No Aoth Type problem again
Hi Ivan: The password is in the ldap server as one of attributes binded to the user (userPassword: {CRYPT}something). I posted the debugging info here and thanks a lot for your help! Andy ------------The radiusd -X debugging info for a failed authentication request : rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=90, length=156 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000b01616e6479616e Message-Authenticator = 0x1b640e34d5907297f26e0150e954b295 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:10 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for andyan WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan) expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.eciad.ca:389, authentication 0 rlm_ldap: bind as / to ldap1.eciad.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user andyan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 90 to 10.10.10.228 port 1059 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce343774ce3522073b392edc718830e4 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=91, length=275 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201007015800000006616030100610100005d0301485ae7246df7cad8b3977bcb702121baac84e2a85197943b52e273243aa1543a000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 State = 0xce343774ce3522073b392edc718830e4 Message-Authenticator = 0xcb10e2b9445f9958feaab918576268bc +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:11 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 112 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 102 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 91 to 10.10.10.228 port 1059 EAP-Message = 0x0102040015c0000008bb160301004a020000460301485ae717624920311e0af361309e5511218e8ea118be1011bdb69298297e6bc620d3e32b8f78ff7c31566794a16b1267cba749c6950eb8651a1e7211ac9cc9c4ad002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383232303934315a170d3039303631383232303934315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5d8f1bfb0aec2555c5e034ee4677c814ac120afc2c6737fae65f755df4a EAP-Message = 0x2af9434f85596064fc5bcd9b5f2e16f426c39ff51614c80a65c2e067a3a4c7911a38a3b8839007ea4d03cbda93410f383e643cd8bd788e9e14d2b3abd1067ad10efcc6eb0f8b8c0302ff00327e8604af8c16debd1e6ca2195d2b8187ca25e77d5f7bd4c84b985981baf5fd0be7cabe98da5d14817bd3ad62f2ac4f281098433100a22663ddb348f2a6ed0dd82f1de13a8ad2a57a3afe6d1e82eca0bf7f708ef7b7999a1af5b78b30171d2a40ce03d8b4daedcacd5bd389559f4b7fc82a4c411712829a3b5a09686b33a1c50abe21e8cff6189d8a481e19871e6f8b629e79dbf5ff590203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100abdc8d29f0855dd309bd358b192e5c368fa45e161de5671519a4ae6db6c8ed586c8a6c3565dbc39b7c3c648061daabd6d1a220997c7caf6d105df85affd385a5dbae3b9b9040f59b066fa399496d909f04ffbe88e13cb90791e3fa8cb66577101e2967fe5a9d562b5c903c7f3625c59de375241836391ccb85aaad9d02a15af33203b928cdff6276ad00bfdaf17f5ef12d0370926d5dee595b22f0dd8a332ffe2c6e3f80d55551787a6b58e31933c44a6282f6eaaefc8c454955db064b742cf6907cf558d08da46b3a3e1925581fee05bb6ca641511d4f35c7880bbedfed8ea20f0276b21a85 EAP-Message = 0x2889877f5db3c70defc739be Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce343774cf3622073b392edc718830e4 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=92, length=169 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061500 State = 0xce343774cf3622073b392edc718830e4 Message-Authenticator = 0x5e4e63959239fca2486e0190d9d3c54a +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:11 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 92 to 10.10.10.228 port 1059 EAP-Message = 0x0103040015c0000008bbcef8e8135051d22c8e604c46bbe50004ab308204a73082038fa003020102020900964407b7ca8a72e7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383232303933395a170d3038303731383232303933395a308193310b EAP-Message = 0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e71a28d861d1bc000ead67dda77fc24c88fd7f4e6b154ec39e6c1328da93acb45c4203d45485a76bd3ebf28e55486d785b45f54c81ee601a8e73e1c07d16f606a1b6146055903f54ebc8a5 EAP-Message = 0x06d421fb703b664bc1a37493d95559d894f04a2ca09c3c5292e9d82cff10a031177cab034ab883b3871e6c2460325a0d8a2a68322698cde33ad81ed808a429177249ff720932bea36f3558c8037fba4110a20451ed263bdd7021686bc816249ff209de18ebc36a923977b852b198a70b3601fb87b263c740a0d191a59591300981709f9beb6987b67bdfa820db88dcb3c3af3fa827552afb43f6accf386739f292c311b7f6287609afec629a4b8f1c0c0d4a9e165d0203010001a381fb3081f8301d0603551d0e041604148fc1ab4304f6a473ea66c4512ef6f9a078dbe3623081c80603551d230481c03081bd80148fc1ab4304f6a473ea66c4512ef6 EAP-Message = 0xf9a078dbe362a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900964407b7ca8a72e7300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008c2687a029f098693008dbc4ee9968c7e71b0a4792003dc2d62403a142c75c227df610ac8979ffd430cf55103bab EAP-Message = 0xb78977c9a55b9a3571e655a3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce343774cc3722073b392edc718830e4 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=93, length=169 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061500 State = 0xce343774cc3722073b392edc718830e4 Message-Authenticator = 0x3d44409ada91a802ad38c9516b7bd15f +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:11 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 93 to 10.10.10.228 port 1059 EAP-Message = 0x010400d91580000008bb04ae601515d34e563c02cc3de859401a836dc8d5b9e0c675cc610078839fc238a6f3ca30ce79381a61c588416489587635fe1fa874b66bc643d652e322305ad54f40382d23f7fe74c6df9df734c099780d8604e304ca13d8bc9e2bb3ebd9221731634de6099bb36ff584bae8b16bfd00d3b19ffe67c20b40e9d66366325f55810904fc6fa593c6186bf3cedd075e3c447a65a23d444547c434ec02220b377133980437496ee79601f296ea241e10ed902bcdf83adac9980a26ac91f4b034ef1e88febcd2e3a416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce343774cd3022073b392edc718830e4 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=94, length=501 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204015015800000014616030101061000010201006f8b4a08f82354917c986395fa9a274fdae1c99fa5016c83526d76183458f4f18db894c0602c67f245007cda75b0bc6267972a5ec6b7b9be1d2bcbf7f8e86d5532a48e861efdc5e232d31e8bf91a4c5edf9c68ffa4c193312122387311da7af75adf30ed6ed034f9a1a57785455f2673482e9339b36ff9784f924f0b50ebaf6bdccdd15f3f1c075208eea7e9f7bc178b0eeb91b1aa5f515b597886566c4f5ff34f45437fd9e810c2699daf33ec51902a7ba4bc7578271b3bf71ccb99e08e7308978bbf09ef9ccf1b63ef0651397222bb58be67099dbc7b8e37627f204ceb641a30382a1e11a7fd2f EAP-Message = 0x991c03d2e3f57e56e36db67b21563e3f97502d4fba252d8a1403010001011603010030cf151f5b366eda1330659c1f3f5e55339fdc3d1e066553f4e1617ef016a82b2051a71cabd5dd256233a3c13b835765ac State = 0xce343774cd3022073b392edc718830e4 Message-Authenticator = 0x5b6d9e9a04ef65ad4b374225d10a39f0 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:11 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 326 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 94 to 10.10.10.228 port 1059 EAP-Message = 0x0105004515800000003b1403010001011603010030dcbc638acd36ffa613cef9ef9af25c610a95b3484085d983ad7512401dfb83682e456974cac1172d9fc413f44fcaebac Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce343774ca3122073b392edc718830e4 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.10.228 port 1059, id=95, length=322 User-Name = "andyan" NAS-IP-Address = 10.10.10.228 NAS-Port = 1 Called-Station-Id = "00-14-6C-CC-93-E8:ECIeduroam" Calling-Station-Id = "00-17-F2-52-8A-C7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205009f1580000000951703010090987fd6d5cc5864599d5ca410f41de2a2044d322da2a89e7460dee718bd49305e426f8dedf5e8487d84e977a7c3a9206c6de4d1824fada2d41244382e57d30b801ebda16a9ebb3e74dd6b62a2bdcc36755a8f8b26fb36454ed404c3d9eb4f13b8337e25e6c7a4fa21f8497db0a782833b513c8335207e868ac0bfa876fc3db0414a4ae8deccd03be7748f5907fbe04d36 State = 0xce343774ca3122073b392edc718830e4 Message-Authenticator = 0xa2874e59a7ffafb2940d2853a2fbe36e +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.10.228/auth-detail-20080619 expand: %t -> Thu Jun 19 16:09:11 2008 ++[auth_log] returns ok rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 159 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 149 rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. +- entering group authorize rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for andyan WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan) expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user andyan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> andyan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 95 to 10.10.10.228 port 1059 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 90 with timestamp +72 Cleaning up request 1 ID 91 with timestamp +73 Cleaning up request 2 ID 92 with timestamp +73 Cleaning up request 3 ID 93 with timestamp +73 Cleaning up request 4 ID 94 with timestamp +73 Waking up in 0.3 seconds. Cleaning up request 5 ID 95 with timestamp +73 Ready to process requests. --
Andy An wrote:
Hi Ivan: The password is in the ldap server as one of attributes binded to the user (userPassword: {CRYPT}something). ... rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) ... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
The debug output disagrees with you. There is no known good password available. Again, it helps to READ the debug output yourself. The warning messages are clear, and are written in simple English. Alan DeKok.
Hi, I know it's plain English but I still can't figure out where the warning is comming from and what I have to change. It finds the password, but still gives the auth(failure): auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. I'm using the default config-files with PEAP auth. Can somebody give me a hint in the right direction? Where/what config file should I look in and what to edit? THANKS! Here are my logs... Listening on authentication address 172.16.27.103 port 1812 Ready to process requests. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=141 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000013016a656c6c656c616e6762726f656b Message-Authenticator = 0x933439cddca44559a4ee3c2b327aaac5 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 19 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> userX rlm_sql (sql): sql_set_user escaped user --> 'userX' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id expand: SELECT 'dynamic' as groupname FROM customers WHERE name = '%{SQL-User-Name}' ORDER BY id -> SELECT 'dynamic' as groupname FROM customers WHERE name = 'userX' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299bab34161e655ea3ece36f0c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=233 Cleaning up request 0 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299bab34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201005d190016030100520100004e0301485baf3e8e15e57593e3e1819134ab3ad55c2a65dbdd6278dadce70ffee5409a00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Message-Authenticator = 0xda28b5bb86c975ef4fd3c5bf45e4bba5 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0102040019c000000acd160301004a020000460301485bafe7c5b0d88a48309c43edcd95ad1a7074078f255e9ae50b996f1652ccb920a16607e93eaa7110ee032225ce8e42a2f268a83d10b15c608aaa906a0983b761003901160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383134323133315a170d3039303631383134323133315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e51de7b82469cbac2af9f14199eb4c8ebc3f2c3102c669d669d474b3c8a9 EAP-Message = 0x10af6d0ed5e1d33fdca7a6fd55b046f135a4d7fce70cce39f1e2378ef0e137638ba9fa1dc376347d313f64f63d5955437faad9f0898028cd6386e91cc7305583103b82f4614092c960a0a0bced39a7cbdfc2267da2ffc5e29b607d9f47169ca043d4aa054efccb590ee0f0eb0c3825d5d72595f3afc15a59b39c3eaebee214108bbfdd4a5f3787b9d434219b11a62e59fdbeb53e2d962333c53483821af4d69d282dabeb36117b5b99cedb3800652d4901f44ae12e9eedd6e5d77513831376822f2fd03ff4f0236abbc6eaf831d4838909a263a0673f7ac176673eff4506db30bf950203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100996af82a8524e81fa2070413fa3bc07ef4d1acc88e96ee8f90b412dcd1564de0280bd3bc8eb8f024c7753ee0fb3a1d9c9e7e1fc60e87aa7309ba76e44ac083788079b800f28c46bf4cdbc8423c40b6c897ec4a2ccaa95c4b59d0c035a00725cc5e943ec10dac7cf1669995ec20a26ffaedf7c0e7bdc2acc11882ecb3e9f9e06e8597dfc4c30a9d69210cdf2872ed848af5e1c89e2ed34a6db012129685b12f56d4bec3f6e13e7b43b6e00a81545a38f28090f1ff3ceca37a107ea01898d2269f7156ca7c74c8b20ead294a6a7d1d32eb70065bda7bcfe009a070c6f01a9b0b9674fa3cff08a1 EAP-Message = 0xd8bf0854f4d5920b817066b8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299aa834161e655ea3ece36f0c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 1 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299aa834161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061900 Message-Authenticator = 0x6ae87b9fa610cc290341c3c8721eab9c +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010303fc19401cd7c4c2a6889ffa64eb3b48b32b0004ab308204a73082038fa003020102020900d0b321af3f5e6edb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383134323133305a170d3038303731383134323133305a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c61affd9b5606d309f732b738a593c3adc04fc3cd9d9b4b974c83e330b98f92eb01c54c4a73ba87e32181239a999468e387accc8edac79fe1d61b7331b3a4d5d658858ecdaa0e0119b6d2a958f7bf3 EAP-Message = 0x6c05b684d836361612e031a7c863de56c0c2eecea221506078f4f991d6f7f1b40882d1981e6be282cc6ca1e5555309375397dfc7b6a379cf23f9780841d540d83ac4a89847ec588c84073f1d8e4be9c2fc955cc79d12fc8e4e51a0bc388854a5fd8d19f7bf36495cdeade9dc373fdde84b6b4e452109c95785f65e663bdce3543241b34c49b8d41b1fe44362998a782bc18398a00b8261b303f9a6b025cb8165e6a107967a5f823a135c83611b99f5c0c30203010001a381fb3081f8301d0603551d0e0416041442ba48fa03771a044de938b92a0ac80bd48b46c83081c80603551d230481c03081bd801442ba48fa03771a044de938b92a0ac80bd48b EAP-Message = 0x46c8a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900d0b321af3f5e6edb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009271c64430e33a20e02c5c3ea887afbda2e892a25f633961c5b13d6df2461f7675b2d3ef317087b1eeeef20c6855c4208c7d EAP-Message = 0x22dbf87ea84011c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d2999a934161e655ea3ece36f0c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 2 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d2999a934161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x55eb06fdd249f58d4b098d211ef699db +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010402e71900589c274af17f1a494850cb1028aea864d133e063ba83420b4e3c091030cb4a0c5e5913181a57a0ef4e965b1a1490eb20c705bfc44603e0e52aa98d2f47831b1e88e8cb4149a777c58356b40fcb237ad48b79a1e61a5a02e245b071293b2b25d6b3bbc2e1eb5e26db78735d8172015a39ae2ab6d93382ef0be94f0419a5a7101b93f3f91c7a124f75d5884e225990d032bb21374f62ebdca5a3add90be36aa926a41695835c2eb3f7e88337da950eb5394a9ffb5f63412909f5e387762b4bc9607be7d5871e1c160301020d0c0002090080d98dfb21f227dd0de0112a4e02b14ba70211061c5b376bb17b336613f8dc7867bf69d166fa9a EAP-Message = 0x06947948dc5a2a0bb67aece8a2eb6ec595b94459607661010ebd873c133571818cf379124cde39be0e869e24c60c3ecaf1faaf1d96b46cb542c1a8207a4a2c8114788241b433bbe70a1c9ba7e56a3e27932254db2290c295e28300010200801e2c86c4785eeb02a0bb6dd6aa890202b7e118a106a5c230c576d7030939045bb009c2ac440005c74fe3659e3fd5b15f4554226f7dcd0131dc636b3d8b2152b63efc1cb23b6e8b0b3bd2960488c73b9bf499434d44629b813ff423fcf0580858aa6473354cce503e27925a2b5493fad07897a8f9ee105c4b949d6277b0ffa75d010034c14143a28ad289e2d0a39f498063167f73fcbf4000caa9c70a3905 EAP-Message = 0x71a008d47f3651cca5a115167ccf4c3990bbaf3507e2b958546eb5e323c7fe857e8394a68251ad5404da26810c662052e242961cb37eafcab475f322a740a0abd48178f31bed95df9004fb37f667282bdbaa9db8402640ffad48ecb15a49ea5db0ace40026026cd5ab50949ade5c903144779999672f88dd7885fcf946ed5c01779571173271d8503a0c3e43791e06a2c4400ff0553c76e15bf7624cf432dd2d44643827b4d29a8763738b073e09b1bbb3c6f2d411391976badabf00cd6ccbb57627e315142009a49e948f5911cf3873557dc60adfebd10a8892d1ac71109fb9cf9a3e6416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d2998ae34161e655ea3ece36f0c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=344 Cleaning up request 3 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d2998ae34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400cc190016030100861000008200804316d20c6a7c178058561a988cd4c857a1818bca9d6381d259ad888eb8590fb37aa41737e0465ed1c8645c4b84abd506a7d30c4bb7a7a10f909b9feb1f8a51b8430d748d87f03c7df6a01a3bb99c178da207b3a19c540469709f2845ba90768f8ec804175b2e9afaa80dccc2107919f7580b1953431922cdeda4f877c91e174f14030100010116030100300f7ef3899514ebb34daa12ac552eb8f9eb8841016f046ea3a63e53aadfb3e3397a93e73456cc41e1135861707733b220 Message-Authenticator = 0xdea135864ef03eb8674379a35331fd5f +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0105004119001403010001011603010030e6a2e4f9f396f695728dfc74be50459b34dea2ec026e3b041e64ad32a19bfc01ce00a4f39422c30e86d83059c040853f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299faf34161e655ea3ece36f0c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 4 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299faf34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xaa2e2ed89ffe2379528536376d6b3678 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0106002b190017030100203d19543fef6a354b15802fa24ac6be930472a2bb2963b2cd40acb8569178208b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299eac34161e655ea3ece36f0c Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=236 Cleaning up request 5 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299eac34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600601900170301002006f9c4c30ed6970d17049ecab64a52b6bd0147e5e8aa1632efba5d9bc17ad65517030100307342716fd8fa732607a62a93a4ea9d0be8cd1c9717af27bb67b840bc0a308060563c313805c8b9810e19ba7a0485738a Message-Authenticator = 0x8aa405f4d2a413e1dfdf4f6019925a83 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - userX PEAP: Got tunneled identity of userX PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to userX auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0107003b1900170301003083a87eb6970e9d00f7463517385ede5e1301a3788b857b995947b8b8ab618a56ac5422ade8ea7d08e6be181deb19075e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299dad34161e655ea3ece36f0c Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=236 Cleaning up request 6 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299dad34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006019001703010020e1e6a5669a6e1f2fad8b18557490b2a36580caac37130035ec533f519aa058651703010030ea09edd1a98107005cbbefece6de1029da93fab2b2f14456b2a2728ff91532a35d075fb23197f925da6206a6e1ee5db1 Message-Authenticator = 0xd2a2e7d67cd0ea7f1d069d4ebf3731cc +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> userX attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 7 ID 0 with timestamp +41 Ready to process requests. 2008/6/20 Alan DeKok <aland@deployingradius.com>:
Andy An wrote:
Hi Ivan: The password is in the ldap server as one of attributes binded to the user (userPassword: {CRYPT}something). ... rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) ... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
The debug output disagrees with you.
There is no known good password available.
Again, it helps to READ the debug output yourself. The warning messages are clear, and are written in simple English.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jelle Langbroek wrote:
Hi, I know it's plain English but I still can't figure out where the warning is comming from and what I have to change. It finds the password, but still gives the auth(failure):
You're running 2.0.4, and you need to install raddb/sites-enabled/inner-tunnel. Alan DeKok.
So, for the sake of 'clean' configs I reinstalled freeRadius 2.0.5 (which I was running before btw..) and changed nothing except "default_eap_type = peap". To my amazement it ran perfectly! Then I turned MySQL auth on and it worked! After all these hours figuring out freeRadius and following HowToos, it now runs out of the box! Where there so many changes from 2.0.3 to 2.0.5? Anyway, thanks for all the help Alan and Ivan! Jelle 2008/6/20 Alan DeKok <aland@deployingradius.com>:
Jelle Langbroek wrote:
Hi, I know it's plain English but I still can't figure out where the warning is comming from and what I have to change. It finds the password, but still gives the auth(failure):
You're running 2.0.4, and you need to install raddb/sites-enabled/inner-tunnel.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So, for the sake of 'clean' configs I reinstalled freeRadius 2.0.5 (which I was running before btw..) and changed nothing except "default_eap_type = peap". To my amazement it ran perfectly! Then I turned MySQL auth on and it worked! After all these hours figuring out freeRadius and following HowToos, it now runs out of the box! Where there so many changes from 2.0.3 to 2.0.5?
Not really. Only significant thing that changed there was that inner-tunnel config file was copied to the place it was suposed to be (you had to do-it-yourself in previous version - oversight). Ivan Kalik Kalik Informatika ISP
What version is this? It looks like you are missing the inner-tunnel virtual server config file. You should copy it from the download dictionary to raddb/sites-enabled/. Ivan Kalik Kalik Informatika ISP Dana 20/6/2008, "Jelle Langbroek" <jml@orkz.net> piše:
Hi, I know it's plain English but I still can't figure out where the warning is comming from and what I have to change. It finds the password, but still gives the auth(failure):
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
I'm using the default config-files with PEAP auth. Can somebody give me a hint in the right direction? Where/what config file should I look in and what to edit? THANKS!
Here are my logs...
Listening on authentication address 172.16.27.103 port 1812 Ready to process requests. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=141 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000013016a656c6c656c616e6762726f656b Message-Authenticator = 0x933439cddca44559a4ee3c2b327aaac5 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 19 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> userX rlm_sql (sql): sql_set_user escaped user --> 'userX' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id expand: SELECT 'dynamic' as groupname FROM customers WHERE name = '%{SQL-User-Name}' ORDER BY id -> SELECT 'dynamic' as groupname FROM customers WHERE name = 'userX' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299bab34161e655ea3ece36f0c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=233 Cleaning up request 0 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299bab34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201005d190016030100520100004e0301485baf3e8e15e57593e3e1819134ab3ad55c2a65dbdd6278dadce70ffee5409a00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Message-Authenticator = 0xda28b5bb86c975ef4fd3c5bf45e4bba5 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0102040019c000000acd160301004a020000460301485bafe7c5b0d88a48309c43edcd95ad1a7074078f255e9ae50b996f1652ccb920a16607e93eaa7110ee032225ce8e42a2f268a83d10b15c608aaa906a0983b761003901160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383134323133315a170d3039303631383134323133315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e51de7b82469cbac2af9f14199eb4c8ebc3f2c3102c669d669d474b3c8a9 EAP-Message = 0x10af6d0ed5e1d33fdca7a6fd55b046f135a4d7fce70cce39f1e2378ef0e137638ba9fa1dc376347d313f64f63d5955437faad9f0898028cd6386e91cc7305583103b82f4614092c960a0a0bced39a7cbdfc2267da2ffc5e29b607d9f47169ca043d4aa054efccb590ee0f0eb0c3825d5d72595f3afc15a59b39c3eaebee214108bbfdd4a5f3787b9d434219b11a62e59fdbeb53e2d962333c53483821af4d69d282dabeb36117b5b99cedb3800652d4901f44ae12e9eedd6e5d77513831376822f2fd03ff4f0236abbc6eaf831d4838909a263a0673f7ac176673eff4506db30bf950203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100996af82a8524e81fa2070413fa3bc07ef4d1acc88e96ee8f90b412dcd1564de0280bd3bc8eb8f024c7753ee0fb3a1d9c9e7e1fc60e87aa7309ba76e44ac083788079b800f28c46bf4cdbc8423c40b6c897ec4a2ccaa95c4b59d0c035a00725cc5e943ec10dac7cf1669995ec20a26ffaedf7c0e7bdc2acc11882ecb3e9f9e06e8597dfc4c30a9d69210cdf2872ed848af5e1c89e2ed34a6db012129685b12f56d4bec3f6e13e7b43b6e00a81545a38f28090f1ff3ceca37a107ea01898d2269f7156ca7c74c8b20ead294a6a7d1d32eb70065bda7bcfe009a070c6f01a9b0b9674fa3cff08a1 EAP-Message = 0xd8bf0854f4d5920b817066b8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299aa834161e655ea3ece36f0c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 1 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299aa834161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061900 Message-Authenticator = 0x6ae87b9fa610cc290341c3c8721eab9c +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010303fc19401cd7c4c2a6889ffa64eb3b48b32b0004ab308204a73082038fa003020102020900d0b321af3f5e6edb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383134323133305a170d3038303731383134323133305a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c61affd9b5606d309f732b738a593c3adc04fc3cd9d9b4b974c83e330b98f92eb01c54c4a73ba87e32181239a999468e387accc8edac79fe1d61b7331b3a4d5d658858ecdaa0e0119b6d2a958f7bf3 EAP-Message = 0x6c05b684d836361612e031a7c863de56c0c2eecea221506078f4f991d6f7f1b40882d1981e6be282cc6ca1e5555309375397dfc7b6a379cf23f9780841d540d83ac4a89847ec588c84073f1d8e4be9c2fc955cc79d12fc8e4e51a0bc388854a5fd8d19f7bf36495cdeade9dc373fdde84b6b4e452109c95785f65e663bdce3543241b34c49b8d41b1fe44362998a782bc18398a00b8261b303f9a6b025cb8165e6a107967a5f823a135c83611b99f5c0c30203010001a381fb3081f8301d0603551d0e0416041442ba48fa03771a044de938b92a0ac80bd48b46c83081c80603551d230481c03081bd801442ba48fa03771a044de938b92a0ac80bd48b EAP-Message = 0x46c8a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900d0b321af3f5e6edb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009271c64430e33a20e02c5c3ea887afbda2e892a25f633961c5b13d6df2461f7675b2d3ef317087b1eeeef20c6855c4208c7d EAP-Message = 0x22dbf87ea84011c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d2999a934161e655ea3ece36f0c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 2 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d2999a934161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x55eb06fdd249f58d4b098d211ef699db +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x010402e71900589c274af17f1a494850cb1028aea864d133e063ba83420b4e3c091030cb4a0c5e5913181a57a0ef4e965b1a1490eb20c705bfc44603e0e52aa98d2f47831b1e88e8cb4149a777c58356b40fcb237ad48b79a1e61a5a02e245b071293b2b25d6b3bbc2e1eb5e26db78735d8172015a39ae2ab6d93382ef0be94f0419a5a7101b93f3f91c7a124f75d5884e225990d032bb21374f62ebdca5a3add90be36aa926a41695835c2eb3f7e88337da950eb5394a9ffb5f63412909f5e387762b4bc9607be7d5871e1c160301020d0c0002090080d98dfb21f227dd0de0112a4e02b14ba70211061c5b376bb17b336613f8dc7867bf69d166fa9a EAP-Message = 0x06947948dc5a2a0bb67aece8a2eb6ec595b94459607661010ebd873c133571818cf379124cde39be0e869e24c60c3ecaf1faaf1d96b46cb542c1a8207a4a2c8114788241b433bbe70a1c9ba7e56a3e27932254db2290c295e28300010200801e2c86c4785eeb02a0bb6dd6aa890202b7e118a106a5c230c576d7030939045bb009c2ac440005c74fe3659e3fd5b15f4554226f7dcd0131dc636b3d8b2152b63efc1cb23b6e8b0b3bd2960488c73b9bf499434d44629b813ff423fcf0580858aa6473354cce503e27925a2b5493fad07897a8f9ee105c4b949d6277b0ffa75d010034c14143a28ad289e2d0a39f498063167f73fcbf4000caa9c70a3905 EAP-Message = 0x71a008d47f3651cca5a115167ccf4c3990bbaf3507e2b958546eb5e323c7fe857e8394a68251ad5404da26810c662052e242961cb37eafcab475f322a740a0abd48178f31bed95df9004fb37f667282bdbaa9db8402640ffad48ecb15a49ea5db0ace40026026cd5ab50949ade5c903144779999672f88dd7885fcf946ed5c01779571173271d8503a0c3e43791e06a2c4400ff0553c76e15bf7624cf432dd2d44643827b4d29a8763738b073e09b1bbb3c6f2d411391976badabf00cd6ccbb57627e315142009a49e948f5911cf3873557dc60adfebd10a8892d1ac71109fb9cf9a3e6416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d2998ae34161e655ea3ece36f0c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=344 Cleaning up request 3 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d2998ae34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400cc190016030100861000008200804316d20c6a7c178058561a988cd4c857a1818bca9d6381d259ad888eb8590fb37aa41737e0465ed1c8645c4b84abd506a7d30c4bb7a7a10f909b9feb1f8a51b8430d748d87f03c7df6a01a3bb99c178da207b3a19c540469709f2845ba90768f8ec804175b2e9afaa80dccc2107919f7580b1953431922cdeda4f877c91e174f14030100010116030100300f7ef3899514ebb34daa12ac552eb8f9eb8841016f046ea3a63e53aadfb3e3397a93e73456cc41e1135861707733b220 Message-Authenticator = 0xdea135864ef03eb8674379a35331fd5f +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0105004119001403010001011603010030e6a2e4f9f396f695728dfc74be50459b34dea2ec026e3b041e64ad32a19bfc01ce00a4f39422c30e86d83059c040853f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299faf34161e655ea3ece36f0c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=146 Cleaning up request 4 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299faf34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xaa2e2ed89ffe2379528536376d6b3678 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0106002b190017030100203d19543fef6a354b15802fa24ac6be930472a2bb2963b2cd40acb8569178208b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299eac34161e655ea3ece36f0c Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=236 Cleaning up request 5 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299eac34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600601900170301002006f9c4c30ed6970d17049ecab64a52b6bd0147e5e8aa1632efba5d9bc17ad65517030100307342716fd8fa732607a62a93a4ea9d0be8cd1c9717af27bb67b840bc0a308060563c313805c8b9810e19ba7a0485738a Message-Authenticator = 0x8aa405f4d2a413e1dfdf4f6019925a83 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - userX PEAP: Got tunneled identity of userX PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to userX auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x0107003b1900170301003083a87eb6970e9d00f7463517385ede5e1301a3788b857b995947b8b8ab618a56ac5422ade8ea7d08e6be181deb19075e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9baa2d299dad34161e655ea3ece36f0c Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.27.37 port 3072, id=0, length=236 Cleaning up request 6 ID 0 with timestamp +41 User-Name = "userX" NAS-IP-Address = 172.16.27.37 Called-Station-Id = "001c1066a106" Calling-Station-Id = "001cdf77bb4d" NAS-Identifier = "001c1066a106" NAS-Port = 1 Framed-MTU = 1400 State = 0x9baa2d299dad34161e655ea3ece36f0c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006019001703010020e1e6a5669a6e1f2fad8b18557490b2a36580caac37130035ec533f519aa058651703010030ea09edd1a98107005cbbefece6de1029da93fab2b2f14456b2a2728ff91532a35d075fb23197f925da6206a6e1ee5db1 Message-Authenticator = 0xd2a2e7d67cd0ea7f1d069d4ebf3731cc +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.16.27.37/auth-detail-20080620 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 172.16.27.37/auth-detail-20080620 expand: %t -> Fri Jun 20 15:25:59 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> userX attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 172.16.27.37 port 3072 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 7 ID 0 with timestamp +41 Ready to process requests.
2008/6/20 Alan DeKok <aland@deployingradius.com>:
Andy An wrote:
Hi Ivan: The password is in the ldap server as one of attributes binded to the user (userPassword: {CRYPT}something). ... rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) ... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
The debug output disagrees with you.
There is no known good password available.
Again, it helps to READ the debug output yourself. The warning messages are clear, and are written in simple English.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The password is in the ldap server as one of attributes binded to the user (userPassword: {CRYPT}something). I posted the debugging info here and thanks a lot for your help!
1. crypt and mschap don't mix: http://deployingradius.com/documents/protocols/compatibility.html 2. Even the encrypted one is not there:
rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter (uid=andyan) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
Andy An -
Ivan Kalik -
Jelle Langbroek