Freeradius doesn't detect EAP when authenticating against MySQL
Andrew Rowson
freeradius at growse.com
Sun Sep 9 23:24:10 CEST 2007
Alan DeKok wrote:
> Andrew Rowson wrote:
>> Ok, I updated the radcheck table in mysql so that the attribute read
>> "Cleartext-Password". I now get a different result when trying to log in
>> from the wlan:
> ...
>> rlm_eap_peap: Had sent TLV failure. User was rejected
>> earlier in this session.
>
> Please post the *previous* debug messages, which indicate *why* the
> user was rejected.
A complete output dump from freeradius is quite long, so I've hosted it
at http://public.growse.com/radiusd.log
Looking over it, it seems that a problem comes up with the MSCHAP bit:
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 14
This appears to imply that there's no User-Password entry found anywhere
for the user in the database. This would be correct, as the attribute in
the radcheck table is set to Cleartext-Password. Anything other than
Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
but Local instead, going back to my original problem.
Andrew
>> Also, my cisco device logins have now broken since updating this
>> attribute, I'm guessing because the sql module can't authenticate the
>> user against the db?
>
> No. The SQL module doesn't authenticate users.
>
> Again, read the *entire* debug log to see what's going on.
>
> Alan DeKok.
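Alan's advice to read the debug messages that precede a rejection can be scripted. The following is an added example, not part of the original thread or of FreeRADIUS: a Python sketch that, for each `returns reject` line in a debug log, collects the failure lines the same module printed just before it. The function name `explain_rejects` and the keyword list are assumptions; the sample lines are the ones quoted in the message above, arranged as a constructed log.

```python
import re

# Constructed sample: debug lines quoted in the message above. The
# rlm_eap_peap line is included so the module filter has something to skip.
SAMPLE_LOG = """\
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 14
"""

REJECT_RE = re.compile(
    r'module "(?P<mod>[^"]+)" returns reject for request (?P<req>\d+)')
# Assumption: words that mark a line as a failure reason in this log style.
KEYWORDS = ("FAILED", "Cannot")

def explain_rejects(log_text, window=20):
    """Return [(request_id, module, [reason, ...])], one entry per reject."""
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = REJECT_RE.search(line)
        if not m:
            continue
        prefix = "rlm_%s:" % m.group("mod")
        reasons = []
        # Walk backwards from the reject line, at most `window` lines.
        for prev in reversed(lines[max(0, i - window):i]):
            if REJECT_RE.search(prev):
                break  # anything earlier belongs to a previous rejection
            text = prev.strip()
            if text.startswith(prefix) and any(k in text for k in KEYWORDS):
                reasons.append(text[len(prefix):].strip())
        reasons.reverse()  # restore log order
        findings.append((m.group("req"), m.group("mod"), reasons))
    return findings

if __name__ == "__main__":
    for req, mod, reasons in explain_rejects(SAMPLE_LOG):
        print("request %s rejected by %s:" % (req, mod))
        for reason in reasons:
            print("  " + reason)
```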