I did this question yesterday, but since im new i did a lot of wrong things, like no subject, etc etc.So here is the deal, we use freeradius on a hotspot service with wireless and it works all fine, but we are trying to put 802.1x (its better)So the thing is, it always say "login/pass incorrect" So i did the debug thing, and i couldnt find the error (im new on linux) I did the radtest and the results are the following: radtest -t mschap <user> <pass> 127.0.0.1:1812 0 t3st3 (our pass)and i got this Sending Access-Request of id 193 to 127.0.0.1 port 1812 User-Name = "1085" NAS-IP-Address = 192.168.80.2 NAS-Port = 0 MS-CHAP-Challenge = 0x826bf8043e1d4ecf MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000cb7fdf6848ca0b2df86e5060da2c2b8e80329c405855233a rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=193, length=20 " so i did another test like this: radtest -t eap-md5 <user> <pass> 127.0.0.1:1812 0 t3st3 and i got this Sending Access-Request packet to host 127.0.0.1 port 1812, id=54, length=0 User-Name = "1085" User-Password = "XXXXXXX" NAS-IP-Address = 192.168.80.2 NAS-Port = 0 EAP-Code = Response EAP-Type-Identity = "1085" Message-Authenticator = 0x00 EAP-Message = 0x023500090131303835Received Access-Challenge packet from host 127.0.0.1 port 1812, id=54, length=64 EAP-Message = 0x013600061520 Message-Authenticator = 0x56eff2711d27219b78bc42ad7db31808 State = 0x028cb41e02baa1b18a40110649d7000f EAP-Id = 54 EAP-Code = Request EAP-Type-LEAP = 0x20 I dont know what is wrong, i THINK its our SQL BD that is not accepting mschap.I would appreciate that people dont answer like "read this, read that, its all explained", like i said, im new on linux, i read everything i found, but didnt got the problemAppreciate any help. Below is my debug trying to access by the wireless. [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 179 to 172.23.54.2 port 32784 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea42de2a3ddda2e08b2ef9a8e Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=180, length=320 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0202006919800000005f160301005a010000560301509d3fc22ba4ec181253508b1a9031d084a6ab63dfc0f57196d85dccbddd6bb0000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0xa52ffbdea42de2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0xb15471a260ff863b5df11a42d1b7ffaf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02a8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 180 to 172.23.54.2 port 32784 EAP-Message = 0x010302f2190016030100310200002d0301509d3ef1415eda32ffcebd3266fe173cbfff89917ae81eda6972831a026a39a700002f000005ff0100010016030102a80b0002a40002a100029e3082029a30820182020900bd56242da73748dd300d06092a864886f70d0101050500300f310d300b0603550403130464617274301e170d3132303632383139343531345a170d3232303632363139343531345a300f310d300b060355040313046461727430820122300d06092a864886f70d01010105000382010f003082010a0282010100ca6b2f404628ab86daf42a6fc6bf84841fc22515227dff73a183a6f51a2a22db61143afc8486ff59813449b110 EAP-Message = 0x463c624fe05f1a79e5f347cc1a4ae49a551195f31db873c60037978a2873ec1b990d3c3508d0a5380dd2c013755ba5771905a9e6b9e119a7d58981e7125f745ec893c416a2299c44dfac6ce81ff226ea6154b601a56285572c4658a045b8e160ff29ada8bf9fbd3aab84f6988155b52bf1e8691d7629e7d77cdf1bacf0fb062a7a826d02726fadace6d3ccdb84338d2e05a7867a6bc236f942bf2109a41b8289a9b1214571007a84a0ec2835dfac79beca7faf858ddf2b0483398effde1112e04540a8b83c6f4f3464aec1f10d66ffec7c837b0203010001300d06092a864886f70d010105050003820101000310c2505daf381e21004471bf7cf5ae8a EAP-Message = 0xe16a72c80fb15970c51859f996942e88e6a675834788ab9aa5a57af1a335b4513acd5c39cf3b63151368dac86c6ad0ba965a52636b998d220534d3c913a6f2d64baa46a14d877a6f1a1afdedd7dcc9f990b0ba6b0181cc15abbcab5de4ae2adf002de566cac739b11c770b727a104b4359905dbbf0889cad18af0f31e5be5f28b6619edefff2edc1a5ea6683805b51d1cbeb05c250d23a402de0f4443f01d4a7ddc4bf4ea950151f42aee22dc1c9a81f18aa219499adff4095f9fb6dc2e44f89fe14c0e2f30007748bd4deba341982af01ed8d09dad9bbfcc0ceaa2f4b3d3d94add25259cba48886d837b49af75a8f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea72ce2a3ddda2e08b2ef9a8e Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=181, length=553 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x020301501980000001461603010106100001020100406f5aabae4fb470053ee7cb8a80f8c8dc8f30040d4466009eca6d20f732623e0b4e1e9f8e9a675b81a68adbbdc8a9f05e460f841eea9234efbc9ae86e1c2d5f7de46b73718103e4d495253e86b9d945d1a97fc5ca13b14ca421b5b4f032f65567a027b202a18591d2bf3d5f05bc08dd2c7314c5d3291b55d255135cd1e08bdfb81e37e23bed31b6ef9bbc20face7f65b9679030f889cf3b7fcc3c5b442372b46b50744c8ae4d28bf1417b45900aed22e1f76d0f679bc83186008c10902140b38de9e40ac8b9074c4438479cfba8ecc58fb1c0eca7581fdfb2fc2221ca3cccfd3c379bd0415f0523 EAP-Message = 0x469ea987e74a634ffd9f974fd85c4cf550cfc184882b10d31403010001011603010030c7823f5df8656cb4ecee2830f2dd532e33febb88329d8078398bcf9fc3729371e6acabeeee9022d11176d95facb50e26 State = 0xa52ffbdea72ce2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x6b79b9cd6b15dfedbf49ba57b7edcc45 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 181 to 172.23.54.2 port 32784 EAP-Message = 0x01040041190014030100010116030100305da09efb263d6a8e920ffd363a784a928bc392a6b80309b6f3f3d78becca6e3f7f2f20b3fb0b62520e46decd844eafec Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea62be2a3ddda2e08b2ef9a8e Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=182, length=221 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x020400061900 State = 0xa52ffbdea62be2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x21e270d06fa3b618166b474599d92c03 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 182 to 172.23.54.2 port 32784 EAP-Message = 0x0105002b190017030100209c58a55d01f6f8ea2ebd4dcf6b707ac1854afc0ae1184210876df755426cdebb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea12ae2a3ddda2e08b2ef9a8e Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=183, length=258 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0205002b1900170301002045585f4e63ddae7a1c000e31e0a2eeece7eaa624f2806a9e70e2d046f1391fc7 State = 0xa52ffbdea12ae2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x69f09f61ebca4c76283b5dca004e7ef0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - 1085 [peap] Got inner identity '1085' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020500090131303835 server { PEAP: Setting User-Name to 1085 Sending tunneled request EAP-Message = 0x020500090131303835 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "1085" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 5 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0106001e1a0106001910fe55d9294cefdac440362e653915a34d31303835 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0ae4ec900ae2f69ac6f652def380e816 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0106001e1a0106001910fe55d9294cefdac440362e653915a34d31303835 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0ae4ec900ae2f69ac6f652def380e816 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 183 to 172.23.54.2 port 32784 EAP-Message = 0x0106003b190017030100301000c355cc2c2884bf2f175908e52361b9e5f41b4a0e9a0435c322c46fe8a3c1bc2ddc42ac866a83ae30421b91059630 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea029e2a3ddda2e08b2ef9a8e Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=184, length=306 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0206005b19001703010050ae4fea85f3a5973a84f9b5e1abc47fb5a19be28af5e27780d39c7c29b91526c26e3972a03bee2657e96c715084bd5a5cf5da7d84cda132385eaa3a0d1733b5618ee6286e6e3670119927319542bcb7d2 State = 0xa52ffbdea029e2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x687b1f3b1c9e04fc75d21d0f741b661f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0206003f1a0206003a312198129fe508198faceab807ca41f5580000000000000000bb3261067e2d36651cf535d4d562658d61830fcce9f2a88f0031303835 server { PEAP: Setting User-Name to 1085 Sending tunneled request EAP-Message = 0x0206003f1a0206003a312198129fe508198faceab807ca41f5580000000000000000bb3261067e2d36651cf535d4d562658d61830fcce9f2a88f0031303835 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "1085" State = 0x0ae4ec900ae2f69ac6f652def380e816 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: 1085 [mschap] Told to do MS-CHAPv2 for 1085 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [1085/<via Auth-Type = EAP>] (from client ruckus-controller port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 184 to 172.23.54.2 port 32784 EAP-Message = 0x0107002b19001703010020712d9a3c89066e09d12514449c4e4e166e62bd3626ba278d1cb473bacd1b31aa Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa52ffbdea328e2a3ddda2e08b2ef9a8e Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=185, length=258 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0207002b190017030100205bce9ac93410e019700dbd986065e5a9a84301906e4611ad246471a284fc7e81 State = 0xa52ffbdea328e2a3ddda2e08b2ef9a8e Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x71c3a73b038b1f0a51e530baba2afc96 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1085", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [1085/<via Auth-Type = EAP>] (from client ruckus-controller port 1 cli 00-1E-64-27-2F-52) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 1085 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 23 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 23 Sending Access-Reject of id 185 to 172.23.54.2 port 32784 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 16 ID 178 with timestamp +2309 Cleaning up request 17 ID 179 with timestamp +2309 Cleaning up request 18 ID 180 with timestamp +2309 Cleaning up request 19 ID 181 with timestamp +2309 Cleaning up request 20 ID 182 with timestamp +2309 Cleaning up request 21 ID 183 with timestamp +2309 Cleaning up request 22 ID 184 with timestamp +2309 Waking up in 1.0 seconds. Cleaning up request 23 ID 185 with timestamp +2309 Ready to process requests.
Hi on 20.11.2012 16:22, Brekler Custodio wrote:
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: 1085
[mschap] Told to do MS-CHAPv2 for 1085 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
looks like your authentication data is missing on the server side. cheers Erich
So you mean that my MYSQL Server has a problem with my authentication ? Date: Tue, 20 Nov 2012 16:47:07 +0100 From: erich.titl@think.ch To: freeradius-users@lists.freeradius.org Subject: Re: Problems with 802.1x Hi looks like your authentication data is missing on the server side. cheers Erich - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please send plain text messages. There's no need to send HTML messages with everything bold. Brekler Custodio wrote:
*So i did the debug thing, and i couldnt find the error (im new on linux)*
You were told to read the comments at the top of raddb/sites-available/inner-tunnel. It gives DETAILED INSTRUCTIONS for how to debug this issue. You need to follow instructions, or you will be unsubscribed and banned from the list. Not following instructions means you won't get the problem solved. It means you're wasting your time, and ours. You haven't told the server what the users "known good" password is. How do you expect the server to authenticate anyone, if it doesn't know who the user is? If your users are in sql, you need to edit raddb/sites-available/inner-tunnel. READ IT. Look for "sql", and follow the instructions. It honestly isn't hard. It doesn't require much knowledge about anything. But it DOES require that you read the instructions, and then follow them. Alan DeKok.
Im sorry Alan, im learning how to use this forum. So, i read everything there, BUT there is one thing you dont know, my native language isnt english, so its not that easy to understand everything there.On the Inner-tunnel i already put the SQL. So, here is another question, how can i create an user on freeradius database and do a radtest with mschap ?Is that possible ? Below is the part of inner-tunnel saying about SQL as i said i took off comment. # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Read the 'users' file files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf sql
Brekler Custodio wrote:
So, i read everything there, BUT there is one thing you dont know, my native language isnt english, so its not that easy to understand everything there.
That's OK.
On the Inner-tunnel i already put the SQL.
Well, it didn't show up in the debug log. So you didn't enable sql in that file.
So, here is another question, how can i create an user on freeradius database and do a radtest with mschap ? Is that possible ?
Of course it's possible. See the rlm_sql documentation. It's on the Wiki.
Below is the part of inner-tunnel saying about SQL as i said i took off comment.
OK... you did that AFTER you posted the previous message. Did you provision a user in SQL, as documented in the Wiki? http://wiki.freeradius.org/modules/Rlm_sql Alan DeKok.
Hi,
I did this question yesterday, but since im new i did a lot of wrong things, like no subject, etc etc.
but you still got a couple of answers.
I dont know what is wrong, i THINK its our SQL BD that is not accepting mschap. I would appreciate that people dont answer like "read this, read that, its all explained", like i said, im new on linux, i read everything i found, but didnt got the problem
right. firstly, we say 'rad this' or 'read that' because by reading this or that you will know what to send - for example, dont bother sending the output of radtest because it doesnt matter - you need to post the output of radiusd -X secondly, as per the response you got to your first email
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
look, server is using the 'inner-tunnel' virtual server ....but finds no suitable user. because you havent enabled 'sql' function in the inner-tunnel. look at the 'default' virtual server file. see where it mentions 'sql' - then edit the inner-tunnel and make sure IT ALSO mentions SQL. then go and read the docs on deployingradius.org - and at least buy a good book about FreeRADIUS - only by reading/learning can you get better - or all we are doing is your job for you - in which case, please start paying us :| alan
hi, ..as there seems to be some doubts about how your system is actually working for non-EAP methods (ie whether or not you actually use SQL at all.....) it would be best if you actually sent the 'radiusd -X' output for when a successful authentication occurs. alan
So here is a debug again. Like i said, SQL is uncommented on inner-tunnel. [sql] sql_set_user escaped user --> '1085'rlm_sql (sql): Reserving sql socket id: 3[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1085' ORDER BY id[sql] User found in radcheck table[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1085' ORDER BY id[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1085' ORDER BY priority[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sessaounica' ORDER BY id[sql] User found in group sessaounica[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sessaounica' ORDER BY idrlm_sql (sql): Released sql socket id: 3++[sql] returns ok++[expiration] returns noop++[logintime] returns noopFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP NAK[eap] EAP-NAK asked for EAP-Type/peap[eap] processing type tls[tls] Initiate[tls] Start returned 1++[eap] returns handledSending Access-Challenge of id 112 to 172.23.54.2 port 32784 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12251f2f8eb3c4e11280c2e9be4Finished request 1.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=113, length=320 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0202006919800000005f160301005a01000056030150abbcee3aef4bebb6b083e4ebab3f9771fcceaa242bf28aacd0410787d9666f000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0x50f0e12251f2f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x61f1b2f6f26748268340109333843769# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 2 length 105[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS TLS Length 95[peap] Length Included[peap] eaptls_verify returned 11 [peap] (other): before/accept initialization[peap] TLS_accept: before/accept initialization[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A[peap] >>> TLS 1.0 Handshake [length 02a8], Certificate [peap] TLS_accept: SSLv3 write certificate A[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A[peap] TLS_accept: SSLv3 flush data[peap] TLS_accept: Need to read more data: SSLv3 read client certificate AIn SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED++[eap] returns handledSending Access-Challenge of id 113 to 172.23.54.2 port 32784 EAP-Message = 0x010302f2190016030100310200002d030150abbc056cfc4dc4309294b9ba9790a0730cea2809b7cd66f21c39b632becc0c00002f000005ff0100010016030102a80b0002a40002a100029e3082029a30820182020900bd56242da73748dd300d06092a864886f70d0101050500300f310d300b0603550403130464617274301e170d3132303632383139343531345a170d3232303632363139343531345a300f310d300b060355040313046461727430820122300d06092a864886f70d01010105000382010f003082010a0282010100ca6b2f404628ab86daf42a6fc6bf84841fc22515227dff73a183a6f51a2a22db61143afc8486ff59813449b110 EAP-Message = 0x463c624fe05f1a79e5f347cc1a4ae49a551195f31db873c60037978a2873ec1b990d3c3508d0a5380dd2c013755ba5771905a9e6b9e119a7d58981e7125f745ec893c416a2299c44dfac6ce81ff226ea6154b601a56285572c4658a045b8e160ff29ada8bf9fbd3aab84f6988155b52bf1e8691d7629e7d77cdf1bacf0fb062a7a826d02726fadace6d3ccdb84338d2e05a7867a6bc236f942bf2109a41b8289a9b1214571007a84a0ec2835dfac79beca7faf858ddf2b0483398effde1112e04540a8b83c6f4f3464aec1f10d66ffec7c837b0203010001300d06092a864886f70d010105050003820101000310c2505daf381e21004471bf7cf5ae8a EAP-Message = 0xe16a72c80fb15970c51859f996942e88e6a675834788ab9aa5a57af1a335b4513acd5c39cf3b63151368dac86c6ad0ba965a52636b998d220534d3c913a6f2d64baa46a14d877a6f1a1afdedd7dcc9f990b0ba6b0181cc15abbcab5de4ae2adf002de566cac739b11c770b727a104b4359905dbbf0889cad18af0f31e5be5f28b6619edefff2edc1a5ea6683805b51d1cbeb05c250d23a402de0f4443f01d4a7ddc4bf4ea950151f42aee22dc1c9a81f18aa219499adff4095f9fb6dc2e44f89fe14c0e2f30007748bd4deba341982af01ed8d09dad9bbfcc0ceaa2f4b3d3d94add25259cba48886d837b49af75a8f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12252f3f8eb3c4e11280c2e9be4Finished request 2.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=114, length=553 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x02030150198000000146160301010610000102010052fc6ab5f74faed88f732a0538d77a48fa3deb9108503ec40f8206531f39609c71e35f66c5a66a0ec49efd6945fe33735405a3887c61bee06040eba9898deceabd87deec376645dddb631d3f6e0e3dc6bedad223cc551409e2830be55372e2784f2c413ddb86f63f5d0754a951d8c0003715d9ee327de78a7bd5b06c50ea9a13da60a0e7c88a0686b4703dcfc1862fa84cb8b51c621addd342444b193d72b33615cf0cb23b0825dd07e01c815e3cf23b6b424a87d0734ea286950d1990947f3ae4e33a5809b099021e03f6a8f558b74e2dfb1428a5a0d1a27b8d30638924ce15d8ea236bdf875706 EAP-Message = 0x596949b445b93cf2827465ceb48a5e5b8a5dd9d4e73226c81403010001011603010030f08b6f3ee2cb0addcd2252806d376fd1b3cbe2e533e27c48464edb2c69265975be1e02ed758ab215437c268db670c720 State = 0x50f0e12252f3f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0xe1dd9db2033641f680b15352a87e92fb# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 3 length 253[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS TLS Length 326[peap] Length Included[peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A[peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A[peap] TLS_accept: SSLv3 flush data[peap] (other): SSL negotiation finished successfullySSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED++[eap] returns handledSending Access-Challenge of id 114 to 172.23.54.2 port 32784 EAP-Message = 0x01040041190014030100010116030100300e22d49dbb6f214669d8a30b3c78c585ec453e27cb5169517b5524e86bd8148129dd47dffa51940ac878e293a93c885e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12253f4f8eb3c4e11280c2e9be4Finished request 3.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=115, length=221 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x020400061900 State = 0x50f0e12253f4f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0xee53cacd4d77e7dcb22fca47427888b4# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 4 length 6[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS[peap] Received TLS ACK[peap] ACK handshake is finished[peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS[peap] Session established. Decoding tunneled attributes.[peap] Peap state TUNNEL ESTABLISHED++[eap] returns handledSending Access-Challenge of id 115 to 172.23.54.2 port 32784 EAP-Message = 0x0105002b1900170301002067eb8854081d00e79e60f40c710668bbe9bb1cb23ae3ddf315aba15c96664b81 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12254f5f8eb3c4e11280c2e9be4Finished request 4.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=116, length=258 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0205002b1900170301002011f25d1de4573a4d6b607382b7937ad72dcfdc8025c35ffc8262d6c575a332ef State = 0x50f0e12254f5f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x422fb2bc93adee1824c2743f0cb6ac9e# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 5 length 43[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS[peap] eaptls_verify returned 7 [peap] Done initial handshake[peap] eaptls_process returned 7 [peap] EAPTLS_OK[peap] Session established. Decoding tunneled attributes.[peap] Peap state WAITING FOR INNER IDENTITY[peap] Identity - 1085[peap] Got inner identity '1085'[peap] Setting default EAP type for tunneled EAP session.[peap] Got tunneled request EAP-Message = 0x020500090131303835server { PEAP: Setting User-Name to 1085Sending tunneled request EAP-Message = 0x020500090131303835 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "1085"server inner-tunnel {# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel+- entering group authorize {...}++[chap] returns noop++[mschap] returns noop[suffix] No '@' in User-Name = "1085", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] EAP packet type response id 5 length 9[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] returns updated++[files] returns noop[sql] expand: %{User-Name} -> 1085[sql] sql_set_user escaped user --> '1085'rlm_sql (sql): Reserving sql socket id: 2[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1085' ORDER BY id[sql] User found in radcheck table[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1085' ORDER BY id[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1085' ORDER BY priority[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sessaounica' ORDER BY id[sql] User found in group sessaounica[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sessaounica' ORDER BY idrlm_sql (sql): Released sql socket id: 2++[sql] returns ok[pap] Normalizing MD5-Password from hex encoding[pap] WARNING: Auth-Type already set. Not setting to PAP++[pap] returns noopFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel+- entering group authenticate {...}[eap] EAP Identity[eap] processing type mschapv2rlm_eap_mschapv2: Issuing Challenge++[eap] returns handled} # server inner-tunnel[peap] Got tunneled reply code 11 EAP-Message = 0x0106001e1a0106001910a5427c3c57af2b4b0df19dfd7c05e1fc31303835 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e6fb2559e69a859a38761d07782575e[peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0106001e1a0106001910a5427c3c57af2b4b0df19dfd7c05e1fc31303835 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9e6fb2559e69a859a38761d07782575e[peap] Got tunneled Access-Challenge++[eap] returns handledSending Access-Challenge of id 116 to 172.23.54.2 port 32784 EAP-Message = 0x0106003b19001703010030d06d3dec2d35df98b7712e3479fee7d2b4a51a486939e1f64e88d3129cac05448752ee312195fc1a5dad896fa683a9f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12255f6f8eb3c4e11280c2e9be4Finished request 5.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=117, length=306 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0206005b190017030100506d6e23eb43fc72b6e140432c2f6bd259024e97bd499fb404a85aa2cc502bf31f878bc4d161645bc508e5360bb7e3b3a3b14fa6806f59cde513d6358cf2676b5213da39441b9c6e06146c4277e264788d State = 0x50f0e12255f6f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x01c4189ede0cf29450868b76d88b4a03# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 6 length 91[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS[peap] eaptls_verify returned 7 [peap] Done initial handshake[peap] eaptls_process returned 7 [peap] EAPTLS_OK[peap] Session established. Decoding tunneled attributes.[peap] Peap state phase2[peap] EAP type mschapv2[peap] Got tunneled request EAP-Message = 0x0206003f1a0206003a31f3f264be3a0bd9e7f5ee5d29877771f100000000000000008363cf519598a6d75f816d09036f1af9c4f0743b6766ab1c0031303835server { PEAP: Setting User-Name to 1085Sending tunneled request EAP-Message = 0x0206003f1a0206003a31f3f264be3a0bd9e7f5ee5d29877771f100000000000000008363cf519598a6d75f816d09036f1af9c4f0743b6766ab1c0031303835 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "1085" State = 0x9e6fb2559e69a859a38761d07782575eserver inner-tunnel {# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel+- entering group authorize {...}++[chap] returns noop++[mschap] returns noop[suffix] No '@' in User-Name = "1085", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] EAP packet type response id 6 length 63[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] returns updated++[files] returns noop[sql] expand: %{User-Name} -> 1085[sql] sql_set_user escaped user --> '1085'rlm_sql (sql): Reserving sql socket id: 1[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1085' ORDER BY id[sql] User found in radcheck table[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1085' ORDER BY id[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1085' ORDER BY priority[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sessaounica' ORDER BY id[sql] User found in group sessaounica[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sessaounica' ORDER BY idrlm_sql (sql): Released sql socket id: 1++[sql] returns ok[pap] Normalizing MD5-Password from hex encoding[pap] WARNING: Auth-Type already set. Not setting to PAP++[pap] returns noopFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/mschapv2[eap] processing type mschapv2[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel[mschapv2] +- entering group MS-CHAP {...}[mschap] No Cleartext-Password configured. Cannot create LM-Password.[mschap] No Cleartext-Password configured. Cannot create NT-Password.[mschap] Creating challenge hash with username: 1085[mschap] Told to do MS-CHAPv2 for 1085 with NT-Password[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.[mschap] FAILED: MS-CHAP2-Response is incorrect++[mschap] returns reject[eap] Freeing handler++[eap] returns rejectFailed to authenticate the user.Login incorrect: [1085/<via Auth-Type = EAP>] (from client ruckus-controller port 0 via TLS tunnel)} # server inner-tunnel[peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000[peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000[peap] Tunneled authentication was rejected.[peap] FAILURE++[eap] returns handledSending Access-Challenge of id 117 to 172.23.54.2 port 32784 EAP-Message = 0x0107002b19001703010020a8870087794c4593f6772475d7a48ca632eacf969e37b8182db633804c1a121d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50f0e12256f7f8eb3c4e11280c2e9be4Finished request 6.Going to the next requestWaking up in 4.9 seconds.rad_recv: Access-Request packet from host 172.23.54.2 port 32784, id=118, length=258 User-Name = "1085" Calling-Station-Id = "00-1E-64-27-2F-52" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x0207002b190017030100207ecb93aa8a87194cb12dcd7b82b245a4418b0ecc8b2f058b84011aa1679ecb5d State = 0x50f0e12256f7f8eb3c4e11280c2e9be4 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x04f4a2945af002dc6b57443fbdc704e6# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[mschap] returns noop[eap] EAP packet type response id 7 length 43[eap] Continuing tunnel setup.++[eap] returns okFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group authenticate {...}[eap] Request found, released from the list[eap] EAP/peap[eap] processing type peap[peap] processing EAP-TLS[peap] eaptls_verify returned 7 [peap] Done initial handshake[peap] eaptls_process returned 7 [peap] EAPTLS_OK[peap] Session established. Decoding tunneled attributes.[peap] Peap state send tlv failure[peap] Received EAP-TLV response.[peap] The users session was previously rejected: returning reject (again.)[peap] *** This means you need to read the PREVIOUS messages in the debug output[peap] *** to find out the reason why the user was rejected.[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.[peap] *** what went wrong, and how to fix the problem.[eap] Handler failed in EAP/peap[eap] Failed in EAP select++[eap] returns invalidFailed to authenticate the user.Login incorrect: [1085/<via Auth-Type = EAP>] (from client ruckus-controller port 1 cli 00-1E-64-27-2F-52)Using Post-Auth-Type Reject# Executing group from file /etc/freeradius/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> 1085 attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 7 for 1 secondsGoing to the next requestWaking up in 0.9 seconds.Sending delayed reject for request 7Sending Access-Reject of id 118 to 172.23.54.2 port 32784 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000Waking up in 3.9 seconds.Cleaning up request 0 ID 111 with timestamp +25Cleaning up request 1 ID 112 with timestamp +25Cleaning up request 2 ID 113 with timestamp +25Cleaning up request 3 ID 114 with timestamp +25Cleaning up request 4 ID 115 with timestamp +25Cleaning up request 5 ID 116 with timestamp +25Cleaning up request 6 ID 117 with timestamp +25Waking up in 1.0 seconds.Cleaning up request 7 ID 118 with timestamp +25Ready to process requests.
Hi,
So here is a debug again. Like i said, SQL is uncommented on inner-tunnel.
that better - and yes it is uncommented..the debug shows that nicely :-)
++[sql] returns ok
ok
[pap] Normalizing MD5-Password from hex encoding
the password is MD5 encrypted.
rlm_eap_mschapv2: Issuing Challenge
and thats your problem. 802.1X methods like PEAPv0/MSCHAPv2 (standard microsoft PEAP) DO NOT send the password to the server. instead, they use a challenge-response method. which means that you need to be able to KNOW the actual password - so you need to have a copy of it. this all comes down to compatability....which, once again, highlights the requirements to read the documentation - particularly the web site which I have already mentioned: http://deployingradius.com/documents/protocols/compatibility.html so....the passwords in DB need to be clear or NT-hash your current non 802.1X stuff works becaus the captive portal actually sends the user-password across to the RADIUS server...so it can do an MD5 and see that it just matches the database value. alan
Thanks a lot man! We will test now, thats was my first tought, but i wasnt sure.And the guy that is reponsable for the MYSQL BD doesnt have time to change it.He will test it for me and i will have a response and give a feedback here.
Thanks everyone for the help.We will be looking for a solution.The guy that take cares of our BD said that all our passwords are MD5 and he dont know how to change to MSCHAPv2 or how to generate.And windows dont allow us to connect on 802.1x with MD5. =/
on 20.11.2012 19:21, Brekler Custodio wrote:
Thanks everyone for the help. We will be looking for a solution. The guy that take cares of our BD said that all our passwords are MD5 and he dont know how to change to MSCHAPv2 or how to generate. And windows dont allow us to connect on 802.1x with MD5.
Well, all you have to do is to find the credentials in the database. AFAIK FR looks them up in the radtest table with an attribute of NT-Password. If you have another table where they are located you will either need to adapt the sql query or replicate the credentials. cheers Erich Titl
Hi Eric, sorry, but i didnt understand that very well...Let me see, the FR should do what ?The guy that takes care of our database said "all passwords were generated in MD5 and i dont know how to convert"But the 802.1x on microsoft windows works with MSCHAPv2....Is there a solution for that ? Can FR translate the MD5 to MSCHAPv2 ?
Am 21.11.2012 23:20, schrieb Brekler Custodio:
Hi Eric, sorry, but i didnt understand that very well... Let me see, the FR should do what ? The guy that takes care of our database said "all passwords were generated in MD5 and i dont know how to convert" But the 802.1x on microsoft windows works with MSCHAPv2.... Is there a solution for that ? Can FR translate the MD5 to MSCHAPv2 ?
No.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brekler Custodio wrote:
Hi Eric, sorry, but i didnt understand that very well... Let me see, the FR should do what ? The guy that takes care of our database said "all passwords were generated in MD5 and i dont know how to convert"
You don't convert them. You can't.
But the 802.1x on microsoft windows works with MSCHAPv2.... Is there a solution for that ? Can FR translate the MD5 to MSCHAPv2 ?
The web page posted earlier says it's impossible. This means "impossible". Alan DeKok.
Hi everybody!! I'm using Freeradius since 6 months ago, and It works great. I'm Using freeradus + MySQL to store my users data in a database and authenticate it with an user and a password. Now I Have to attach to each user, 3 MAC-Address, so I'm editting my database (radcheck table) id username attribute op value 1 user1 User-Password := password1 2 user1 Calling-Station-Id = 00:11:22:33:44:55 It works great. Only user1 with password1 can access from the device with MAC-Addr 00:11:22:33:44:55, but I need to attach 3 MAC to each user, so I edit my databe: id username attribute op value 1 user1 User-Password := password1 2 user1 Calling-Station-Id = 00:11:22:33:44:55 3 user1 Calling-Station-Id = 33:44:55:66:77:88 And, in that moment user1 can't logging never. The user1 can't logging from a device with MAC-Addr 00:11:22:33:44:55 or MAC-Addr 33:44:55:66:77:88, or anyone. How can I do this? Thanks a lot!! Andres
Andres Gomez Ruiz wrote:
I'm using Freeradius since 6 months ago, and It works great. I'm Using freeradus + MySQL to store my users data in a database and authenticate it with an user and a password.
Now I Have to attach to each user, 3 MAC-Address, so I'm editting my database (radcheck table)
id username attribute op value 1 user1 User-Password := password1
Use Cleartext-Password. Not User-Password. This has been the recommended configuration for 6 years.
2 user1 Calling-Station-Id = 00:11:22:33:44:55
And see the rlm_sql documentation. The "=" operator is probably not what you want.
It works great. Only user1 with password1 can access from the device with MAC-Addr 00:11:22:33:44:55, but I need to attach 3 MAC to each user, so I edit my databe:
id username attribute op value 1 user1 User-Password := password1 2 user1 Calling-Station-Id = 00:11:22:33:44:55 3 user1 Calling-Station-Id = 33:44:55:66:77:88
And, in that moment user1 can't logging never. The user1 can't logging from a device with MAC-Addr 00:11:22:33:44:55 or MAC-Addr 33:44:55:66:77:88, or anyone.
Read the rlm_sql documentation. All of the check conditions are logically ANDed together. The above configuration says Calling-Station-Id X AND Y. Which is never true, so it always fails. If you want to allow multiple values of an attribute, you're better of putting them into a different SQL table. i.e. create a table of just username && calling-station-Id value. Then, do something like: if ("%{sql: SELECT from... username %{Calling-Station-ID}}" == "") reject } i.e. search the table for User-Name AND Calling-Station-Id value. If an entry isn't found, then reject the user. Alan DeKok.
participants (6)
-
alan buxey -
Alan DeKok -
Andres Gomez Ruiz -
Brekler Custodio -
Erich Titl -
Stephan Kirsten