Freeradius + PEAP.. stuck on validating identity..

Alan DeKok aland at
Thu Apr 1 17:57:41 CEST 2010

Bruno Kremel wrote:
> I am posting full log with first is radtest accepted and others are
> failde login from wifi client with 2 different accounts...
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
> 2010 at 15:58:09

  You should probably upgrade to 2.1.8.  It has a lot of fixes &&
features over 2.0.4.

> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
>     rlm_realm: No '@' in User-Name = "123", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 8 length 62
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

  And no "sql".  Edit raddb/sites-available/inner-tunnel, and add "sql"
to the "authorize" section.  It's already there, so you likely just have
to uncomment it.

>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yup.  No "known good" password means no authentication.

  You could also try:

  This lets you cut && paste the debug output into a form.  The response
is a colorized HTML page indicating common errors, and things you should
look into.  It won't catch this problem, but it will highlight the fact
that there was no "known good" password for the user.

  Alan DeKok.

More information about the Freeradius-Users mailing list