Cannot Authenticate - Help!

Filipe Scalioni filipe at osbogas.com.br
Thu Jun 18 19:36:48 CEST 2009


I was really using an OLD version, just installed with yum on CentOS
5.03 and that package came. I removed it completely and installed the
latest one from freeradius.org (2.1.6). Put it to run and I still cannot
authenticate... The log now is REALLY BIG (1553 lines!), so I think it
won't fit here. I read through it and I think that the failure is in EAP,
but I can't figure out what it is... Here is a portion of the log, cut
a little bit above where the errors begin:

+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/Bruna-PC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/Bruna-PC with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.10.40 port 1626
	EAP-Message = 0x0109002b19001703010020b13527dc7f67c4b029ac51c3a63ac74c2cf96da9f5dc022a07f84c96ed08063d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x20f14f3328f8565a13796ff2a63166b8
Finished request 18.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.40 port 1626, id=9, length=239
	Message-Authenticator = 0x56f28528e049d66735949a71133271a4
	Service-Type = Framed-User
	User-Name = "host/Bruna-PC"
	Framed-MTU = 1488
	State = 0x20f14f3328f8565a13796ff2a63166b8
	Called-Station-Id = "00-1D-7E-5F-DF-AB:Metasys-Desktop"
	Calling-Station-Id = "00-16-44-DA-54-89"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x0209002b19001703010020fe1720018ad5ed26df018427f1605ab89c44772ce85d4b561e2f79175ef1727e
	NAS-IP-Address = 192.168.10.40
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Bruna-PC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> host/Bruna-PC
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 19
Sending Access-Reject of id 9 to 192.168.10.40 port 1626
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 10 ID 0 with timestamp +115
Cleaning up request 11 ID 1 with timestamp +115
Cleaning up request 12 ID 2 with timestamp +115
Cleaning up request 13 ID 3 with timestamp +115
Cleaning up request 14 ID 4 with timestamp +115
Cleaning up request 15 ID 5 with timestamp +115
Cleaning up request 16 ID 6 with timestamp +115
Cleaning up request 17 ID 7 with timestamp +115
Cleaning up request 18 ID 8 with timestamp +115
Waking up in 1.0 seconds.
Cleaning up request 19 ID 9 with timestamp +115
Ready to process requests.


These two lines caught my eye:

[eap] Handler failed in EAP/peap
[eap] Failed in EAP select

But I don't know how to fix it. I've played with the configs in eap.conf
but I was unsuccessful. Everything, except for ipaddr and port in
radiusd.conf, was left untouched initially. I tried to use the
"NT_domain_hack" from the mschap config but it was no good either...

Thanks for any help!
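
Added example, not part of the original post: a small triage pass over radiusd debug output that reports the first module to return a failure code, the FAILED reasons logged before it, and the failures that followed. The function name `triage`, the report keys and the choice of failure codes are assumptions of this example; the sample is an excerpt of the log above, and the error-code table follows RFC 2759.

```python
import re

# Excerpt copied from the radiusd debug output posted above.
SAMPLE = r'''
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/Bruna-PC with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\010E=691 R=1"
[peap] Tunneled authentication was rejected.
++[eap] returns handled
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
'''

RESULT = re.compile(r'^\++\[([\w.]+)\] returns (\w+)$')
FAILED = re.compile(r'^\[([\w.]+)\] FAILED: (.+)$')
MSCHAP_ERROR = re.compile(r'MS-CHAP-Error = ".*?E=(\d+) R=([01])')
# Error codes defined for the MS-CHAPv2 failure packet in RFC 2759.
RFC2759 = {646: "restricted logon hours", 647: "account disabled",
           648: "password expired", 649: "no dial-in permission",
           691: "authentication failure", 709: "error changing password"}
BAD = {"reject", "fail", "invalid"}  # return codes treated as failures here

def triage(log_text):
    """Return the first failing module, its logged reasons, and what followed."""
    report = {"first": None, "reasons": [], "later": [], "mschap": None,
              "replayed_reject": False}
    for line in map(str.strip, log_text.splitlines()):
        if (m := RESULT.match(line)) and m[2] in BAD:
            if report["first"] is None:
                report["first"] = m[1]          # earliest failure in the log
            else:
                report["later"].append((m[1], m[2]))
        elif (m := FAILED.match(line)) and report["first"] is None:
            report["reasons"].append(m[2])      # reasons logged before it
        elif (m := MSCHAP_ERROR.search(line)):
            code = int(m[1])                    # E=<code> R=<retry allowed>
            report["mschap"] = (code, RFC2759.get(code, "unknown"), m[2] == "1")
        elif "User was rejected earlier in this session" in line:
            report["replayed_reject"] = True    # outer PEAP repeats inner result
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
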


