wpa2 - huntgroup problems

Hans Bornemann hans.bornemann at uni-dortmund.de
Thu Apr 10 10:54:25 CEST 2008 

Hi,

I have a problem with huntgroups and wpa2. It concerns the following:

First, huntgroups works with ntradping and crypt-passwd:

mysql-db

unzinn    | NT-Password    | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5
unzinn    | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1
unzinn    | Huntgroup-Name | == | hrzvpn

with wpa2 (PEAP/MSCHAPv2) it works only without the huntgroup entry.

Is this a problem because of different adresses?
Access-Request packet from host 129.217.169.191 ..
NAS-IP-Address = 129.217.157.246 ?


huntgroups:
hrzvpn          NAS-IP-Address == 129.217.157.246


debug:

rad_recv: 
:32769, id=33, length=176
	User-Name = "unzinn"
	Calling-Station-Id = "00-19-D2-CF-E5-50"
	Called-Station-Id = "00-0B-85-9A-2D-30:ITMC-WPA2"
	NAS-Port = 29
	NAS-IP-Address = 129.217.157.246
	NAS-Identifier = "mh-wlc4"
	Airespace-Wlan-Id = 5
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "3503"
	EAP-Message = 0x0201000b01756e7a696e6e
	Message-Authenticator = 0x2bf90a315bc202464b3819722bfef98e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "chap" returns noop for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "unzinn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: EAP packet type response id 1 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 9
radius_xlat:  'unzinn'
rlm_sql (sql): sql_set_user escaped user --> 'unzinn'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'unzinn'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'unzinn' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radreply           WHERE Username = 'unzinn'           ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'unzinn' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): No matching entry in the database for request from user
[unzinn]
  modcall[authorize]: module "sql" returns notfound for request 9
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
....

Thanks
Hans





-- 
Hans Bornemann
Universitaet Dortmund - ITMC
Tel. ++49 231 755 2132  Fax. ++49 231 755 2731

More information about the Freeradius-Users mailing list