Cisco AP, mysql, either MSCHAP or Auth-Type problem I think

Mikael Syska mikael at syska.dk
Thu Mar 27 02:05:01 CET 2008


Hi,

Trying to get FreeRADIUS to work with a Cisco Aironet 1100 AP.

Also, as said in the "DEBUGGING" lines in the manual, change one thing
at a time ....

I'm using the default setup, with only the sql uncommented in the default "sites-enabled"

Running version: 2.0.3

I'm here so far ....
radtest 44 4444 localhost 1 testing123

From the "radiusd -X"
        User-Name = "44"
        User-Password = "4444"
        NAS-IP-Address = 172.17.4.1
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> 44
rlm_sql (sql): sql_set_user escaped user --> '44'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '44'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '44'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= '44'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "4444"
rlm_pap: Using clear text password "4444"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [44/4444] (from client localhost port 1)
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.


That means it knows my user ....
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  2 | 44       | Cleartext-Password | := | 4444  |
+----+----------+--------------------+----+-------+

Now I'm trying to auth from my Windows Vista to the access point ...
I've posted all the debug from the session:
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x2c78ecc5c0e94423b079797fb172c8a9
        EAP-Message = 0x02020007013434
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 7
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> 44
rlm_sql (sql): sql_set_user escaped user --> '44'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '44'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '44'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= '44'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
        EAP-Message = 0x0103001604101ff42f65fb82fd975b5cce4925620508
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051ac4ce41caf8c0fb3ddec01f0
Finished request 38.
Going to the next request
Waking up in 4.9 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0xbaeede640114549687d2d83426b3629b
        EAP-Message = 0x020300060319
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051ac4ce41caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> 44
rlm_sql (sql): sql_set_user escaped user --> '44'
rlm_sql (sql): Reserving sql socket id: 1
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '44'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '44'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= '44'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051ad4bf91caf8c0fb3ddec01f0
Finished request 39.
Going to the next request
Waking up in 4.9 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0xa94ce1a35fdea2d052afa1f206662678
        EAP-Message =
0x0204007119800000006716030100620100005e030147eaeedd67f44753eca6bf1b25ce0a71b731d414137b7a8064d2aa9f3e8bd48d000018002f00350005000ac009c00ac013c01400320038001300040100001d0000000700050000023434000a00080006001700180019000b00020100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051ad4bf91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 113
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 103
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0062], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 084e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
        EAP-Message =
0x0105040019c0000008ab160301004a02000046030147eaeeeb095d1a1e0b315cd9f0268b134ca77cd5895f40da89812c21caeca0e32039e479dd4abc49d2871a393c28d71b0ddfac0e267de00c586e4cc3bbfd1983f3002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504
        EAP-Message =
0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303332363032313532345a170d3039303332363032313532345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e737c8c3ca5af3e7707cd4419ca136ffdc51e18148696a366e09b2eee768
        EAP-Message =
0x070301300d06092a864886f70d0101040500038201010092dc877d80b06ecae5ba2b180d9a462868e2d7da701ff11ba0685c3fbd1652f4b67dfed1e8621cc0bb54c74dc55896274adc89f95485c30d35c8261ddde283c08801d5ac36875554f706046e4142bdcb08bbc8ed80d9fde3b149cbc304bda53d8484f7b0abb357cc528cb61ac3ca5b94a5694ec7c9eee2c85bcda0661fcf595e03b8a8b11e778d9f9513e9e3bcb15552b32f662371a3aa68fa1ff830714340391283ae4569905e47ae9ad97903ff146ce4709bba831d172e46296c42b8fb221675b973129a30c776cb9871a76a368d02352a75386af2783fa3dae5d7c2142226bd4f2014c07d
        EAP-Message = 0x89f399ca4e40799b54d7b7f0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051ae4af91caf8c0fb3ddec01f0
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x7a48e054d23bf5218cd465711cdf2d89
        EAP-Message = 0x020500061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051ae4af91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
        EAP-Message =
0x010603fc19407d1a9e53e68b483ec93486a6b62800049b308204973082037fa003020102020100300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303332363032313531385a170d3038303432353032313531385a308193310b300906035504061302465231
        EAP-Message =
0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cc59d17404c68eb77da5daae25944298fc16f0d16e4af40485998432137ded9c8ecab6adb289e5f182f021a485c2ce0d0408034643fd3e8396f07c2a0d7b321ac9308c81bce0fa87d151a6c78ea6d21fc19734475df7ee
        EAP-Message =
0x308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010405000382010100aa73739552fb793eb38967f2cd283e961921b162826a746de1daeebbc9869bb1b9a11631d4655732bc659282809630229d2c454636e5dba531433968ec3f253f0943
        EAP-Message = 0xae9d48dcba25d3e1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051af49f91caf8c0fb3ddec01f0
Finished request 41.
Going to the next request
Waking up in 4.9 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0xbca4b17cb162e97121365b24329f3f51
        EAP-Message = 0x020600061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051af49f91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
        EAP-Message =
0x010700c51900b428f1e7fcc055a0b54a919224898754cdaa1224993cfd614efb270d034988e65ff91f1bff7b0afaea539505c02990844d4c3866371cd9767ddca1c5d31d1f72c26d3b12f47ec4c5cd98188631557121c1267dab38229ab3b155bce4cfe2e82af9817212cb64fa705f5ed9eb8c34aa67f0ce97b1ff8aa14abd749607d357c855cd95039d65f85c3c9c461ae630a5af488ac8289cc9df8ca6c7cb466a6604d0f7b905c2eff4781fd01d2b7705101f27680b182256ca2e16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051a848f91caf8c0fb3ddec01f0
Finished request 42.
Going to the next request
Waking up in 4.8 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0xa3a63c00ff890e9765dbc6e7b0e9db86
        EAP-Message =
0x0207015019800000014616030101061000010201000eff9767934a9d5177220f926c4f85f06024b8e1f9bced0a0fd33624864ab2ca6f88531c736b31beb9d95262ebabaa437975bd07d5705dcef2aa1bbb35deb071e84184f75972ab63506697c027a3e6570dfec441b4823ca1f303733534059deb99f14a5488dbc174a5d985ebdb3464484053bb45f72e4e12f01bfcf1605df3d5b031d087e45f24f79c03f3f6f5eccbe173e08777b76a062d06efc9c32e58d9dc761fb95b5551ad889e1cdaf33a7a211a01bf8379c0568faedf73c050ad7028ec75e5dbcbd551a6ce206495cfe00690d3a03b9554636fd83d6a0d9f6b91017c15578a035b8bf3618b
        EAP-Message =
0x641db5c4d33b9fe5a9ca377a2de9a74857fb5b3b35c3a1951403010001011603010030d402557fb1e6617086ebe5d21bf90950ed9220350ce2f5de49c6b1cf6de14639b190058ac2b298260275f90f9c04d51d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051a848f91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 7 length 253
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 326
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
        EAP-Message =
0x0108004119001403010001011603010030bcfd373096d5438924af92e0207aec4f1ec1c651b2ddaa21f0e8383dcbad84976837bff893b4e6fbf9cb254f51369e2a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051a947f91caf8c0fb3ddec01f0
Finished request 43.
Going to the next request
Waking up in 4.8 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x98e9620b015809364bac4ebfd64a18b1
        EAP-Message = 0x020800061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051a947f91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
        EAP-Message =
0x0109002b19001703010020320b66e1a80499fc6cc7abf63e8262b634dcf89c1fec94e342f00719e0b05c84
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051aa46f91caf8c0fb3ddec01f0
Finished request 44.
Going to the next request
Waking up in 4.8 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0xe822cea7db71367fb74643fca49763c8
        EAP-Message =
0x0209002b190017030100205fa8fd2083f6024ec6e3265a3184d53ad3dc3e1436f25f1683ddbebe4bbe0102
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051aa46f91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - 44
  PEAP: Got tunneled identity of 44
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to 44
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [44/<no User-Password attribute>] (from client ap30 port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
        EAP-Message =
0x010a002b19001703010020bbe8e18591d9547924aa8edcf8488ab76d40e59daaa552d122744c0647c3b0d6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac4fe051ab45f91caf8c0fb3ddec01f0
Finished request 45.
Going to the next request
Waking up in 4.1 seconds.
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x64694103d3bc1eb94961ded676b3c9ed
        EAP-Message =
0x020a002b1900170301002007064ccd8a958d75834052d3fc66dac7e31f52d610588da475bf61ab46f99be6
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 691
        State = 0xac4fe051ab45f91caf8c0fb3ddec01f0
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [44/<via Auth-Type = EAP>] (from client ap30 port 691
cli 001b.77d2.b10c)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 44
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 46 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 46
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
Cleaning up request 38 ID 123 with timestamp +2658
Cleaning up request 39 ID 124 with timestamp +2658
Cleaning up request 40 ID 125 with timestamp +2658
Cleaning up request 41 ID 126 with timestamp +2658
Cleaning up request 42 ID 127 with timestamp +2658
Cleaning up request 43 ID 128 with timestamp +2658
Cleaning up request 44 ID 129 with timestamp +2658
Cleaning up request 45 ID 130 with timestamp +2658
Waking up in 1.6 seconds.
Cleaning up request 46 ID 131 with timestamp +2658
Ready to process requests.




The place I think it goes wrong is:
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

But what do I need?
I have added the user with "dialup_admin" and changed the
User-Password -> Cleartext-Password as stated in the Debug information
...

But I'm lost here ... I haven't done any RADIUS configuration before
... So I'm completely lost here ....

Setting an Auth-Type := System gives:
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x83911cfc873f7688e9ce7b7954aa46ce
        EAP-Message = 0x02020007013434
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 710
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 7
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> 44
rlm_sql (sql): sql_set_user escaped user --> '44'
rlm_sql (sql): Reserving sql socket id: 0
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '44'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '44'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= '44'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type System
auth: type "System"
+- entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
++[unix] returns invalid
auth: Failed to validate the user.
Login incorrect: [44/<via Auth-Type = System>] (from client ap30 port
710 cli 001b.77d2.b10c)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 44
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 47 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 47
Waking up in 4.9 seconds.
Cleaning up request 47 ID 132 with timestamp +3218
Ready to process requests.

and
Auth-Type := Local:
        User-Name = "44"
        Framed-MTU = 1400
        Called-Station-Id = "001e.be8e.03e0"
        Calling-Station-Id = "001b.77d2.b10c"
        Service-Type = Login-User
        Message-Authenticator = 0x896a8b81dd239b1870c2b24ad9d22689
        EAP-Message = 0x02020007013434
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 713
        NAS-IP-Address = 172.17.4.30
        NAS-Identifier = "ap30"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "44", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 7
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> 44
rlm_sql (sql): sql_set_user escaped user --> '44'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '44'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '44'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= '44'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [44/<via Auth-Type = Local>] (from client ap30 port
713 cli 001b.77d2.b10c)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 44
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated




So .... as you can see ... I'm not at all master of what I'm trying to
do here ....

Hope there is some help to get ...

Links to where I can read more, as the FreeRADIUS site is so big that I
don't know where to begin .....

Really hope there is someone who can cast some light on my problem
.... really lost.

best regards
Mikael Syska
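
For readers following the `radiusd -X` trace above, this added example (not part of the original post or of FreeRADIUS) decodes the `EAP-Message` values from the log into code, identifier, type and the Nak/TLS-flag details. The function names are hypothetical; the code and type numbers are the RFC 3748 / IANA assignments, and the last sample packet is constructed.

```python
import struct

# EAP codes and a subset of EAP method types (RFC 3748 / IANA registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# Flag bits in the first byte of EAP-TLS / TTLS / PEAP data.
TLS_FLAGS = ((0x80, "Length-Included"), (0x40, "More-Fragments"), (0x20, "Start"))


def _type_name(number):
    return EAP_TYPES.get(number, "Unknown(%d)" % number)


def decode_eap(*hex_fragments):
    """Decode one EAP packet.

    RADIUS carries at most 253 bytes per EAP-Message attribute, so a large
    packet arrives as several attributes; pass them in order and they are
    concatenated before parsing.
    """
    raw = b"".join(
        bytes.fromhex(h[2:] if h[:2].lower() == "0x" else h) for h in hex_fragments
    )
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length %d does not fit %d bytes supplied"
                         % (length, len(raw)))

    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    # Only Request and Response carry a Type field; Success/Failure are 4 bytes.
    if code in (1, 2) and length >= 5:
        etype, data = raw[4], raw[5:length]
        pkt["type"] = _type_name(etype)
        if etype == 1:                      # Identity: the outer user name
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                    # Nak: methods the peer will accept
            pkt["wants"] = [_type_name(t) for t in data]
        elif etype == 4 and data:           # MD5-Challenge: value-size byte
            pkt["challenge_len"] = data[0]
        elif etype in (13, 21, 25) and data:
            flags = data[0]
            pkt["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
            if flags & 0x80 and len(data) >= 5:
                pkt["tls_length"] = struct.unpack("!I", data[1:5])[0]
    return pkt


# EAP-Message values copied from the debug output in the post, in order,
# followed by one constructed packet.
SAMPLES = [
    "0x02020007013434",                                # peer identity
    "0x0103001604101ff42f65fb82fd975b5cce4925620508",  # server offers MD5
    "0x020300060319",                                  # peer Naks
    "0x010400061920",                                  # server starts PEAP
    "0x020500061900",                                  # peer ACKs a fragment
    "0x040a0004",                                      # final reject
    "0x0204000a198000000067",  # constructed: header only, Length-Included set
]


def trace(samples=SAMPLES):
    """Return one readable line per packet."""
    lines = []
    for value in samples:
        pkt = decode_eap(value)
        extra = ", ".join("%s=%s" % (k, v) for k, v in pkt.items()
                          if k not in ("code", "id", "length", "type"))
        lines.append("%-8s id=%-2d %-13s %s" % (pkt["code"], pkt["id"],
                                                 pkt.get("type", "-"), extra))
    return lines


if __name__ == "__main__":
    print("\n".join(trace()))
```
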


