I am sure it is simple. I did do some research and one of the posts was about some of the auth modules not starting. Any suggestions ? Testing on localhost. Please see end of file - I have included the begining bit where I have started radius -X filename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/line log linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --usern ame=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preproce ss preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address :: port 1812 as server default Listening on acct address :: port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 43825 Ready to process requests Received Access-Request Id 180 from 127.0.0.1:59304 to 127.0.0.1:1812 length 73 User-Name = 'bob' User-Password = 'hello' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x773faf53acb2a0cfec2b328e3f1d8fb3 (9) Received Access-Request packet from host 127.0.0.1 port 59304, id=180, length=73 (9) User-Name = 'bob' (9) User-Password = 'hello' (9) NAS-IP-Address = 127.0.0.1 (9) NAS-Port = 0 (9) Message-Authenticator = 0x773faf53acb2a0cfec2b328e3f1d8fb3 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (!&User-Name) (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "bob", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : No EAP-Message, not doing EAP (9) [eap] = noop (9) [files] = noop (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (9) WARNING: pap : Authentication will fail unless a "known good" password is available (9) [pap] = noop (9) } # authorize = ok (9) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject : EXPAND %{User-Name} (9) attr_filter.access_reject : --> bob (9) attr_filter.access_reject : Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (9) [eap] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sending Access-Reject packet to host 127.0.0.1 port 59304, id=180, length=0 Sending Access-Reject Id 180 from 127.0.0.1:1812 to 127.0.0.1:59304 Waking up in 3.9 seconds. (9) Cleaning up request packet ID 180 with timestamp +1307 Ready to process requests Received Access-Request Id 222 from 127.0.0.1:49629 to 127.0.0.1:1812 length 77 User-Name = 'testing' User-Password = 'password' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0xef77888032042b26cdc7e39baf267ee8 (10) Received Access-Request packet from host 127.0.0.1 port 49629, id=222, length=77 (10) User-Name = 'testing' (10) User-Password = 'password' (10) NAS-IP-Address = 127.0.0.1 (10) NAS-Port = 0 (10) Message-Authenticator = 0xef77888032042b26cdc7e39baf267ee8 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (!&User-Name) (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\\.\\./ ) (10) if (&User-Name =~ /\\.\\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\\.$/) (10) if (&User-Name =~ /\\.$/) -> FALSE (10) if (&User-Name =~ /@\\./) (10) if (&User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : Checking for suffix after "@" (10) suffix : No '@' in User-Name = "testing", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) eap : No EAP-Message, not doing EAP (10) [eap] = noop (10) [files] = noop (10) [expiration] = noop (10) [logintime] = noop (10) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (10) WARNING: pap : Authentication will fail unless a "known good" password is available (10) [pap] = noop (10) } # authorize = ok (10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject : EXPAND %{User-Name} (10) attr_filter.access_reject : --> testing (10) attr_filter.access_reject : Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (10) [eap] = noop (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Sending delayed response (10) Sending Access-Reject packet to host 127.0.0.1 port 49629, id=222, length=0 Sending Access-Reject Id 222 from 127.0.0.1:1812 to 127.0.0.1:49629 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 222 with timestamp +1676 Ready to process requests Please consider the environment before printing this email
On Jul 9, 2015, at 7:57 AM, Ross c6 <ross@convergingtrails.com> wrote:
I am sure it is simple. I did do some research and one of the posts was about some of the auth modules not starting. Any suggestions ?
Read the debug output you posted here?
(10) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(10) WARNING: pap : Authentication will fail unless a "known good" password is available
So... how should the server authenticate a user if it doesn't know (a) who the user is, and (b) what the correct password is for that user? This is documented: http://freeradius.org/doc/getting_started.html Alan DeKok.
Alan, Thanks for this. I had slavishly followed the testing instructions you refer to. I had uncommented the "bob" user and added in the "testing" user at the top of the users file. I had monitored the testing using -X. I had also pasted in the debugging system with no intelligible response (from my layman perspective). From the debug both the following were received by freeRadius so no issues with firewall or corruption experienced by other. "(9) User-Name = 'bob' (9) User-Password = 'hello'" And (10) User-Name = 'testing' (10) User-Password = 'password' I have now reread the technical guide. Other than a knowledge of freeradius what am I missing ? Your comment: "So... how should the server authenticate a user if it doesn't know (a) who the user is, and (b) what the correct password is for that user?" is valid. I had added these users in the user file and am asking for a hint as to why they are not been seen by freeradius. I have attached the config file and pasted in the bits of interest below. "testing Cleartest-Password := "password" # # Configuration file for the rlm_files module." And bob Cleartext-Password := "hello" Reply-Message := "Hello, %{User-Name}" I am sure it is something so obvious that it is possibly not in the how-to ? -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Friday, 10 July 2015 12:14 AM To: ross@convergingtrails.com; FreeRadius users mailing list Subject: Re: no-auth type error On Jul 9, 2015, at 7:57 AM, Ross c6 <ross@convergingtrails.com> wrote:
I am sure it is simple. I did do some research and one of the posts was about some of the auth modules not starting. Any suggestions ?
Read the debug output you posted here?
(10) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(10) WARNING: pap : Authentication will fail unless a "known good" password is available
So... how should the server authenticate a user if it doesn't know (a) who the user is, and (b) what the correct password is for that user? This is documented: http://freeradius.org/doc/getting_started.html Alan DeKok.
Get rid of the quotes Also. Read the output of the radiusd -X and ensure that you are editing the same users file that the server is reading. Also you need to restart the server after editing the users file alan
Hi, I am doing eap-peap-mschap2 authentication in v3.0.9. I am trying to log the failure message in linelog when auth. fails. Does anyone get logging failure message working with the "Multi-packet session state" mentioned in: http://lists.freeradius.org/pipermail/freeradius-users/2014-October/074522.h... I tested v3.0.9 with the default configuration template for default and inner-tunnel virtual servers and added my LDAP settings in them. I found that with incorrect username/password, I could see the failed message "mschap: MS-CHAP2-Response is incorrect" in debug log. But "Module-Failure-Message" is always empty, even within inner-tunnel when I called %{Module-Failure-Message} in linelog in post-auth-type reject. What else is missing? What other changes are needed other than default and inner-tunnel files? Any help/pointer is appreciated. The relevant debug log is attached below. Fu (8) Received Access-Request Id 37 from 10.28.123.29:3629 to 10.28.235.64:1812 length 304 (8) User-Name = "hjkk" (8) Framed-MTU = 1450 (8) EAP-Message = 0x0209005b19001703010050734f6f4d1064d84a3f94094275321919b869bb34d8fcd9ab79ddb89f5c5968545009377889406ac5174f2be9d9f5ea6e792797d33ac352d329450d5c4c220c62f586f55060a97722bcfe2f746dddd4c2 (8) Message-Authenticator = 0x132de909371fe1c630d7198832881c5c (8) Chargeable-User-Identity = 0x00 (8) NAS-IP-Address = 10.28.123.29 (8) NAS-Identifier = "ITS-TEST" (8) NAS-Port = 33779942 (8) NAS-Port-Id = "slot=2;subslot=0;port=55;vlanid=230" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Framed-Protocol = PPP (8) Calling-Station-Id = "10-1C-0C-79-26-49" (8) Called-Station-Id = "58-6A-B1-2A-F5-E0:its-test" (8) Acct-Session-Id = "11506101629790" (8) State = 0xd0f2ff51d7fbe675d0d3651812ae64d4 (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) { (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) { (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) { (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) { (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "hjkk", looking up realm NULL (8) suffix: Found realm "NULL" (8) suffix: Adding Stripped-User-Name = "hjkk" (8) suffix: Adding Realm = "NULL" (8) suffix: Authentication realm is LOCAL (8) [suffix] = ok (8) eap: Peer sent EAP Response (code 2) ID 9 length 91 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x4472bda9447ba76b (8) eap: Finished EAP session with state 0xd0f2ff51d7fbe675 (8) eap: Previous EAP request found for state 0xd0f2ff51d7fbe675, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0209003f1a0209003a316f628f361abe6d88fb33842b3de381960000000000000000bd78decc0bc9bb5a3b8c7b907dec1d9633e58d29b10cb98e00686a6b6b (8) eap_peap: Setting User-Name to hjkk (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0209003f1a0209003a316f628f361abe6d88fb33842b3de381960000000000000000bd78decc0bc9bb5a3b8c7b907dec1d9633e58d29b10cb98e00686a6b6b (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "hjkk" (8) eap_peap: State = 0x4472bda9447ba76bd8632d7ad5b1698f (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0209003f1a0209003a316f628f361abe6d88fb33842b3de381960000000000000000bd78decc0bc9bb5a3b8c7b907dec1d9633e58d29b10cb98e00686a6b6b (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "hjkk" (8) State = 0x4472bda9447ba76bd8632d7ad5b1698f (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "hjkk", looking up realm NULL (8) suffix: Found realm "NULL" (8) suffix: Adding Stripped-User-Name = "hjkk" (8) suffix: Adding Realm = "NULL" (8) suffix: Authentication realm is LOCAL (8) [suffix] = ok (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 63 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (0) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=hjkk) (8) ldap: Performing search in "ou=radius,o=test,c=hk" with filter "(uid=hjkk)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (8) [ldap] = notfound (8) redundant ldap_DB_redundant { rlm_ldap (ldap_DB_1): Reserved connection (0) (8) ldap_DB_1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (8) ldap_DB_1: --> (&(uid=hjkk) (8) ldap_DB_1: Performing search in "ou=radius,o=test,c=hk" with filter "(&(uid=hjkk))", scope "sub" (8) ldap_DB_1: Waiting for search result... (8) ldap_DB_1: Search returned no results rlm_ldap (ldap_DB_1): Released connection (0) (8) [ldap_DB_1] = notfound (8) } # redundant ldap_DB_redundant = notfound (8) } # authorize = notfound (8) Found Auth-Type = EAP (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x4472bda9447ba76b (8) eap: Finished EAP session with state 0x4472bda9447ba76b (8) eap: Previous EAP request found for state 0x4472bda9447ba76b, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: Creating challenge hash with username: hjkk (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) MSCHAP-Error: E=691 R=1 (8) Could not parse new challenge from MS-CHAP-Error: 2 (8) ERROR: MSCHAP Failure (8) eap: Sending EAP Request (code 1) ID 10 length 18 (8) eap: EAP session adding &reply:State = 0x4472bda94578a76b (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x010a00121a0409000d453d36393120523d31 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x4472bda94578a76bd8632d7ad5b1698f (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x010a00121a0409000d453d36393120523d31 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x4472bda94578a76bd8632d7ad5b1698f (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x010a00121a0409000d453d36393120523d31 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x4472bda94578a76bd8632d7ad5b1698f (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 10 length 59 (8) eap: EAP session adding &reply:State = 0xd0f2ff51d8f8e675 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 37 from 10.28.235.64:1812 to 10.28.123.29:3629 length 0 (8) EAP-Message = 0x010a003b19001703010030c0ef9777349d844241a9edc933b3addc585704359d08ab78a35194fd5bc5cde05f88638a9fe1508f3ce9bb22e39bcbf0 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xd0f2ff51d8f8e675d0d3651812ae64d4 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 38 from 10.28.123.29:3629 to 10.28.235.64:1812 length 256 (9) User-Name = "hjkk" (9) Framed-MTU = 1450 (9) EAP-Message = 0x020a002b1900170301002012e475052c4413b52c418471e8a8d310de04b302ca35e9a0587593afdb804d1a (9) Message-Authenticator = 0xb723576d45a0404b72f7c165300d3d64 (9) Chargeable-User-Identity = 0x00 (9) NAS-IP-Address = 10.28.123.29 (9) NAS-Identifier = "ITS-TEST" (9) NAS-Port = 33779942 (9) NAS-Port-Id = "slot=2;subslot=0;port=55;vlanid=230" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Framed-Protocol = PPP (9) Calling-Station-Id = "10-1C-0C-79-26-49" (9) Called-Station-Id = "58-6A-B1-2A-F5-E0:its-test" (9) Acct-Session-Id = "11506101629790" (9) State = 0xd0f2ff51d8f8e675d0d3651812ae64d4 (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) { (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) { (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) { (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "hjkk", looking up realm NULL (9) suffix: Found realm "NULL" (9) suffix: Adding Stripped-User-Name = "hjkk" (9) suffix: Adding Realm = "NULL" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) eap: Peer sent EAP Response (code 2) ID 10 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x4472bda94578a76b (9) eap: Finished EAP session with state 0xd0f2ff51d8f8e675 (9) eap: Previous EAP request found for state 0xd0f2ff51d8f8e675, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x020a00091a04090004 (9) eap_peap: Setting User-Name to hjkk (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x020a00091a04090004 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "hjkk" (9) eap_peap: State = 0x4472bda94578a76bd8632d7ad5b1698f (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020a00091a04090004 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "hjkk" (9) State = 0x4472bda94578a76bd8632d7ad5b1698f (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "hjkk", looking up realm NULL (9) suffix: Found realm "NULL" (9) suffix: Adding Stripped-User-Name = "hjkk" (9) suffix: Adding Realm = "NULL" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 9 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (1) (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (uid=hjkk) (9) ldap: Performing search in "ou=radius,o=test,c=hk" with filter "(uid=hjkk)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: Search returned no results rlm_ldap (ldap): Released connection (1) (9) [ldap] = notfound (9) redundant ldap_DB_redundant { rlm_ldap (ldap_DB_1): Reserved connection (1) (9) ldap_DB_1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (9) ldap_DB_1: --> (&(uid=hjkk)) (9) ldap_DB_1: Performing search in "ou=radius,o=test,c=hk" with filter "(&(uid=hjkk))", scope "sub" (9) ldap_DB_1: Waiting for search result... (9) ldap_DB_1: Search returned no results rlm_ldap (ldap_DB_1): Released connection (1) (9) [ldap_DB_1] = notfound (9) } # redundant ldap_DB_redundant = notfound (9) } # authorize = notfound (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x4472bda94578a76b (9) eap: Finished EAP session with state 0x4472bda94578a76b (9) eap: Previous EAP request found for state 0x4472bda94578a76b, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap: Sending EAP Failure (code 4) ID 10 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Login incorrect: [hjkk] (from client wifi-test-13.29 port 0 via TLS tunnel) (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> hjkk (9) attr_filter.access_reject: Matched entry DEFAULT at line 16 (9) [attr_filter.access_reject] = updated (9) update outer.session-state { (9) No attributes updated (9) } # update outer.session-state = noop (9) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (9) linelog: --> messages.Access-Reject (9) linelog: EXPAND /usr/local/var/log/radius/log/linelog-%Y%m%d (9) linelog: --> /usr/local/var/log/radius/log/linelog-20150710 (9) linelog: EXPAND %S,%{reply:Packet-Type},%{Packet-Src-IP-Address},%{NAS-IP-Address},%{User-Name},%{Calling-Station-Id},%{%{Aruba-Essid-Name}:-%{Called-Station-Id}},%{reply:Reply-Message},%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}} (9) linelog: --> 2015-07-10 16:34:09,Access-Reject,10.28.123.29,,hjkk,,,, (9) [linelog] = ok (9) } # Post-Auth-Type REJECT = updated (9) } # server inner-tunnel (9) Virtual server sending reply (9) EAP-Message = 0x040a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: Got tunneled reply code 3 (9) eap_peap: EAP-Message = 0x040a0004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: Got tunneled reply RADIUS code 3 (9) eap_peap: EAP-Message = 0x040a0004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: Tunneled authentication was rejected (9) eap_peap: FAILURE (9) eap: Sending EAP Request (code 1) ID 11 length 43 (9) eap: EAP session adding &reply:State = 0xd0f2ff51d9f9e675 (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Sent Access-Challenge Id 38 from 10.28.235.64:1812 to 10.28.123.29:3629 length 0 (9) EAP-Message = 0x010b002b19001703010020fce42371f591a9cd4075aac9d4852261963c568adb079dad4ed6ba87dd83e232 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xd0f2ff51d9f9e675d0d3651812ae64d4 (9) Finished request
participants (4)
-
Alan Buxey -
Alan DeKok -
Lai Fu Keung -
Ross c6