Freeradius SQL: PEAP: Tunneled authentication was rejected.
Hi, i prepare freeradius with eap/peap and the users file that works fine. Now i setup a sql database, i can use radtest or radeapclient to check the user and password in the database and it works fine, but if i try to connect to freeradius the request will be rejected and i have no idea why So if you can give me some hints you are welcome... here the reject: PEAP: Tunneled authentication was rejected. here the total debug log: rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=0, length=194 Message-Authenticator = 0x6462a3c080bc0ee0af1d99a080b2d335 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0173716c75736572 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{User-Name} -> sqluser rlm_sql (sql): sql_set_user escaped user --> 'sqluser' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.0.50 port 1037 EAP-Message = 0x01010016041056977865b8f38f672c99a5c049338698 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeff0727198f0e801bd7f42f1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=1, length=206 Message-Authenticator = 0x97148f06ecd1d47d289947214042b441 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeff0727198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100060319 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{User-Name} -> sqluser rlm_sql (sql): sql_set_user escaped user --> 'sqluser' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.0.50 port 1037 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeef36f7198f0e801bd7f42f1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=2, length=337 Message-Authenticator = 0xf06fbed85cd7d6f9a7b00bc67df6ba87 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeef36f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200891900160301007e0100007a03014d41cf9c8c7503cfc4ac02ba74ce4c6a5b185d8c7ea7574f4d7b354e60026c0a2067de91fbb878785f4a07 302074edf8ef6ade9886e8f9428ecc0d84247b18c57f003200390038003500880087008400160013000a00330032002f004500440041000500040015001200090014001100080006 0003020100 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 137 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 007e], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.0.50 port 1037 EAP-Message = 0x0103040019c000000acd160301004a0200004603014d41cf9cfaed3d7fc78c6ba9b7d8bb11c01eb9b4921e04d0548b69bb81a108ae208f4f020fcd8a efcbc4748614f56ca619187eda3b33f4ff255e018e100378c655003901160301085e0b00085a0008570003a6308203a23082028aa003020102020102300d06092a864886f70d0101 040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d70 6c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303130373136323632365a170d323130313034313632 3632365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578 616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d 01010105000382010f003082010a0282010100bc734f9d3049b9ad29649bf5685fc25a07bee2149b4c8e417e165b2c6ed9 EAP-Message = 0xe5fbb2cf2d0a9f44f6b8e8c89cafb2cbc4a9968c1803966929f10af48996cdd46fb425caaf0a19e2f8e7d46550c1c7bc89bf9e1e0811bf39a527b7e2 80028c227a2e97a47d618735b1797a7dfd7f169ba3404dee104b7269db1a4e452fd526d6af1afad3a1ed3a0e807811a133101dbfa4f6edaacbf096aaf7a8b4196ed49671a749cd7b 75d079c717a16903d7dfb57c523adaeeab99f651831ecb262b86d49ad10e05b8e2a112190e3ec6039a477f0ae70f7975bc59d1c62898f34ca0a2f42febd2cf5c46e4f080e4176261 58c0122d711e068d966fdfd6f4a95dffc8cc3ee1ce270203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100877baa777876021f1268749453b9ab3513ad8b4c9f0ea68e6af12bb980d156a05a845392d0 0cc42a05f834dc6463ec2dbb990e68d890789fdfd5bf6897aa2ae6f03576f1cd412e5290e56b7024026aa5889095060b95b8305ae1d922dc6442d69f7ecfd82d01d8ac8407fe8b1e f6021d26aafc7d327eda89e48778c0e7c890284d78e4783b99a07907e0403156a023d08862471ed1b6cd6d506acc4e9e24b84112f3efdcdb76dbf63bdfeb749ea2faf5e8e67fbcd7 d7c1b179b9adfd97ad81eda2b68195ea19ad5e7c976e7eefecd16e45016ca70093732f101538df6deb4a0b28b0ac7816e5 EAP-Message = 0x3537f15a3e6d28557e50ced1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaedf26f7198f0e801bd7f42f1 Finished request 2. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=3, length=206 Message-Authenticator = 0xc0236583fb6cc1eff4e3692386b05cd5 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaedf26f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.0.50 port 1037 EAP-Message = 0x010403fc1940d76bf7348c65d017f49ee7a0e94f0004ab308204a73082038fa00302010202090088d6a04b914711cc300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c 6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274696669636174652041 7574686f72697479301e170d3131303130373136323632365a170d3131303230363136323632365a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d70 6c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520 417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100af5bebdfb1e9fb1e943de80e9f0acbf563d7ca009ec112a9b5979e0b779a 681debed0535d03ea8e16523453e72b1912e6e1dada0d72053ccc2d96d6c4be07bac43c12f5c5348cc2e99ca85a793ff57 EAP-Message = 0x41aedc3a0ea690141f3b58c130da1aaad2223c421d6634fc7ce836180dbc2ac9ab5bf52abde87d9dd3cec84d65a8c1321abf381d2023bed5ac595f84 af770efe04ddaa417234d4e8f68498e02d67c2a4fb28fe4d2bac043d983446d12187de441bc5a5df6d9465cdeff6fead18d1a9b7cc0d8562caccd62e70f66a0507d04b678d2aadd0 8be6e6978cdd0d1e1a095889fbb7d98f1802a4eb0d5489b85b90ac8821bc243cbd7f9843152af22ba66645e2510203010001a381fb3081f8301d0603551d0e041604147f436e8fc5 e6a6b8437022ae88b879dc095cd18c3081c80603551d230481c03081bd80147f436e8fc5e6a6b8437022ae88b879dc095c EAP-Message = 0xd18ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747982090088d6a04b914711cc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009e 4148e0bcfa4d3f6e5b607d864dad98650e482159aa8bb34b66c0c07fbf3e37c79cca55a2502a591cca0518411a47d0e296 EAP-Message = 0x70e0874d635f5cd3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaecf56f7198f0e801bd7f42f1 Finished request 3. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=4, length=206 Message-Authenticator = 0x28863aba9a3b7269b75e881aada8a924 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaecf56f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.0.50 port 1037 EAP-Message = 0x010502e71900d8166dc7b99a4e27a679b04388e1d246bbb52beea9dcdeb033f596c10e980bc0ab99d92b013ccd79bd1115bd76604da368170c434737 b2a722331a510ae27009b20cb5e6888b63eccd479eca9e394d58404b78b285e706ba026f7a13318965a5d8d4d1ceb679d3443b4e90f45ec1d6e83980f7f42ab5427402b449025a22 ae48ec63ac38974337165677b17b7dd589d716bd572add065073662ed1b6e656159049e6dada7066205e19c8c15baa2b85af112353df2f278813b6f55682ca273882b54876b8330c 160301020d0c0002090080fe5ee9d93c834c61b96c084a22ea6cdd00107bc59f9e391af41618125b59f81f241f831ea90c EAP-Message = 0x94a3627f3c424a82fbc20778144b62e9731fd7ef82c1fad8c33b82d29df918153c00834cdaeb332b03b1f4bbf40b7d2201f881e5f5accedc938bff2b f316465677806e17e69d7334aeb1e45ce13367c66f9283e675c998940f5300010200802a468d7356edf3171caef4c97454274ac86d38f3a0a87b9bd4dd05b2f9f36118342129453f 8cff65fb71b7bf4008e64ccc0b371902304eb6a58d86da4e5c9b84b49c89fe8a3deba167f623d5fa28a35cdd4b7bed3e85d29c0542384a59aac5095d098330f567e409b0f60cd657 802085b4d612d49b29cb869693f0efd6d1502c010053160d171ed2021760e5e4d39b4572f57dd58e5391524e95cf70e701 EAP-Message = 0x8c85fdc2598764461eb216d3f7c285f4a8bf91c8f475971ec5ea7314a6bc6a6b77ec3587172b1a4e27d41342aca759e13be98f3dc794eb542e7649cb 282e4e2d74fe7c8f7761da3ec1a5172b944a26cd65f6f75eb1663dc95350019be71b5411af14fc43361cc6a5965f7aa3d90483cbc1c2402ad0e09bff52db746fb56a4f66490c740c 9957c687258a2c81f8b3a80bcc8065939ef509e710161d438da1779763f6ba5b14db8d8ce577753ea592ac5402a0cec04b7626908692f718899fafe44b434a1ebcae72194c94a849 2e1e0b9b14354c23344f3b9bee005fecc3cd3da82dea5db316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaebf46f7198f0e801bd7f42f1 Finished request 4. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=5, length=404 Message-Authenticator = 0x63c5e1ff1a1d9df1b0bbdad7714b8c9a Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaebf46f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500cc19001603010086100000820080a5a12e9fb29344c07d155ed199dce1f532ec737a672c18187595b8a616d7006dddbfd6f9bb3460dafac218 b07e5ce0fa0bdf78bf0a2af0259a3fe1aa31c1f4297fc1a2df94ae090a7e9f4ff5296baae51ca8d7b99f98361e8f33943e8473d6c713461f26f8263a1effe2887e6e417e106522ae 35bf38844286cec0bdba5df74614030100010116030100301fcbd83169e23e468af5113d1eef78760b4ec6de5f4d18548159af3a0a914df0c65ac7493db98a95ff31816202441083 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.0.50 port 1037 EAP-Message = 0x010600411900140301000101160301003084f98267ce99a87e36417d12793cd01d1320e28f73eed0b310fe35e98fb08f638aa96e46f1173378a09936 14cba69952 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeaf76f7198f0e801bd7f42f1 Finished request 5. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=6, length=206 Message-Authenticator = 0xbb693480b8c053732ac09c3354cddf7d Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeaf76f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.0.50 port 1037 EAP-Message = 0x0107002b19001703010020132e756d08ced7e45da425ed9248e8578c3988d758aeca13d08753171d6288fd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae9f66f7198f0e801bd7f42f1 Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=7, length=296 Message-Authenticator = 0xa6e6a2d92ae86919ede0b3fbf1d3588a Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae9f66f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207006019001703010020f23c5c5bff65e357c1d04750e77a02a3018ec1e29f452f8b40744b4a781f41a6170301003087cb3edea87d9ae896ee6a1b a1f110beaae1ac3fd3b15e17511bde8ee9f19afd54ef63376f466842f3662048ee5485f7 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - sqluser PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000c0173716c75736572 PEAP: Got tunneled identity of sqluser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to sqluser PEAP: Sending tunneled request EAP-Message = 0x0207000c0173716c75736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sqluser" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 PEAP: Processing from tunneled session code 0x81bd2b0 11 EAP-Message = 0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.0.50 port 1037 EAP-Message = 0x0108004b190017030100402003024634e4f8ec66529bbf55bbcbdf55e9b2de71df4307a92425182981824df1d671e2cc670be268bf621066d6d46388 0ac2ebe173ac6cf5d2ad2a927172c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae8f96f7198f0e801bd7f42f1 Finished request 7. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=8, length=344 Message-Authenticator = 0x6d830a81d5020493951deab84388b73b Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae8f96f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208009019001703010020fd154ad5033bc10deb9affe6269fbb4e011fb48b4955855c6d1a6cb884edc9fb1703010060325cf7f4956a0f450c4124d0 eadcfc46b3f7346bd768d367985c39b79d8ade99e37783cb5ddc062e795602cd3b965a3cc446365ea8cd6fc1dd7c98a6d11921c9018c77621c798adbbe1711e4100e3e341de47b09 28105cb056ea7dcf93e5ad68 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 144 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073 716c75736572 PEAP: Setting User-Name to sqluser PEAP: Sending tunneled request EAP-Message = 0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073 716c75736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sqluser" State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 66 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81bd288 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.0.50 port 1037 EAP-Message = 0x0109003b1900170301003034751d74d2db85e76a4a09990bc079aabf886c33adbae4de36aa4b998d1437564e312ceb4f3ef2e602a0ec1b74c34c8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae7f86f7198f0e801bd7f42f1 Finished request 8. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=9, length=296 Message-Authenticator = 0xcf9f988ac3da6a9784a700bd6e8bd235 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae7f86f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0209006019001703010020b4f42681cb8004c329ba3e6eb3f20af6ab64a075776fd142c83e827add1a8e531703010030f9a9c64a35e6e5b5327b4c2e 91499e1a3897f2202d67ff4db4b2e03510edaa39019a712075a32f6ef78368edcc2e3bb6 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 1 cli 00-18-DE-E1-85-89) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> sqluser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 192.168.0.50 port 1037 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 0 ID 0 with timestamp +24 Cleaning up request 1 ID 1 with timestamp +24 Waking up in 0.3 seconds. Cleaning up request 2 ID 2 with timestamp +24 Cleaning up request 3 ID 3 with timestamp +24 Cleaning up request 4 ID 4 with timestamp +24 Waking up in 0.1 seconds. Cleaning up request 5 ID 5 with timestamp +24 Cleaning up request 6 ID 6 with timestamp +24 Cleaning up request 7 ID 7 with timestamp +24 Cleaning up request 8 ID 8 with timestamp +24 Waking up in 1.0 seconds. Cleaning up request 9 ID 9 with timestamp +24 Ready to process requests. Tell me if you need more information thx Chris -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authent... Sent from the FreeRadius - User mailing list archive at Nabble.com.
chris wrote:
i prepare freeradius with eap/peap and the users file that works fine.
Now i setup a sql database, i can use radtest or radeapclient to check the user and password in the database and it works fine, but if i try to connect to freeradius the request will be rejected and i have no idea why
The information is in the debug output you posted. Please read it. Also past the debug output into the web page: http://networkradius.com/freeradius.html
So if you can give me some hints you are welcome...
You probably need to list "sql" in the "inner-tunnel" virtual server. In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file. Alan DeKok.
Hi Alan, thx for the response, and yes i read the debug output and i also found the side you mentioned, to get more information about the output but, as you see in the number of my posting counts, i'm an newbie in using radius. And i didn't understood what these messages should occur in my mind or how it can be fixed... rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [sqluser/] (from client dlink-private-network port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81bd288 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. You give me a hint: thx: "You probably need to list "sql" in the "inner-tunnel" virtual server. In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file. " I will try and give an answer thx Chris -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authent... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, Does anyone know what "nabble.com" is and why the mail looks like this? Clicking the link below the email does show a properly formatted response... On 2011/01/28 12:21 PM, chris wrote:
Hi Alan, thx for the response, and yes i read the debug output and i also found the side you mentioned, to get more information about the output but, as you see in the number of my posting counts, i'm an newbie in using radius. And i didn't understood what these messages should occur in my mind or how it can be fixed... rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [sqluser/] (from client dlink-private-network port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81bd288 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. You give me a hint: thx: "You probably need to list "sql" in the "inner-tunnel" virtual server. In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file. " I will try and give an answer thx Chris ---------------------------------------------------------------------------- View this message in context: Re: Freeradius SQL: PEAP: Tunneled authentication was rejected. <http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authentication-was-rejected-tp3360430p3361206.html> Sent from the FreeRadius - User mailing list archive <http://freeradius.1045715.n5.nabble.com/FreeRadius-User-f2740693.html> at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Hi Alan, thx for the response, and yes i read the debug output and i also found the side you mentioned, to get more information about the output but, as you see in the number of my posting counts, i'm an newbie in using radius. And i didn't understood what these messages should occur in my mind or how it can be fixed... rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81bd288 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. You give me a hint: thx: "You probably need to list "sql" in the "inner-tunnel" virtual server. In 2.1.10, you can test the inner-tunnel directly, without using PEAP. See the comments at the top of the file. " I will try and give an answer thx Chris -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authent... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi Alan, its work great thx Chris -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authent... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan DeKok -
chris -
Johan Meiring -
Phil Mayers