Failure to get freeradius work with mysql
Thai Pham Vinh
phamvinhthai at yahoo.com
Thu Dec 3 05:27:18 CET 2009
Hello all,
I'm doing some investigation to set up a system to authenticate wireless clients using 802.1X. freeradius is my choice because it's free and robust. I followed the instructions in "Deploying FreeRadius with MySQL Cluster Database" to set it up. I used radtest to verify the account in both the "users" file and the "mysql" database successfully. However, when it came to working with the wireless client, only the account in the "users" file worked. The users stored in the "mysql" database didn't. I configured the laptop to use EAP-PEAP.
I examined the debug output and found that FR rejected the client request at the last steps (when using the mysql database):
rad_recv: Access-Request packet from host 10.100.0.152 port 1226, id=242, length=271
User-Name = "user1"
NAS-IP-Address = 10.100.0.152
NAS-Identifier = "00:1f:41:54:c4:19"
NAS-Port = 1
Called-Station-Id = "00-1F-41-54-C4-19:free-internet"
Calling-Station-Id = "00-19-7E-75-8F-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020700571900170301004c7a9ca4c1143f9e8369e9648842e42d52e47f32e377ddb7109dea0dff2a19a761b2344bf994690cdcc4929bbd725db2e151869d3c1673f6cb54cdfc8a9c366acb69ae7492cf63732a02a10a98
State = 0xfa24a8fafc23b1c9dd29d46684e60d05
Message-Authenticator = 0xe5772ca3d27eede908597d3ec363cdfe
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700401a0207003b31f1d2adb1254069291e8790ea6b2abf8b0000000000000000c0da299a4d8e225d5eb3c29a799bdfd2e5f1fbb8b9ccf5c8007573657231
server {
PEAP: Setting User-Name to user1
Sending tunneled request
EAP-Message = 0x020700401a0207003b31f1d2adb1254069291e8790ea6b2abf8b0000000000000000c0da299a4d8e225d5eb3c29a799bdfd2e5f1fbb8b9ccf5c8007573657231
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user1"
State = 0xb8773755b8702dae4ab169969e969276
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 242 to 10.100.0.152 port 1226
EAP-Message = 0x010800261900170301001bb01d04e6aa35394f3fb1a6ba4967e4d4d123c69434f2c2cf442703
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa24a8fafd2cb1c9dd29d46684e60d05
Finished request 21.
I'm still reading more to understand the technology. But I hope that someone could help me to fix the problem.
Thanks,
Thai.
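
The debug output quoted above can be read mechanically. This added example (not part of the original post, and not FreeRADIUS code) tracks which virtual server each `++[module]` line belongs to and, for the server where mschap reported no NT/LM-Password, lists the modules its authorize section called. The `diagnose` helper and the `sql` module name are assumptions for illustration; the sample is an abbreviated excerpt of the log in the post.

```python
import re

# Abbreviated excerpt of the debug output quoted in the post above.
SAMPLE = """\
+- entering group authorize {...}
++[eap] returns ok
+- entering group authenticate {...}
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[suffix] returns noop
++[control] returns noop
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group authenticate {...}
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
} # server inner-tunnel
++[eap] returns handled
"""

OPEN = re.compile(r"^server (\S+) \{$")
CLOSE = re.compile(r"^\} # server \S+$")
GROUP = re.compile(r"^\+- entering group (\S+)")
MODULE = re.compile(r"^\++\[(\w+)\] returns \w+")
NO_PASSWORD = "FAILED: No NT/LM-Password"

def diagnose(log, backend="sql"):
    """Per server where mschap had no password: authorize modules, backend use."""
    stack, called, failed = [["default", None]], {}, set()
    for line in map(str.strip, log.splitlines()):
        if m := OPEN.match(line):
            stack.append([m.group(1), None])      # tunneled request starts
        elif CLOSE.match(line) and len(stack) > 1:
            stack.pop()                           # back to the outer server
        elif m := GROUP.match(line):
            stack[-1][1] = m.group(1)             # authorize / authenticate
        elif m := MODULE.match(line):
            called.setdefault(tuple(stack[-1]), []).append(m.group(1))
        elif NO_PASSWORD in line:
            failed.add(stack[-1][0])              # server that lacked a password
    return {s: {"authorize": called.get((s, "authorize"), []),
                "backend_called": backend in called.get((s, "authorize"), [])}
            for s in failed}
```

Calling `diagnose(SAMPLE)` reports that the `inner-tunnel` authorize section ran `chap` through `pap` but never a module named `sql`, which is consistent with the `No Cleartext-Password configured` lines in the log.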