Attribute "User-Password" is required for authentication

Cody Jarrett cody.jarrett at itfreedom.com
Tue Jun 19 01:03:03 CEST 2007



Arran Cudbard-Bell wrote:
> tnt at kalik.co.yu wrote:
>   
>> And where is your user/pass stored? It's not in users file and I don't
>> see any database configured.
>>     
I originally had "Default Auth-type := pam" but I removed that.  Users 
are stored in an LDAP database and I am basically trying to get RADIUS 
to use PAM for auth info. Is this wrong? I don't understand how RADIUS 
will use PAM if I don't specify it somewhere.
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 18/6/2007, "Cody Jarrett" <cody.jarrett at itfreedom.com> wrote:
>>
>>   
>>     
>>> Oh, I had "Default auth-type := pam" in users. I removed that line and 
>>> get a much longer debug output when I try to connect with the XP machine 
>>> to the wireless. radtest fails with this message: "auth: No authenticate 
>>> method (Auth-Type) configuration found for the request: Rejecting the 
>>> user". I have a feeling something is wrong with my eap.conf. I have debug 
>>> below; any input would be appreciated.
>>>
>>> eap.conf
>>>    eap {
>>>                 default_eap_type = peap
>>>                 timer_expire     = 60
>>>                 ignore_unknown_eap_types = no
>>>                 md5 {
>>>                 }
>>>
>>>                 gtc {
>>>                 auth_type = PAP
>>>                 }
>>>                 tls {
>>>                         private_key_password = testing123
>>>                         private_key_file = ${dbdir}/certs/pem/server.pem
>>>                         certificate_file = ${dbdir}/certs/pem/server.pem
>>>                         CA_file = /etc/raddb/certs/pem/root.pem
>>>                         dh_file = ${raddbdir}/certs/dh
>>>                         random_file = /dev/urandom
>>>                 }
>>>                 ttls {
>>>                         default_eap_type = md5
>>>                  }
>>>                 peap {
>>>                         default_eap_type = mschapv2
>>>                         proxy_tunneled_request_as_eap = no
>>>                  }
>>>                 mschapv2 {
>>>                 }
>>>         }
>>>
>>> users:
>>> DEFAULT Service-Type == Framed-User
>>> 	Framed-Protocol == PPP,
>>>         Framed-Protocol = PPP,
>>>         Framed-Compression = Van-Jacobson-TCP-IP
>>>
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185
>>>         Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 0x0200000d01636a617272657474
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 0
>>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>>   modcall[authorize]: module "chap" returns noop for request 0
>>>   modcall[authorize]: module "mschap" returns noop for request 0
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 0
>>>   rlm_eap: EAP packet type response id 0 length 13
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 0
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 0
>>> modcall: leaving group authorize (returns updated) for request 0
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 0
>>>   rlm_eap: EAP Identity
>>>   rlm_eap: processing type tls
>>>   rlm_eap_tls: Initiate
>>>   rlm_eap_tls: Start returned 1
>>>   modcall[authenticate]: module "eap" returns handled for request 0
>>> modcall: leaving group authenticate (returns handled) for request 0
>>> Sending Access-Challenge of id 0 to 10.1.22.10 port 2626
>>>         EAP-Message = 0x010100061920
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
>>> Finished request 0
>>> Going to the next request
>>> --- Walking the entire request list ---
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270
>>>         Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 
>>> 0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a000900640062000300060013001200630100
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 1
>>>   modcall[authorize]: module "preprocess" returns ok for request 1
>>>   modcall[authorize]: module "chap" returns noop for request 1
>>>   modcall[authorize]: module "mschap" returns noop for request 1
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 1
>>>   rlm_eap: EAP packet type response id 1 length 80
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 1
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 1
>>> modcall: leaving group authorize (returns updated) for request 1
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 1
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>> rlm_eap_tls:  Length Included
>>>   eaptls_verify returned 11
>>>     (other): before/accept initialization
>>>     TLS_accept: before/accept initialization
>>>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>>>     TLS_accept: SSLv3 read client hello A
>>>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>>>     TLS_accept: SSLv3 write server hello A
>>>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate
>>>     TLS_accept: SSLv3 write certificate A
>>>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>>>     TLS_accept: SSLv3 write server done A
>>>     TLS_accept: SSLv3 flush data
>>>     TLS_accept:error in SSLv3 read client certificate A
>>> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
>>> In SSL Handshake Phase
>>> In SSL Accept mode
>>>   eaptls_process returned 13
>>>   rlm_eap_peap: EAPTLS_HANDLED
>>>   modcall[authenticate]: module "eap" returns handled for request 1
>>> modcall: leaving group authenticate (returns handled) for request 1
>>> Sending Access-Challenge of id 1 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x0102040a19c00000054f160301004a0200004603014676f843d803483c15d36e93f5903c5cc8e52cbb90fc704442d65da40223da252005d814e7158dcfd27bf3ca5c85ae01dd827440aee3ab5505601792296939c1e400040016030104f20b0004ee0004eb000237308202333082019ca003020102020108300d06092a864886f70d01010505003043310b3009060355040613025553310e300c060355040813055465786173310f300d0603550407130641757374696e31133011060355040a130a49542046726565646f6d301e170d3037303631383135303533315a170d3038303631373135303533315a3063310b3009060355040613025553310e
>>>         EAP-Message = 0x8bcf453bc58cbc621f2c93bffa3c802435d0ef96af8f
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0xdb7e976ee5b705e695f599c38b37c3ff
>>> Finished request 1
>>> Going to the next request
>>> --- Walking the entire request list ---
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=2, length=196
>>>         Message-Authenticator = 0xfe7be571e4388b7f6070941972326855
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0xdb7e976ee5b705e695f599c38b37c3ff
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 0x020200061900
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 2
>>>   modcall[authorize]: module "preprocess" returns ok for request 2
>>>   modcall[authorize]: module "chap" returns noop for request 2
>>>   modcall[authorize]: module "mschap" returns noop for request 2
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 2
>>>   rlm_eap: EAP packet type response id 2 length 6
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 2
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 2
>>> modcall: leaving group authorize (returns updated) for request 2
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 2
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>> rlm_eap_tls: Received EAP-TLS ACK message
>>>   rlm_eap_tls: ack handshake fragment handler
>>>   eaptls_verify returned 1
>>>   eaptls_process returned 13
>>>   rlm_eap_peap: EAPTLS_HANDLED
>>>   modcall[authenticate]: module "eap" returns handled for request 2
>>> modcall: leaving group authenticate (returns handled) for request 2
>>> Sending Access-Challenge of id 2 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x730816c95730f262d998622fef7ab67085b11171fcf91eedc0c722978688b4d95cc733f75cc8129c379c68664c1d4b25f86f4bfe077e3f816874b5164236b79ad98f7f21bff654afa0f389c860452416030100040e000000
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0xa59e16e46b5a6ec02559580464dcdfc7
>>> Finished request 2
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=3, length=382
>>>         Message-Authenticator = 0x4fcb37f77d06f6b896b44d378446425a
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0xa59e16e46b5a6ec02559580464dcdfc7
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 
>>> 0x020300c01980000000b61603010086100000820080035f438a01efd8ab7c7a294a61aa7e875d7f06a8b634a2a73a3ec20b5069ec4dc0137747833e1252a070c6a3ce81917fd9dd1b712aaccd042e95790c91f15f1dd2408872453cb91d824630458d5b1546a2c60bcaee1207ddc57472ffc6afe456a82c452e1b3efc2f786ed598851a0a86be44c9dd31ba87d5c21cba7ef7e30d3a1403010001011603010020b3d94931dfd1413c9c4cb7248eaa9bfa185de0ce13cda40c4b717e7ac0271ba8
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 3
>>>   modcall[authorize]: module "preprocess" returns ok for request 3
>>>   modcall[authorize]: module "chap" returns noop for request 3
>>>   modcall[authorize]: module "mschap" returns noop for request 3
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 3
>>>   rlm_eap: EAP packet type response id 3 length 192
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 3
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 3
>>> modcall: leaving group authorize (returns updated) for request 3
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 3
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>> rlm_eap_tls:  Length Included
>>>   eaptls_verify returned 11
>>>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>>     TLS_accept: SSLv3 read client key exchange A
>>>   rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
>>>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
>>>     TLS_accept: SSLv3 read finished A
>>>   rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
>>>     TLS_accept: SSLv3 write change cipher spec A
>>>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
>>>     TLS_accept: SSLv3 write finished A
>>>     TLS_accept: SSLv3 flush data
>>>     (other): SSL negotiation finished successfully
>>> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
>>> SSL Connection Established
>>>   eaptls_process returned 13
>>>   rlm_eap_peap: EAPTLS_HANDLED
>>>   modcall[authenticate]: module "eap" returns handled for request 3
>>> modcall: leaving group authenticate (returns handled) for request 3
>>> Sending Access-Challenge of id 3 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x0104003119001403010001011603010020935e4cc86eaaa1072ebd4e4c8e29ec031c939675d0c8c4d896dd671395d3fa1f
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0xd79c6820132ebef7cf1548ab25a93afa
>>> Finished request 3
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=4, length=196
>>>         Message-Authenticator = 0x4064e5721fc1c83e994ee45dc66e4fb4
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0xd79c6820132ebef7cf1548ab25a93afa
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 0x020400061900
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 4
>>>   modcall[authorize]: module "preprocess" returns ok for request 4
>>>   modcall[authorize]: module "chap" returns noop for request 4
>>>   modcall[authorize]: module "mschap" returns noop for request 4
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 4
>>>   rlm_eap: EAP packet type response id 4 length 6
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 4
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 4
>>> modcall: leaving group authorize (returns updated) for request 4
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 4
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>> rlm_eap_tls: Received EAP-TLS ACK message
>>>   rlm_eap_tls: ack handshake is finished
>>>   eaptls_verify returned 3
>>>   eaptls_process returned 3
>>>   rlm_eap_peap: EAPTLS_SUCCESS
>>>   modcall[authenticate]: module "eap" returns handled for request 4
>>> modcall: leaving group authenticate (returns handled) for request 4
>>> Sending Access-Challenge of id 4 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x0105002019001703010015182fff1e23fe4e9d74e4dd55b6a10b80d9cb1b6f3e
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0x890db137000563152da88540de2781e1
>>> Finished request 4
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=5, length=226
>>>         Message-Authenticator = 0x7ad74000bf14f349569c0ccfb1540c0d
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0x890db137000563152da88540de2781e1
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 
>>> 0x0205002419001703010019125b45ef09a64c9d64c8b7704291bcf4e8b811339b0138b716
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 5
>>>   modcall[authorize]: module "preprocess" returns ok for request 5
>>>   modcall[authorize]: module "chap" returns noop for request 5
>>>   modcall[authorize]: module "mschap" returns noop for request 5
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 5
>>>   rlm_eap: EAP packet type response id 5 length 36
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 5
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 5
>>> modcall: leaving group authorize (returns updated) for request 5
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 5
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>>   eaptls_verify returned 7
>>>   rlm_eap_tls: Done initial handshake
>>>   eaptls_process returned 7
>>>   rlm_eap_peap: EAPTLS_OK
>>>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>>>   rlm_eap_peap: Identity - cjarrett
>>>   rlm_eap_peap: Tunneled data is valid.
>>>   PEAP: Got tunneled EAP-Message
>>>         EAP-Message = 0x0205000d01636a617272657474
>>>   PEAP: Got tunneled identity of cjarrett
>>>   PEAP: Setting default EAP type for tunneled EAP session.
>>>   PEAP: Setting User-Name to cjarrett
>>>   PEAP: Sending tunneled request
>>>         EAP-Message = 0x0205000d01636a617272657474
>>>         FreeRADIUS-Proxied-To = 127.0.0.1
>>>         User-Name = "cjarrett"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 5
>>>   modcall[authorize]: module "preprocess" returns ok for request 5
>>>   modcall[authorize]: module "chap" returns noop for request 5
>>>   modcall[authorize]: module "mschap" returns noop for request 5
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 5
>>>   rlm_eap: EAP packet type response id 5 length 13
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 5
>>>   modcall[authorize]: module "files" returns notfound for request 5
>>> modcall: leaving group authorize (returns updated) for request 5
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 5
>>>   rlm_eap: EAP Identity
>>>   rlm_eap: processing type mschapv2
>>> rlm_eap_mschapv2: Issuing Challenge
>>>   modcall[authenticate]: module "eap" returns handled for request 5
>>> modcall: leaving group authenticate (returns handled) for request 5
>>>   PEAP: Got tunneled reply RADIUS code 11
>>>         EAP-Message = 
>>> 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0x6a6983e73566293debc28f9785f4ba2c
>>>   PEAP: Processing from tunneled session code 0x9c06760 11
>>>         EAP-Message = 
>>> 0x010600221a0106001d1058699d07aa7a08377307f1c5ed250f94636a617272657474
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0x6a6983e73566293debc28f9785f4ba2c
>>>   PEAP: Got tunneled Access-Challenge
>>>   modcall[authenticate]: module "eap" returns handled for request 5
>>> modcall: leaving group authenticate (returns handled) for request 5
>>> Sending Access-Challenge of id 5 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x010600391900170301002ef2c5b8b197e6c26f51f804007aeffa9201509b57c8efb035180baa21bb94725c31867049409c85079be2e3428678
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0xb9a3bd04514836a4cba31c175e9c77e6
>>> Finished request 5
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=6, length=280
>>>         Message-Authenticator = 0xc08fd8e4919b60e5bd7e5470be52c475
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0xb9a3bd04514836a4cba31c175e9c77e6
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 
>>> 0x0206005a1900170301004f9d20dcfecf2d949b98e83b0ef8ed9db381e1102982367126820039e03f3c11fb6d43998ca6a01e65a19e9ea7d823bd743bd8eb1d732d8dae19c82f39c08ad02e9d63fe13d0c25900ac075cdc3ada61
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 6
>>>   modcall[authorize]: module "preprocess" returns ok for request 6
>>>   modcall[authorize]: module "chap" returns noop for request 6
>>>   modcall[authorize]: module "mschap" returns noop for request 6
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 6
>>>   rlm_eap: EAP packet type response id 6 length 90
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 6
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 6
>>> modcall: leaving group authorize (returns updated) for request 6
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 6
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>>   eaptls_verify returned 7
>>>   rlm_eap_tls: Done initial handshake
>>>   eaptls_process returned 7
>>>   rlm_eap_peap: EAPTLS_OK
>>>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>>>   rlm_eap_peap: EAP type mschapv2
>>>   rlm_eap_peap: Tunneled data is valid.
>>>   PEAP: Got tunneled EAP-Message
>>>         EAP-Message = 
>>> 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474
>>>   PEAP: Setting User-Name to cjarrett
>>>   PEAP: Adding old state with 6a 69
>>>   PEAP: Sending tunneled request
>>>         EAP-Message = 
>>> 0x020600431a0206003e31177b8b92c88cf3358dc9dce769bb3fe80000000000000000c4134ec0576a1f17704daad6e18e3a3b5f08dec2a3b5f1ba00636a617272657474
>>>         FreeRADIUS-Proxied-To = 127.0.0.1
>>>         User-Name = "cjarrett"
>>>         State = 0x6a6983e73566293debc28f9785f4ba2c
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 6
>>>   modcall[authorize]: module "preprocess" returns ok for request 6
>>>   modcall[authorize]: module "chap" returns noop for request 6
>>>   modcall[authorize]: module "mschap" returns noop for request 6
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 6
>>>   rlm_eap: EAP packet type response id 6 length 67
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 6
>>>   modcall[authorize]: module "files" returns notfound for request 6
>>> modcall: leaving group authorize (returns updated) for request 6
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 6
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/mschapv2
>>>   rlm_eap: processing type mschapv2
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group MS-CHAP for request 6
>>>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>>>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>>   rlm_mschap: Told to do MS-CHAPv2 for cjarrett with NT-Password
>>>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>>>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>>>   modcall[authenticate]: module "mschap" returns reject for request 6
>>> modcall: leaving group MS-CHAP (returns reject) for request 6
>>>   rlm_eap: Freeing handler
>>>   modcall[authenticate]: module "eap" returns reject for request 6
>>> modcall: leaving group authenticate (returns reject) for request 6
>>> auth: Failed to validate the user.
>>>   PEAP: Got tunneled reply RADIUS code 3
>>>         MS-CHAP-Error = "\006E=691 R=1"
>>>         EAP-Message = 0x04060004
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>   PEAP: Processing from tunneled session code 0x9c06198 3
>>>         MS-CHAP-Error = "\006E=691 R=1"
>>>         EAP-Message = 0x04060004
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>   PEAP: Tunneled authentication was rejected.
>>>   rlm_eap_peap: FAILURE
>>>   modcall[authenticate]: module "eap" returns handled for request 6
>>> modcall: leaving group authenticate (returns handled) for request 6
>>> Sending Access-Challenge of id 6 to 10.1.22.10 port 2626
>>>         EAP-Message = 
>>> 0x010700261900170301001bf1f9bd115db78bcad8de732871f5282e1a0754b687ddc300965f0f
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>>         State = 0x56c5dd00772486e492f840877441be62
>>> Finished request 6
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228
>>>         Message-Authenticator = 0x55ab371942148ebc1eed6c3b87d626de
>>>         Service-Type = Framed-User
>>>         User-Name = "cjarrett"
>>>         Framed-MTU = 1488
>>>         State = 0x56c5dd00772486e492f840877441be62
>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>         NAS-Identifier = "AP11G"
>>>         NAS-Port-Type = Wireless-802.11
>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>         EAP-Message = 
>>> 0x020700261900170301001b4fbf51c05fb105bb02792f87fba4e8cd787ff2beafe7d334716e53
>>>         NAS-IP-Address = 10.1.22.10
>>>         NAS-Port = 2
>>>         NAS-Port-Id = "STA port # 2"
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 7
>>>   modcall[authorize]: module "preprocess" returns ok for request 7
>>>   modcall[authorize]: module "chap" returns noop for request 7
>>>   modcall[authorize]: module "mschap" returns noop for request 7
>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 7
>>>   rlm_eap: EAP packet type response id 7 length 38
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module "eap" returns updated for request 7
>>>     users: Matched entry DEFAULT at line 176
>>>   modcall[authorize]: module "files" returns ok for request 7
>>> modcall: leaving group authorize (returns updated) for request 7
>>>   rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 7
>>>   rlm_eap: Request found, released from the list
>>>   rlm_eap: EAP/peap
>>>   rlm_eap: processing type peap
>>>   rlm_eap_peap: Authenticate
>>>   rlm_eap_tls: processing TLS
>>>   eaptls_verify returned 7
>>>   rlm_eap_tls: Done initial handshake
>>>   eaptls_process returned 7
>>>   rlm_eap_peap: EAPTLS_OK
>>>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>>>   rlm_eap_peap: Received EAP-TLV response.
>>>   rlm_eap_peap: Tunneled data is valid.
>>>   rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected 
>>> earlier in this session.
>>>  rlm_eap: Handler failed in EAP/peap
>>>   rlm_eap: Failed in EAP select
>>>   modcall[authenticate]: module "eap" returns invalid for request 7
>>> modcall: leaving group authenticate (returns invalid) for request 7
>>> auth: Failed to validate the user.
>>> Delaying request 7 for 1 seconds
>>> Finished request 7
>>> Going to the next request
>>> Waking up in 5 seconds...
>>> rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228
>>> Sending Access-Reject of id 7 to 10.1.22.10 port 2626
>>>         EAP-Message = 0x04070004
>>>         Message-Authenticator = 0x00000000000000000000000000000000
>>> --- Walking the entire request list ---
>>> Waking up in 2 seconds...
>>> --- Walking the entire request list ---
>>> Cleaning up request 0 ID 0 with timestamp 4676f842
>>> Waking up in 1 seconds...
>>>
>>>
>>> tnt at kalik.co.yu wrote:
>>>     
>>>       
>>>> You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming
>>>> from? One of the DEFAULT entries? Don't set Auth-Type! Let the server
>>>> switch to one that's needed.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>>
>>>> On 18/6/2007, "Cody Jarrett" <cody.jarrett at itfreedom.com> wrote:
>>>>
>>>>       
>>>>         
>>>>> Sorry, 10.1.22.10 is the ip of my 3com.
>>>>>
>>>>> rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185
>>>>>         Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125
>>>>>         Service-Type = Framed-User
>>>>>         User-Name = "cjarrett"
>>>>>         Framed-MTU = 1488
>>>>>         Called-Station-Id = "00-0F-CB-FC-3E-5F:CJ Test"
>>>>>         Calling-Station-Id = "00-0E-35-FF-2A-82"
>>>>>         NAS-Identifier = "AP11G"
>>>>>         NAS-Port-Type = Wireless-802.11
>>>>>         Connect-Info = "CONNECT 54Mbps 802.11g"
>>>>>         EAP-Message = 0x0200000d01636a617272657474
>>>>>         NAS-IP-Address = 10.1.22.10
>>>>>         NAS-Port = 2
>>>>>         NAS-Port-Id = "STA port # 2"
>>>>>   Processing the authorize section of radiusd.conf
>>>>> modcall: entering group authorize for request 0
>>>>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>>>>   modcall[authorize]: module "chap" returns noop for request 0
>>>>>   modcall[authorize]: module "mschap" returns noop for request 0
>>>>>     rlm_realm: No '@' in User-Name = "cjarrett", looking up realm NULL
>>>>>     rlm_realm: No such realm "NULL"
>>>>>   modcall[authorize]: module "suffix" returns noop for request 0
>>>>>   rlm_eap: EAP packet type response id 0 length 13
>>>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>>>   modcall[authorize]: module "eap" returns updated for request 0
>>>>>     users: Matched entry DEFAULT at line 153
>>>>>     users: Matched entry DEFAULT at line 177
>>>>>   modcall[authorize]: module "files" returns ok for request 0
>>>>> modcall: leaving group authorize (returns updated) for request 0
>>>>>   rad_check_password:  Found Auth-Type pam
>>>>> auth: type "PAM"
>>>>>   Processing the authenticate section of radiusd.conf
>>>>> modcall: entering group authenticate for request 0
>>>>> rlm_pam: Attribute "User-Password" is required for authentication.
>>>>>   modcall[authenticate]: module "pam" returns invalid for request 0
>>>>> modcall: leaving group authenticate (returns invalid) for request 0
>>>>> auth: Failed to validate the user.
>>>>> Delaying request 0 for 1 seconds
>>>>> Finished request 0
>>>>> Going to the next request
>>>>> --- Walking the entire request list ---
>>>>> Waking up in 1 seconds...
>>>>> --- Walking the entire request list ---
>>>>> Waking up in 1 seconds...
>>>>> --- Walking the entire request list ---
>>>>> Sending Access-Reject of id 0 to 10.1.22.10 port 2458
>>>>> Waking up in 4 seconds...
>>>>>
>>>>>
>>>>>
>>>>> Kevin Bonner wrote:
>>>>>         
>>>>>           
>>>>>> On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
>>>>>>           
>>>>>>             
>>>>>>> I found a few topics on this issue but nothing quite informative enough.
>>>>>>> I'm trying to get freeradius auth working with pam and peap. When I test
>>>>>>> my config with radtest, I get Access-accept. When I use a windows XP
>>>>>>> supplicant with a 3com access point, I get:
>>>>>>>
>>>>>>> rlm_pam: Attribute "User-Password" is required for authentication.
>>>>>>> modcall[authenticate]: module "pam" returns invalid for request 4
>>>>>>> modcall: leaving group authenticate (returns invalid) for request 4
>>>>>>> auth: Failed to validate the user.
>>>>>>>
>>>>>>> Is the 3com not sending User-Password attributes in the packets, or is
>>>>>>> something else wrong?
>>>>>>>             
>>>>>>>               
>>>>>> Run FreeRADIUS in debug mode (radiusd -X) to verify.  We cannot guess what
>>>>>> your NAS/client is sending.
>>>>>>
>>>>>> -Kevin
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>>>           
>>>>>>             
> Password has to be in plaintext, or ntPassword (md4(unicode(passphrase))) 
> for PEAP.
> Inner encryption module used for authentication is usually MSCHAPv2 
> which will search for the check items NT-Password / Cleartext-Password. 
> You must provide these from a database/directory/configuration file.
>   
All the passwords stored in the ldap database are md5, is that going to 
work with peap?
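The mismatch pointed out earlier in this thread (Auth-Type forced to PAM on a request that carries EAP-Message and no User-Password) can be spotted mechanically in `radiusd -X` output. The following is an added example, not part of the original message or of FreeRADIUS; the function name and the sample log (constructed, abridged from lines quoted above) are assumptions for illustration.

```python
import re

# Constructed sample, abridged from the `radiusd -X` output quoted in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185
        User-Name = "cjarrett"
        EAP-Message = 0x0200000d01636a617272657474
modcall: entering group authorize for request 0
    users: Matched entry DEFAULT at line 153
  rad_check_password:  Found Auth-Type pam
rlm_pam: Attribute "User-Password" is required for authentication.
Sending Access-Reject of id 0 to 10.1.22.10 port 2458
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228
        User-Name = "cjarrett"
        EAP-Message = 0x02070004
modcall: entering group authorize for request 7
    users: Matched entry DEFAULT at line 176
  rad_check_password:  Found Auth-Type EAP
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+), id=(\d+)")
ATTR = re.compile(r"([A-Za-z][\w-]*) = ")          # request attribute line
AUTH = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
MATCHED = re.compile(r"users: Matched entry \S+ at line (\d+)")

def find_auth_type_conflicts(log_text):
    """Return requests that carry EAP-Message but were given a non-EAP Auth-Type."""
    findings, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # drop mail quote markers and indentation
        m = RECV.search(line)
        if m:  # a new request starts: reset per-request state
            cur = {"nas": m.group(1), "id": int(m.group(2)), "attrs": set(), "users_lines": []}
            continue
        if cur is None or line.startswith("Sending "):
            cur = None  # attributes after "Sending" belong to the reply, not the request
            continue
        m = ATTR.match(line)
        if m:
            cur["attrs"].add(m.group(1))
        m = MATCHED.search(line)
        if m:  # remember which users-file entries matched, to locate the forced Auth-Type
            cur["users_lines"].append(int(m.group(1)))
        m = AUTH.search(line)
        if m and "EAP-Message" in cur["attrs"] and m.group(1).upper() != "EAP":
            findings.append({"id": cur["id"], "nas": cur["nas"], "auth_type": m.group(1),
                             "users_lines": cur["users_lines"],
                             "has_password": "User-Password" in cur["attrs"]})
    return findings
```

Each finding lists the users-file line numbers that matched for that request, which is where to look for the entry that sets Auth-Type.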