Calling-Station-Id problem
While I am using Calling-Station-Id freeradius does not authenicate user. Without calling-station-id (user Rob) works Ok. Can anybody point me where is the problem? Checkval exists in radiusd.conf. Freeradius 1.1.7 user file: "Alan" User-Password == "12345", Calling-Station-Id == "000d88b7c2de" "Rob" User-Password == "123456" DEFAULT Auth-Type = EAP,EAP-Type == PEAP, Proxy-To-Realm = LOCAL Log from radius -X: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 130 main: cleanup_delay = 10 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/freeradius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/freeradius/radiusd.pid" main: user = "radius" main: group = "radius" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 172.31.24.5:3072, id=251, length=165 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000901416c616e Message-Authenticator = 0x36f26f3a7c8b798487109763eb96cd27 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 251 to 172.31.24.5 port 3072 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x854dad26886ed00ab4b5e6f6d19f6522 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=252, length=248 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201005019800000004616030100410100003d030147cc3736db5e9f7b74ca06e03b0928e1538c857753c00714d5b6172b83a2f1c700001600040005000a000900640062000300060013001200630100 State = 0x854dad26886ed00ab4b5e6f6d19f6522 Message-Authenticator = 0xc0a2e10327eb7fd02dce5466a383720f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 068c], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 252 to 172.31.24.5 port 3072 EAP-Message = 0x0102040a19c0000006e9160301004a02000046030147cc3735c68f91743abcdcf4e62efe498cad33cd0e54dcb8917a76f615b93ea1205f43b914f688e84cb8018a0f31594d70111f77479ad3ac01c9ab2e430d4c03e8000400160301068c0b0006880006850002c3308202bf30820228a003020102020102300d06092a864886f70d010104050030819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669 EAP-Message = 0x636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3038303231333137343931385a170d3039303231323137343931385a308196310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c663119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100 EAP-Message = 0xd53e1d96341e171fe6e321579c4b2050b45432a75f542f1fd08c3e91bc7a5ece4a2fab8bdd9b95254a2640d98bde40cb3b8b141a429f1e5722dd7f468e6f28c9076924501b32bf1a26d0248b169d7d7707ef258c3a91ca914c27b50d1d134dd6ec3442724ee400bdf34de1aa81915541fabb78c551b482271f3f3a31400e56a50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181000c6bacc2a9729353c7bcc9bf0c6af6c238a955e86d2239f9afbb9eb4673b35dda0d624f4b230b8fca3cc76d5b410b00fb288b51b5191b681d367346a381f3139a688907d5369929ce40e4381 EAP-Message = 0xfdf337efd1037903b93cbe136a0ec7cb824e8c1f24bf4a42730fe0a102999d005dbd9290d73e34408f73538f14f1637c0d0a94fa0003bc308203b830820321a003020102020900fe302b7473e56e25300d06092a864886f70d010104050030819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e EAP-Message = 0x170d3038303231333137343931375a170d3130303231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x225dc9b0f53c788ee6abf494669e4a97 Finished request 1 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=253, length=174 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x225dc9b0f53c788ee6abf494669e4a97 Message-Authenticator = 0xfddbf430d42c394438bf81081d3258d4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 253 to 172.31.24.5 port 3072 EAP-Message = 0x010302ef1900323137343931375a30819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5288e75258711ea53b6272a3d9e1ac933659aee762f05f94ac91a37dd1e6212a25bbc5a625b8521414f5c72ff73b75a4e9c5d5e6c EAP-Message = 0x3bb9d52a5f4175690f53b8f916f400457e9446e4cdfc8b5b3c6283ee59680e76d76cfb5f63a91bd0ba6b87b457b447a9e2c3eb81f46f455b4828d330fb632512e8e13ee63501e915579be70203010001a38201023081ff301d0603551d0e041604144294adf9ac7fdc7368010e0b74b1567ca72bdaff3081cf0603551d230481c73081c480144294adf9ac7fdc7368010e0b74b1567ca72bdaffa181a0a4819d30819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66 EAP-Message = 0x311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820900fe302b7473e56e25300c0603551d13040530030101ff300d06092a864886f70d0101040500038181003acdd2bd80994ed5ed556511893b756096f2e04a68bd76d3c808b863eefcdb336643503a98e703f236847ba53ef7d0fb3acb336d0ececfbe4db288b1e5dd761be647f6c41758a25d29893da193cf283927412d1f43a14732538fb6561f75053b8f614e405915f7e3a644a668fb0678b943a70267918a66253ac66ef2eb91946e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138e1ae94954e4ecf35ede84440ca72a Finished request 2 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=254, length=360 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300c01980000000b61603010086100000820080d24cb08b0f54f55d667b22fa12fd17d8734c9f72f3bc1bc6194e7f06aa6049cce9a80537ba8e7a04c4b747f76d73369088d075e849121ae9671089615253f14b57fd288c87a3005b06f6892d2d5298c99805904b22a2a4d70e5b0a1043934edee17fb0fa87428da856994528c894bd334efc954a6ded4c2225dec522a919ac901403010001011603010020910db96549a895936f5a838ac163a5477eda49b8db627bf8f950e186af38b879 State = 0x138e1ae94954e4ecf35ede84440ca72a Message-Authenticator = 0x09248c2d678d08f21c7e6f1c709919b0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 254 to 172.31.24.5 port 3072 EAP-Message = 0x010400311900140301000101160301002091832d731f9b611bad4849aa4b434dbe7a007f1b27c22eabfd50186def05aa59 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb28e18e11971bea114c5f33d9553be94 Finished request 3 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=255, length=174 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xb28e18e11971bea114c5f33d9553be94 Message-Authenticator = 0x25028b760b874b24fa5b230f2845c1e9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 255 to 172.31.24.5 port 3072 EAP-Message = 0x010500201900170301001503c7d257d00c2a8b66e61da33ac90e9f46e64008eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63a9a011cb440f1764c400829d620784 Finished request 4 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=0, length=200 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02050020190017030100158062f4e6f0f82657148b728a47b27a1668346620a6 State = 0x63a9a011cb440f1764c400829d620784 Message-Authenticator = 0x667309eff9ae4429e7cb839d004862d2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 32 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - Alan rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of Alan PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to Alan Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 0 to 172.31.24.5 port 3072 EAP-Message = 0x010600351900170301002abf681cc96b5bfd18d9bd68643881c983e41fe0edd6db70cfda44a15d69331e6dc098430e91f0507a2fef Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c95c2cb158dbcc00d17949a40db79e4 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 10 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=1, length=254 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600561900170301004b280de7cbc04e2a2d0b5780a2d1191499d9c94090d976c0b7838820b67e679a5c9cfc45fdf68f26c79f6e0708ef896ad40f4d24e6054373546f84e2bdf063d2c882493b635280d29843d891 State = 0x5c95c2cb158dbcc00d17949a40db79e4 Message-Authenticator = 0x527e8d41e5049a9fd0cfd322f8f751e6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 86 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to Alan PEAP: Adding old state with 30 1d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for Alan with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. Login incorrect: [Alan/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 1 to 172.31.24.5 port 3072 EAP-Message = 0x010700261900170301001bfa287419faaafdfc0c9559ffeac779d87e28498f8290d2471d1cb8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0756170755ef1f11e470046fdd2ddb21 Finished request 6 Going to the next request Waking up in 10 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=2, length=206 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700261900170301001b93d5724aed8c5542d7a5fa3ea9f781fb2aabf96b257048b2a6167e State = 0x0756170755ef1f11e470046fdd2ddb21 Message-Authenticator = 0x1fd54e8a78f50995009d1cb56386a5af Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Login incorrect: [Alan/<no User-Password attribute>] (from client Wifi2 port 0 cli 000d88b7c2de) Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 10 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 172.31.24.5 port 3072 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 0 ID 251 with timestamp 47cc3735 Cleaning up request 1 ID 252 with timestamp 47cc3735 Cleaning up request 2 ID 253 with timestamp 47cc3735 Cleaning up request 3 ID 254 with timestamp 47cc3735 Cleaning up request 4 ID 255 with timestamp 47cc3735 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 0 with timestamp 47cc3736 Cleaning up request 6 ID 1 with timestamp 47cc3736 Cleaning up request 7 ID 2 with timestamp 47cc3736 Nothing to do. Sleeping until we see a request.
Fix obvious errors: - first line in eap.conf says not to use Auth-Type EAP - instructions in users file (FAQ etc.) suggest a different password attribute. Ivan Kalik Kalik Informatika ISP Dana 3/3/2008, "Rob" <robwro@gmail.com> piše:
While I am using Calling-Station-Id freeradius does not authenicate user. Without calling-station-id (user Rob) works Ok. Can anybody point me where is the problem? Checkval exists in radiusd.conf.
Freeradius 1.1.7 user file: "Alan" User-Password == "12345", Calling-Station-Id == "000d88b7c2de" "Rob" User-Password == "123456" DEFAULT Auth-Type = EAP,EAP-Type == PEAP, Proxy-To-Realm = LOCAL
Log from radius -X: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 130 main: cleanup_delay = 10 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/freeradius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/freeradius/radiusd.pid" main: user = "radius" main: group = "radius" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 172.31.24.5:3072, id=251, length=165 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000901416c616e Message-Authenticator = 0x36f26f3a7c8b798487109763eb96cd27 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 251 to 172.31.24.5 port 3072 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x854dad26886ed00ab4b5e6f6d19f6522 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=252, length=248 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201005019800000004616030100410100003d030147cc3736db5e9f7b74ca06e03b0928e1538c857753c00714d5b6172b83a2f1c700001600040005000a000900640062000300060013001200630100 State = 0x854dad26886ed00ab4b5e6f6d19f6522 Message-Authenticator = 0xc0a2e10327eb7fd02dce5466a383720f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 068c], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 252 to 172.31.24.5 port 3072 EAP-Message = 0x0102040a19c0000006e9160301004a02000046030147cc3735c68f91743abcdcf4e62efe498cad33cd0e54dcb8917a76f615b93ea1205f43b914f688e84cb8018a0f31594d70111f77479ad3ac01c9ab2e430d4c03e8000400160301068c0b0006880006850002c3308202bf30820228a003020102020102300d06092a864886f70d010104050030819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669 EAP-Message = 0x636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3038303231333137343931385a170d3039303231323137343931385a308196310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c663119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100 EAP-Message = 0xd53e1d96341e171fe6e321579c4b2050b45432a75f542f1fd08c3e91bc7a5ece4a2fab8bdd9b95254a2640d98bde40cb3b8b141a429f1e5722dd7f468e6f28c9076924501b32bf1a26d0248b169d7d7707ef258c3a91ca914c27b50d1d134dd6ec3442724ee400bdf34de1aa81915541fabb78c551b482271f3f3a31400e56a50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181000c6bacc2a9729353c7bcc9bf0c6af6c238a955e86d2239f9afbb9eb4673b35dda0d624f4b230b8fca3cc76d5b410b00fb288b51b5191b681d367346a381f3139a688907d5369929ce40e4381 EAP-Message = 0xfdf337efd1037903b93cbe136a0ec7cb824e8c1f24bf4a42730fe0a102999d005dbd9290d73e34408f73538f14f1637c0d0a94fa0003bc308203b830820321a003020102020900fe302b7473e56e25300d06092a864886f70d010104050030819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e EAP-Message = 0x170d3038303231333137343931375a170d3130303231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x225dc9b0f53c788ee6abf494669e4a97 Finished request 1 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=253, length=174 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x225dc9b0f53c788ee6abf494669e4a97 Message-Authenticator = 0xfddbf430d42c394438bf81081d3258d4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 253 to 172.31.24.5 port 3072 EAP-Message = 0x010302ef1900323137343931375a30819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c5288e75258711ea53b6272a3d9e1ac933659aee762f05f94ac91a37dd1e6212a25bbc5a625b8521414f5c72ff73b75a4e9c5d5e6c EAP-Message = 0x3bb9d52a5f4175690f53b8f916f400457e9446e4cdfc8b5b3c6283ee59680e76d76cfb5f63a91bd0ba6b87b457b447a9e2c3eb81f46f455b4828d330fb632512e8e13ee63501e915579be70203010001a38201023081ff301d0603551d0e041604144294adf9ac7fdc7368010e0b74b1567ca72bdaff3081cf0603551d230481c73081c480144294adf9ac7fdc7368010e0b74b1567ca72bdaffa181a0a4819d30819a310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e310d300b060355040b1304776f6c66 EAP-Message = 0x311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820900fe302b7473e56e25300c0603551d13040530030101ff300d06092a864886f70d0101040500038181003acdd2bd80994ed5ed556511893b756096f2e04a68bd76d3c808b863eefcdb336643503a98e703f236847ba53ef7d0fb3acb336d0ececfbe4db288b1e5dd761be647f6c41758a25d29893da193cf283927412d1f43a14732538fb6561f75053b8f614e405915f7e3a644a668fb0678b943a70267918a66253ac66ef2eb91946e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x138e1ae94954e4ecf35ede84440ca72a Finished request 2 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=254, length=360 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300c01980000000b61603010086100000820080d24cb08b0f54f55d667b22fa12fd17d8734c9f72f3bc1bc6194e7f06aa6049cce9a80537ba8e7a04c4b747f76d73369088d075e849121ae9671089615253f14b57fd288c87a3005b06f6892d2d5298c99805904b22a2a4d70e5b0a1043934edee17fb0fa87428da856994528c894bd334efc954a6ded4c2225dec522a919ac901403010001011603010020910db96549a895936f5a838ac163a5477eda49b8db627bf8f950e186af38b879 State = 0x138e1ae94954e4ecf35ede84440ca72a Message-Authenticator = 0x09248c2d678d08f21c7e6f1c709919b0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 254 to 172.31.24.5 port 3072 EAP-Message = 0x010400311900140301000101160301002091832d731f9b611bad4849aa4b434dbe7a007f1b27c22eabfd50186def05aa59 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb28e18e11971bea114c5f33d9553be94 Finished request 3 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=255, length=174 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xb28e18e11971bea114c5f33d9553be94 Message-Authenticator = 0x25028b760b874b24fa5b230f2845c1e9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 255 to 172.31.24.5 port 3072 EAP-Message = 0x010500201900170301001503c7d257d00c2a8b66e61da33ac90e9f46e64008eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63a9a011cb440f1764c400829d620784 Finished request 4 Going to the next request Waking up in 11 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=0, length=200 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02050020190017030100158062f4e6f0f82657148b728a47b27a1668346620a6 State = 0x63a9a011cb440f1764c400829d620784 Message-Authenticator = 0x667309eff9ae4429e7cb839d004862d2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 32 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - Alan rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of Alan PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to Alan Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 0 to 172.31.24.5 port 3072 EAP-Message = 0x010600351900170301002abf681cc96b5bfd18d9bd68643881c983e41fe0edd6db70cfda44a15d69331e6dc098430e91f0507a2fef Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c95c2cb158dbcc00d17949a40db79e4 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 10 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=1, length=254 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600561900170301004b280de7cbc04e2a2d0b5780a2d1191499d9c94090d976c0b7838820b67e679a5c9cfc45fdf68f26c79f6e0708ef896ad40f4d24e6054373546f84e2bdf063d2c882493b635280d29843d891 State = 0x5c95c2cb158dbcc00d17949a40db79e4 Message-Authenticator = 0x527e8d41e5049a9fd0cfd322f8f751e6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 86 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to Alan PEAP: Adding old state with 30 1d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for Alan with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. Login incorrect: [Alan/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 1 to 172.31.24.5 port 3072 EAP-Message = 0x010700261900170301001bfa287419faaafdfc0c9559ffeac779d87e28498f8290d2471d1cb8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0756170755ef1f11e470046fdd2ddb21 Finished request 6 Going to the next request Waking up in 10 seconds... rad_recv: Access-Request packet from host 172.31.24.5:3072, id=2, length=206 User-Name = "Alan" NAS-IP-Address = 172.31.24.5 NAS-Port = 0 Called-Station-Id = "004f620bb571" Calling-Station-Id = "000d88b7c2de" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700261900170301001b93d5724aed8c5542d7a5fa3ea9f781fb2aabf96b257048b2a6167e State = 0x0756170755ef1f11e470046fdd2ddb21 Message-Authenticator = 0x1fd54e8a78f50995009d1cb56386a5af Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Alan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry Alan at line 1 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Login incorrect: [Alan/<no User-Password attribute>] (from client Wifi2 port 0 cli 000d88b7c2de) Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 10 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 172.31.24.5 port 3072 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 0 ID 251 with timestamp 47cc3735 Cleaning up request 1 ID 252 with timestamp 47cc3735 Cleaning up request 2 ID 253 with timestamp 47cc3735 Cleaning up request 3 ID 254 with timestamp 47cc3735 Cleaning up request 4 ID 255 with timestamp 47cc3735 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 0 with timestamp 47cc3736 Cleaning up request 6 ID 1 with timestamp 47cc3736 Cleaning up request 7 ID 2 with timestamp 47cc3736 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rob wrote:
While I am using Calling-Station-Id freeradius does not authenicate user. Without calling-station-id (user Rob) works Ok. Can anybody point me where is the problem? Checkval exists in radiusd.conf.
Checkval isn't needed. I have no idea why you would use it here.
Freeradius 1.1.7 user file: "Alan" User-Password == "12345", Calling-Station-Id == "000d88b7c2de"
You don't need quotes around the user name. The examples in the "users" file show this. You need to use Cleartext-Password := ..., too. This is in the FAQ.
"Rob" User-Password == "123456" DEFAULT Auth-Type = EAP,EAP-Type == PEAP, Proxy-To-Realm = LOCAL
Delete that last line. I have no idea why so many people insist on setting Auth-Type. Can you please explain why you added it, and which documentation said it was a good idea? All of the documentation that is shipped with the server says that you are NOT supposed to add it.
Log from radius -X: ... peap: copy_request_to_tunnel = no
The Calling-Station-Id is *not* present in the tunneled request. So... unless you set this to "yes", the entry above in the "users" file will NOT match! And the debug log shows this: ...
modcall[authorize]: module "files" returns notfound for request 6
See? No match.
modcall: leaving group authorize (returns updated) for request 6 ... rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for Alan with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
And then authentication fails. Alan DeKok.
participants (3)
-
Alan DeKok -
Ivan Kalik -
Rob