ba04a4 (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "particle", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry particle at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x792e584479285c88 (1) eap: Finished EAP session with state 0x792e584479285c88 (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 7 length 6 (1) eap: EAP session adding &reply:State = 0x792e584478294188 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (1) EAP-Message = 0x010700061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x792e584478294188d729d5f4b5ba04a4 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273 (2) User-Name = "particle" (2) NAS-IP-Address = 192.168.1.38 (2) NAS-Identifier = "b4fbe4c348ab" (2) NAS-Port = 0 (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (2) Calling-Station-Id = "E0-4F-43-36-B1-F1" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (2) State = 0x792e584478294188d729d5f4b5ba04a4 (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "particle", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 7 length 96 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x792e584478294188 (2) eap: Finished EAP session with state 0x792e584478294188 (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes (2) eap_peap: Got complete TLS record (86 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0051] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 002a] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02f1] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 8 length 820 (2) eap: EAP session adding &reply:State = 0x792e58447b264188 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x792e58447b264188d729d5f4b5ba04a4 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547 (3) User-Name = "particle" (3) NAS-IP-Address = 192.168.1.38 (3) NAS-Identifier = "b4fbe4c348ab" (3) NAS-Port = 0 (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (3) Calling-Station-Id = "E0-4F-43-36-B1-F1" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67 (3) State = 0x792e58447b264188d729d5f4b5ba04a4 (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "particle", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 8 length 368 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x792e58447b264188 (3) eap: Finished EAP session with state 0x792e58447b264188 (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes (3) eap_peap: Got complete TLS record (358 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0106] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 9 length 97 (3) eap: EAP session adding &reply:State = 0x792e58447a274188 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x792e58447a274188d729d5f4b5ba04a4 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (4) User-Name = "particle" (4) NAS-IP-Address = 192.168.1.38 (4) NAS-Identifier = "b4fbe4c348ab" (4) NAS-Port = 0 (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (4) Calling-Station-Id = "E0-4F-43-36-B1-F1" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020900061900 (4) State = 0x792e58447a274188d729d5f4b5ba04a4 (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "particle", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 9 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x792e58447a274188 (4) eap: Finished EAP session with state 0x792e58447a274188 (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 10 length 75 (4) eap: EAP session adding &reply:State = 0x792e58447d244188 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x792e58447d244188d729d5f4b5ba04a4 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (5) User-Name = "particle" (5) NAS-IP-Address = 192.168.1.38 (5) NAS-Identifier = "b4fbe4c348ab" (5) NAS-Port = 0 (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (5) Calling-Station-Id = "E0-4F-43-36-B1-F1" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7 (5) State = 0x792e58447d244188d729d5f4b5ba04a4 (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 75 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x792e58447d244188 (5) eap: Finished EAP session with state 0x792e58447d244188 (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - particle (5) eap_peap: Got inner identity 'particle' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: Setting User-Name to particle (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "particle" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020a000d017061727469636c65 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "particle" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 13 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 43 (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 107 (5) eap: EAP session adding &reply:State = 0x792e58447c254188 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x792e58447c254188d729d5f4b5ba04a4 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300 (6) User-Name = "particle" (6) NAS-IP-Address = 192.168.1.38 (6) NAS-Identifier = "b4fbe4c348ab" (6) NAS-Port = 0 (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (6) Calling-Station-Id = "E0-4F-43-36-B1-F1" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818 (6) State = 0x792e58447c254188d729d5f4b5ba04a4 (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 123 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x792e58447c254188 (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method MSCHAPv2 (26) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: Setting User-Name to particle (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "particle" (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 67 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry particle at line 1 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x9ed5137a9ede0992 (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 11 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> particle (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) EAP-Message = 0x040b0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 12 length 75 (6) eap: EAP session adding &reply:State = 0x792e58447f224188 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) session-state: Saving cached attributes (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x792e58447f224188d729d5f4b5ba04a4 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (7) User-Name = "particle" (7) NAS-IP-Address = 192.168.1.38 (7) NAS-Identifier = "b4fbe4c348ab" (7) NAS-Port = 0 (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (7) Calling-Station-Id = "E0-4F-43-36-B1-F1" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea (7) State = 0x792e58447f224188d729d5f4b5ba04a4 (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7 (7) Restoring &session-state (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "particle", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 12 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x792e58447f224188 (7) eap: Finished EAP session with state 0x792e58447f224188 (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 12 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> particle (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44 (7) EAP-Message = 0x040c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 37 with timestamp +37 (1) Cleaning up request packet ID 38 with timestamp +37 (2) Cleaning up request packet ID 39 with timestamp +37 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 40 with timestamp +37 (4) Cleaning up request packet ID 41 with timestamp +37 (5) Cleaning up request packet ID 42 with timestamp +37 (6) Cleaning up request packet ID 43 with timestamp +37 (7) Cleaning up request packet ID 44 with timestamp +37
Thanks in advance for any help.
Will
wjsteen@talktalk.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 21, 2019, at 3:33 PM, william steen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thank you for the observations. Mea cupla - the password was wrong. Having corrected that I am getting a WICED 1064 error back on the device which I believe means EAPOL_KEY_FAILURE. I am really struggling the read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working in fact I see at the end SUCCESS - so is this a device issue?
You see MS-CHAP success, but the client doesn't send any more packets. Which means that the device doesn't like the MS-CHAP success, and has dropped the authentication session. It's hard to understand why it's not working from the debug log. Because the error messages are on the device, and not in the debug log. The only signal that's in the debug log is the *absence* of continued packets from the device. Which then means that the device didn't like *something* about the exchange. Since the last packet was sending MS-CHAP success, it means that the device didn't like the MS-CHAP success. Why? Magic. The error message is buried in the device. And Microsoft is very good about giving the user *zero* useful information. Alan DeKok.
Alan Many thanks for explaining this to me. I need to have another go at the device maker who claim WPA2 Enterprise WiFi support - the error on the device was EAPOL_KEY_FAILURE - which is from the WICED software stack and not well explained! Regards William Steen wjsteen@talktalk.net
On 21 May 2019, at 23:10, Alan DeKok <aland@deployingradius.com> wrote:
On May 21, 2019, at 3:33 PM, william steen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thank you for the observations. Mea cupla - the password was wrong. Having corrected that I am getting a WICED 1064 error back on the device which I believe means EAPOL_KEY_FAILURE. I am really struggling the read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working in fact I see at the end SUCCESS - so is this a device issue?
You see MS-CHAP success, but the client doesn't send any more packets. Which means that the device doesn't like the MS-CHAP success, and has dropped the authentication session.
It's hard to understand why it's not working from the debug log. Because the error messages are on the device, and not in the debug log. The only signal that's in the debug log is the *absence* of continued packets from the device.
Which then means that the device didn't like *something* about the exchange. Since the last packet was sending MS-CHAP success, it means that the device didn't like the MS-CHAP success.
Why? Magic. The error message is buried in the device. And Microsoft is very good about giving the user *zero* useful information.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Manoel bezerra -
Matthew Newton -
william steen