EAP mschapv2 Failed to authenticate the user

Pedro Alves pedrojmalves at gmail.com
Wed May 19 11:45:18 CEST 2010


Ok, this is it: radius -X logs with packets:

rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=151, length=134
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x69c0bdb2f77ea232cbb08cf2c83496b9
        EAP-Message = 0x0201000d015343313030353538
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'SCxxxxxx'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'SCxxxxxx'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 151 to 10.1.3.17 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a71a2665d779b09e23c4bbcc5
Finished request 10.
Going to the next request
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=152, length=251
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0xfec204f79341a8f5862c5667a618628d
        EAP-Message = 0x0202007019800000006616030100610100005d03014bf2bfb6ed6206a28296dff33b58190d3d71a6fa3fa34f7512115f8ea3f9214100003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a71a2665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 152 to 10.1.3.17 port 1645
        EAP-Message = 0x0d3133303530323138303030375a307b310b3009060355040613025054310f300d060355040813064c6973626f6131143012060355040a130b53756d6f6c436f6d70616c310c300a060355040b1303647369311430120603550403130b53756d6f6c436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d70616c2e707430819f300d06092a864886f70d010101050003818d0030818902818100f8957c8923b7bbefa910f557ab74f5f950f50b7211be83d0ac53630430edf40257c6b4f7f4cbb584e3ae97b48f66ac31cb8ac302f064d9c8967654128a9288297ff276e3c2dd91669b90d1ba52215990ad7a6a07e5
        EAP-Message = 0x03550403130b53756d6f6c43
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a70a3665d779b09e23c4bbcc5
Finished request 11.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=153, length=145
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x3bb21c2657201679cb8ec944891469f4
        EAP-Message = 0x020300061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a70a3665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 153 to 10.1.3.17 port 1645
        EAP-Message = 0x22e1b8d859d4f5de
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a73a4665d779b09e23c4bbcc5
Finished request 12.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=154, length=145
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0xa3951d2c17ace66b077f00fc7bf0e6d9
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a73a4665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 154 to 10.1.3.17 port 1645
        EAP-Message = 0x7e2faed53317515aba6737ea4dc992a3c60a479de7aee9a7cb4d9fb5adbffb0ce15a9e4454ba8a52311ecdd7b0e59656f1a9992e16ed0f34eb3e0b680f50b16338f37a8252b818f1241df03a9e16840ba3a1639db282d5aacbf4f6ff1d87f6a5574c33ea5bc02b6fa9c9ef9f7931562b011bee0316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a72a5665d779b09e23c4bbcc5
Finished request 13.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=155, length=347
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x19105064daaf31e887425b24651b81f0
        EAP-Message = 0x020500d01980000000c61603010086100000820080abae2e2f4f44f5d08810fd2381d392c2015258106ee277bbe0b05610ffb1ef62b44656acb92e2393268c0c1941480ab6ae8ff78518a2b32a41d28376dd06a05653661d4fa894fef1580415fcfdf9124c7c37a7bd4257191ac95976ff7bb98e92457676556df1cf7e5091e73cec917340ee1cb931fbc2042b77614881c785d40f140301000101160301003057e5cb45b47e93b0b594619d739390e28385488a9498746b9268cb2c78d81aab44bee5f592d76374a58615ff155e81ac
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a72a5665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 155 to 10.1.3.17 port 1645
        EAP-Message = 0x01060041190014030100010116030100305e71c8d68d36fcd86bcafcc8cb3e2844c70ab21c81dd08f95ed93e7f00f4beb433f6d8b85766b0b5589a00357960c5ba
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a75a6665d779b09e23c4bbcc5
Finished request 14.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=156, length=145
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x48ce51b9867ef2956fe03dc1f1d03439
        EAP-Message = 0x020600061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a75a6665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 156 to 10.1.3.17 port 1645
        EAP-Message = 0x0107002b19001703010020cf52edce1f82a710b58c1c4858ab02ad12f6a180500d84269090b540687e30dc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a74a7665d779b09e23c4bbcc5
Finished request 15.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=157, length=219
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0xd530849a7abac306539b90b908518fc3
        EAP-Message = 0x02070050190017030100206bc36363ce7860db7b98d045d281e783ab75f7cb90b274ea5abe9b21a25685d9170301002013fcf9dbfe1a5f4d0ede5bc6b33b8faa6cc6da182c9d64658e862b22a2cc11a9
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a74a7665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - SCxxxxxx
[peap] Got tunneled request
        EAP-Message = 0x0207000d015343313030353538
server  {
  PEAP: Got tunneled identity of SCxxxxxx
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
        EAP-Message = 0x0207000d015343313030353538
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "SCxxxxxx"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'SCxxxxxx'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'SCxxxxxx'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010800221a0108001d10da858d721d2eae1b76bceca6c3cf8fca5343313030353538
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa664a388a66cb983d236d23ebef37d3d
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010800221a0108001d10da858d721d2eae1b76bceca6c3cf8fca5343313030353538
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa664a388a66cb983d236d23ebef37d3d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 157 to 10.1.3.17 port 1645
        EAP-Message = 0x0108004b19001703010040fe8440f6630f7d88ee229e5a486b85ecd9fee28524b56055249a462f18800a2c7d5a06a9651e132b098be2f2c938b6dc795fa4bbf3a2345d78b216e847f4ae78
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a77a8665d779b09e23c4bbcc5
Finished request 16.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=158, length=283
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x776ff2b831f9a969c494a1381e93b15e
        EAP-Message = 0x020800901900170301002024d1038c0d3204f8fdaffffeb5d27d8af99505c85af736757559407840d8d80117030100607a55a04202ab1bac1ee36032254706582604c929bb2cb1df635c7decc8a7eaea82a6f8f1cdaafaff46d5de57d4a0d739ed7d872723601879b37920586e1918f6618b69a6a6808bf94a203e34585c2db1efa0a25c448386e5d674a751b22ee8af
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a77a8665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020800431a0208003e318d6715cf1b766ba449213e70d547fd620000000000000000d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417005343313030353538
server  {
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
        EAP-Message = 0x020800431a0208003e318d6715cf1b766ba449213e70d547fd620000000000000000d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417005343313030353538
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "SCxxxxxx"
        State = 0xa664a388a66cb983d236d23ebef37d3d
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'SCxxxxxx'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'SCxxxxxx'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for SCxxxxxx with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} -> 
[mschap]        ... expanding second conditional
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-sxxxxxxxx} -> --domain=sxxxxxxxxx
[mschap]        expand: %{Stripped-User-Name} -> 
[mschap]        ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]        expand: %{User-Name:-None} -> SCxxxxxx
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=SCxxxxxx
[mschap]  mschap2: da
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=6acdf0838a09579d
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d27bf329069b5287e10c2aecb5db2d2b6ec72b5009d4b417
Exec-Program output: NT_KEY: 5F4E8449C438F65A74F572745BB76D4B 
Exec-Program-Wait: plaintext: NT_KEY: 5F4E8449C438F65A74F572745BB76D4B 
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900331a0308002e533d36394636324143333342424342363530313838433746413336413046323439434345363535423132
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa664a388a76db983d236d23ebef37d3d
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900331a0308002e533d36394636324143333342424342363530313838433746413336413046323439434345363535423132
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa664a388a76db983d236d23ebef37d3d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 158 to 10.1.3.17 port 1645
        EAP-Message = 0x0109005b19001703010050f3713234ef67f70fb3db926e546551d060bea83aeb8cc7a5252cd2b6a28a6e1737369bb10c1926ac1241d3e8cd681e5fb431babf61bdc3db7b8ccc486adf282599179dd9afd5c249c26de9f939ff7be4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a76a9665d779b09e23c4bbcc5
Finished request 17.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=159, length=219
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0x9cd0dabf5df53bfa7fc35fa43d366933
        EAP-Message = 0x0209005019001703010020261ff487a8d8832e68d1548f56b04d87c6329b28fe2bc8d2575d21273da016ad170301002089f34c53faa28e493b56fbecc85f8cf2f0b1172212995969e6f5e2de1ab7604f
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a76a9665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900061a04
server  {
  PEAP: Setting User-Name to SCxxxxxx
Sending tunneled request
        EAP-Message = 0x020900061a04
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "SCxxxxxx"
        State = 0xa664a388a76db983d236d23ebef37d3d
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> SCxxxxxx
[sql] sql_set_user escaped user --> 'SCxxxxxx'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'SCxxxxxx'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'SCxxxxxx'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User SCxxxxxx not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.1.3.17 port 1645
        EAP-Message = 0x010a002b190017030100202e8d249df8eae2bea8cc7a0715b973aaf3c7b9b75c1c4708cd475c7c41485156
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71a07f9a79aa665d779b09e23c4bbcc5
Finished request 18.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=160, length=219
        User-Name = "SCxxxxxx"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001a.73a8.6482"
        Service-Type = Login-User
        Message-Authenticator = 0xb80ea40196f818e93145fa48861f26ee
        EAP-Message = 0x020a00501900170301002017fa468115e7a7cf26fb13623a2ae41edea9f192fa65bb84dc1f1a5d1f142a0e17030100208d47a1fdfa3ee6b8b62bde0c18c43d3ad37de55e74d5c99f92509b86f79ab892
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1965
        State = 0x71a07f9a79aa665d779b09e23c4bbcc5
        NAS-IP-Address = 10.1.3.17
        NAS-Identifier = "apTeste"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "SCxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> SCxxxxxx
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request



-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail.com at lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, 19 May 2010 9:11
To: FreeRadius users mailing list
Subject: Re: EAP mschapv2 Failed to authenticate the user

Hi,

> Radiusd -X log:

...which is useless because all it shows is the startup stuff.....i.e.
we need to see the occurrences after the following lines...

> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.

.....silence here. this is where we expect to see things to help you

alan
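
Added example, not part of the original post or of FreeRADIUS: a small decoder for the EAP-Message values that radiusd -X prints, run over three inner-tunnel values copied from the log above. It shows that the packet logged as "Invalid response type 4" is an EAP-MSCHAPv2 response carrying OpCode 4 (Failure), sent in reply to the server's Success request; all function and variable names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP",
             26: "MS-CHAPv2", 33: "EAP-TLV"}
# OpCode values defined for EAP-MSCHAPv2 (EAP type 26).
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}
# Flag bits of the first byte after the Type field in EAP-TLS/PEAP packets.
TLS_FLAGS = ((0x80, "length-included"), (0x40, "more-fragments"), (0x20, "start"))

# Inner-tunnel EAP-Message values copied from the log above, in order:
# the server's tunneled reply, the peer's next tunneled request, the final reply.
INNER_FROM_LOG = [
    "0x010900331a0308002e533d36394636324143333342424342363530313838433746413336413046323439434345363535423132",
    "0x020900061a04",
    "0x04090004",
]


def decode_mschapv2(body):
    """Decode the EAP-MSCHAPv2 payload that follows the EAP Type byte."""
    op = body[0]
    out = {"opcode": MSCHAPV2_OPCODES.get(op, "Unknown(%d)" % op)}
    if len(body) < 4:
        return out  # Success/Failure responses are the OpCode byte alone
    out["ms_id"] = body[1]
    out["ms_length"] = struct.unpack("!H", body[2:4])[0]
    data = body[4:]
    if op in (1, 2) and data:
        size = data[0]                    # 16 for a Challenge, 49 for a Response
        out["value_size"] = size
        out["name_len"] = max(len(data) - 1 - size, 0)
        if op == 2 and size == 49 and len(data) >= 50:
            # Response value: peer challenge (16), reserved (8), NT-Response (24), flags (1)
            out["nt_response"] = data[25:49].hex()
    elif op in (3, 4):
        out["message"] = data.decode("ascii", "replace")
    return out


def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed in the debug log."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident,
           "length": length, "length_ok": length == len(raw)}
    if code not in (1, 2) or len(raw) < 5:
        return pkt  # EAP Success and Failure carry no Type field
    etype, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(etype, "Unknown(%d)" % etype)
    if etype in (13, 25) and body:
        pkt["flags"] = [name for bit, name in TLS_FLAGS if body[0] & bit]
        if body[0] & 0x80 and len(body) >= 5:
            pkt["tls_length"] = struct.unpack("!I", body[1:5])[0]
    elif etype == 26 and body:
        pkt.update(decode_mschapv2(body))
    return pkt


def peer_sent_failure_after_success(inner_messages):
    """True if an MS-CHAPv2 Success request is directly followed by a
    peer response whose OpCode is Failure instead of Success."""
    decoded = [decode_eap(m) for m in inner_messages]
    for sent, reply in zip(decoded, decoded[1:]):
        if (sent["code"] == "Request" and sent.get("opcode") == "Success"
                and reply["code"] == "Response"
                and reply.get("opcode") == "Failure"):
            return True
    return False


if __name__ == "__main__":
    for value in INNER_FROM_LOG:
        print(decode_eap(value))
    print("peer answered Success with Failure:",
          peer_sent_failure_after_success(INNER_FROM_LOG))
```
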