802.1x radius request reject.
Hi , I have created a user and added a node to that user. But im getting below access reject packet. :( Any clue ? rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=199, length=152 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000c0173616d70617468 Message-Authenticator = 0xe791fd6ef5be4d1bbc964ebf48dcdefa server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Ethernet rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Calling-Station-Id = 78-45-C4-B5-AC-41 rlm_perl: Added pair Called-Station-Id = 00-0A-B7-BC-5A-84 rlm_perl: Added pair Cisco-NAS-Port = FastEthernet0/4 rlm_perl: Added pair Message-Authenticator = 0xe791fd6ef5be4d1bbc964ebf48dcdefa rlm_perl: Added pair User-Name = sampath rlm_perl: Added pair EAP-Message = 0x0200000c0173616d70617468 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 192.168.13.45 rlm_perl: Added pair NAS-Port = 50004 rlm_perl: Added pair Framed-MTU = 1500 rlm_perl: Added pair Auth-Type = EAP ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 199 to 192.168.13.45 port 1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d33cbc0cb31e5b71f340264f3a Finished request 54. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=200, length=279 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d33cbc0cb31e5b71f340264f3a EAP-Message = 0x0201007919800000006f160301006a01000066030152fb07ded3e51b3a9c9aa55b0ba6f46016c14e1644de4fbd07186f436a4f3b4e000018002f00 350005000ac013c014c009c00a003200380013000401000025ff010001000000000c000a00000773616d70617468000a0006000400170018000b00020100 Message-Authenticator = 0x6aafb4e647c1076bc2b718e2181f6671 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 1 length 121 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 111 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 049b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 200 to 192.168.13.45 port 1812 EAP-Message = 0x0102040019c0000004df16030100310200002d030152fb07bc28df3e052535a0db2ea09acfb1e4bce937947a1f3b22eeb766292f1400002f000005 ff01000100160301049b0b0004970004940004913082048d30820375a003020102020900884ec713d33dcea8300d06092a864886f70d01010505003076310b3009060355040613 024341310b30090603550408130251433111300f060355040713084d6f6e747265616c3110300e060355040a1307496e766572736531123010060355040313093132372e302e30 2e313121301f06092a864886f70d0109011612737570706f727440696e76657273652e6361301e170d3134303133303038323134 EAP-Message = 0x325a170d3135303133303038323134325a3076310b3009060355040613024341310b30090603550408130251433111300f060355040713084d6f6e 747265616c3110300e060355040a1307496e766572736531123010060355040313093132372e302e302e313121301f06092a864886f70d0109011612737570706f727440696e76 657273652e636130820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6e98c86adb80fda9fe7c0396961929f7fb69fe2fe295ea79c8b71b9375ef 72feee48711980d5a8fd428e6e3233e0daf800f73b0b7095f2d669c6bce2faaeda9d4734c0a20aaeeb948771b6cbf52daef842d4 EAP-Message = 0xcc7c33a9c611e08be2ffe2c786ad1b685d607f90126c4d262bed4c683e97cdd39c6d03a7c3f2d2acea03542ce43004008518611445858caecde8e5 84104684170db2327c16861bdb2a7e6d827cf4c25197275278d702626a3b2bbcaf28d011d37252e79b7d041c2c0f715134ba4d92afdd9c9f09411877ba134798ff6d74c11ea95f e96c2f70e2c4c42333f750dc88cca9fb13c960eff392c7981f34ab6b27169db27f9f1a8832a8901ffcf29b0203010001a382011c30820118301d0603551d0e04160414d35fe892 a095707f22eee3cb19be4b6cab49ee3c3081a80603551d230481a030819d8014d35fe892a095707f22eee3cb19be4b6cab49ee3c EAP-Message = 0xa17aa4783076310b3009060355040613024341310b30090603550408130251433111300f060355040713084d6f6e747265616c3110300e06035504 0a1307496e766572736531123010060355040313093132372e302e302e313121301f06092a864886f70d0109011612737570706f727440696e76657273652e6361820900884ec7 13d33dcea8300c0603551d130101ff0402300030090603551d1204023000300b0603551d0f0404030205e030130603551d25040c300a06082b0601050507030130110609608648 0186f8420101040403020640300d06092a864886f70d010105050003820101009e1fdecc9821df724b9d9c78b12af5551673703f EAP-Message = 0xd588ff15429f1f34ed6b7926 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d33dbf0cb31e5b71f340264f3a Finished request 55. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=201, length=164 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d33dbf0cb31e5b71f340264f3a EAP-Message = 0x020200061900 Message-Authenticator = 0x353191b59561f9f1fe76fed6e28ef8a9 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 201 to 192.168.13.45 port 1812 EAP-Message = 0x010300ef19007bb5e27c4da9bd39dfefc5c3402654575ff7204a10c5e4f018a975a2630c5599830e34267ba452b94ac1b7e2442ea616aecc99dc4b 47687b862d9b4df2fc607342e483df9231cd5c320f09ad144ba7980db161959853db1ca476fcdee76a1fae8744e7583d57291c42904a8c353f7f1ee417e4625efd2a6d8662301c 778e81f944fa4fa66deacb7f01d8687b39b7cc9054c58e4e0a43146042677aa701399ca609a08a9a4bf7a57c9bf36f03898dc606d7fd92cefd01b3976d1f2c217ce90a8dd1a956 c7b0e34d4e99e54f6278e229e3ed458dc2c4f7512023ccd6384a517bef16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d33ebe0cb31e5b71f340264f3a Finished request 56. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=202, length=496 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d33ebe0cb31e5b71f340264f3a EAP-Message = 0x02030150198000000146160301010610000102010059580f2ba30cc29dc5a15d7df2a9dead82de23679970708fb1c0ace280aee5f6db7256ef1b8f 659768e6e6959d71b576fd75c2d10e484741edf492f0fa72cf2144616a2591fa8bf10da5959fbbd6f98e9d1ae6005c890cb35f4038e0015a8fe69801f8c6601f096a1b5fed5ddf 07c16cdf1845a9bc0fea83db38aa4dba5ab0448f1b78e51230b7d3dadaf1b369882273d34c58ffd4e2d11ad96c5136019a2591a4a667b230511e776e954539b63327cacec28be8 84ffe88fee2be913ee19e0c69396495a1242a0fbaeb5d10536cb5b26670d7e32ee27a4715b402bda8bf497a8564e1832f28df7f5 EAP-Message = 0x31026b26edf1c7a46c69b5f35940c27541d48a52a1e235d91403010001011603010030d7cb7d641679a62d43055e25b36a2a4e2c487b7b313cb39d 38a3bd9d2dc5a4920a83fe83098070b6211205c38efa7b68 Message-Authenticator = 0x69c90a78fea5c6b936dbe253ccf88a43 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 202 to 192.168.13.45 port 1812 EAP-Message = 0x01040041190014030100010116030100302d72e9da629993e710a01375e44f3ff6c496bc91aafe3b5efea86d1af805a7b9a01238efc53d2efc31a7 ff63472088bf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d33fb90cb31e5b71f340264f3a Finished request 57. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=203, length=164 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d33fb90cb31e5b71f340264f3a EAP-Message = 0x020400061900 Message-Authenticator = 0x3c84ad083e4e9d0a8240786169b376cf server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 203 to 192.168.13.45 port 1812 EAP-Message = 0x0105002b19001703010020233ca5ac7fdbf4aee3541cb39f7899bb7e74ea734215947f14d822d238425e59 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d338b80cb31e5b71f340264f3a Finished request 58. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=204, length=201 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d338b80cb31e5b71f340264f3a EAP-Message = 0x0205002b19001703010020738e4cb80e9a4f1f0d240d62bd1cecdd81e2ceef1fcd8a736f92a620ab1e6827 Message-Authenticator = 0x4d5068c89b9e99b0fcac71687069f264 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - sampath [peap] Got inner identity 'sampath' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000c0173616d70617468 server packetfence { [peap] Setting User-Name to sampath Sending tunneled request EAP-Message = 0x0205000c0173616d70617468 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sampath" NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 server packetfence-tunnel { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "sampath", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 5 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server packetfence-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010600211a0106001c103c9631cb9240941b8ff7cb26b01cdccd73616d70617468 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb763a09fb765baae8b5ff4f7e1e703c3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600211a0106001c103c9631cb9240941b8ff7cb26b01cdccd73616d70617468 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb763a09fb765baae8b5ff4f7e1e703c3 [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 204 to 192.168.13.45 port 1812 EAP-Message = 0x0106004b190017030100407ea62a6842f0b519ec0bf48a630b60f7e9f84151bee10b16cba686cd23951470367e059996c25fe5f9ab0312a3af8e05 222bd031372641bbc939adbacd345ea6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d339bb0cb31e5b71f340264f3a Finished request 59. Going to the next request Waking up in 3.0 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=205, length=265 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d339bb0cb31e5b71f340264f3a EAP-Message = 0x0206006b190017030100605c575006ef74492c6d35cf856541302dd4f1fb1272c048206638ab77315df28a5585a4cbd8fe6b9accf1e03d27ac3c2c 64d8052b1d08f12dcc61829dbddd05acb0dff7a2427b7fb0f096fe68defb30cecd74a4b9321c185184166c83c77f60a7 Message-Authenticator = 0xdaa88d9bc6343059a93a80ca449d11ae server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 6 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600421a0206003d31e3766c4f25bb1e54194b8e8fc97544ed0000000000000000fead0628b2da8557a51d90b546624ef9f4ee5e1bdf2eec4400 73616d70617468 server packetfence { [peap] Setting User-Name to sampath Sending tunneled request EAP-Message = 0x020600421a0206003d31e3766c4f25bb1e54194b8e8fc97544ed0000000000000000fead0628b2da8557a51d90b546624ef9f4ee5e1bdf2eec4400 73616d70617468 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sampath" State = 0xb763a09fb765baae8b5ff4f7e1e703c3 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 server packetfence-tunnel { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "sampath", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 6 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sampath [mschap] Client is using MS-CHAPv2 for sampath, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [sampath] (from client 192.168.13.45 port 50004 cli 78-45-C4-B5-AC-41 via TLS tunnel) } # server packetfence-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 205 to 192.168.13.45 port 1812 EAP-Message = 0x0107002b190017030100204facc5d6c6a20c7d1d8da40959527f726dbb84e495fd0ebc71ea913fc79b2b12 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cbd15d33aba0cb31e5b71f340264f3a Finished request 60. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=206, length=201 NAS-IP-Address = 192.168.13.45 NAS-Port = 50004 Cisco-NAS-Port = "FastEthernet0/4" NAS-Port-Type = Ethernet User-Name = "sampath" Called-Station-Id = "00-0A-B7-BC-5A-84" Calling-Station-Id = "78-45-C4-B5-AC-41" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cbd15d33aba0cb31e5b71f340264f3a EAP-Message = 0x0207002b19001703010020e803f872cda2fc4834ed5079ccedbc963ca3580ad74aada3ce4f6ef81e932f3a Message-Authenticator = 0x2b593816dc1b145744204630a7a77fee server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sampath", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [sampath] (from client 192.168.13.45 port 50004 cli 78-45-C4-B5-AC-41) } # server packetfence Using Post-Auth-Type REJECT # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> sampath attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 61 for 1 seconds Going to the next request Waking up in 0.4 seconds. Cleaning up request 54 ID 199 with timestamp +2742 Cleaning up request 55 ID 200 with timestamp +2742 Cleaning up request 56 ID 201 with timestamp +2742 Cleaning up request 57 ID 202 with timestamp +2742 Waking up in 0.4 seconds. Sending delayed reject for request 61 Sending Access-Reject of id 206 to 192.168.13.45 port 1812 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 58 ID 203 with timestamp +2743 Waking up in 1.2 seconds. Cleaning up request 59 ID 204 with timestamp +2744 Waking up in 0.8 seconds. Cleaning up request 60 ID 205 with timestamp +2745 Waking up in 2.7 seconds. Cleaning up request 61 ID 206 with timestamp +2747 Ready to process requests. Regards, Sampath Jayashantha
On 2/12/2014 2:11 AM, sampath jayashantha wrote:
I have created a user and added a node to that user. But im getting below access reject packet. :( Any clue ? ... [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sampath [mschap] Client is using MS-CHAPv2 for sampath, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
This might have something to do with an Access-Reject - no password is configured.
Logs show failure clearly in the inner tunnel section (ie in EAP tunnel) with MSCHAPv2. How did you add the user (is what authentication source are you using? ). Alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (3)
-
Alan Buxey -
Michael Lecuyer -
sampath jayashantha