Help: 802.1x with freeRadius and mySql database
Xuan Sun
xuan.sun at seagate.com
Thu Nov 18 00:54:31 CET 2010
Hi Everyone,
I have set up freeRADIUS on an Ubuntu server 10.0.4. I also set up a Cisco
switch as a NAS and enabled 802.1x on the switch port. I used the
configuration files first (clients.conf, users). The 802.1x authentication just
works fine.
Then I started to use a MySQL database instead of clients.conf and users.
I followed the instructions from this link:
http://wiki.freeradius.org/SQL_HOWTO
I used the "radtest" command to test the username/password. It works fine.
Then I used the Cisco switch to test the username/password and NAS; it also
works fine.
But the 802.1x authentication does not work. Here is the output from
"freeradius -X":
Ready to process requests.
rad_recv: Access-Request packet from host 10.5.84.14 port 1645, id=213, length=265
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1A-6C-79-7F-89"
Calling-Station-Id = "00-18-8B-B2-74-CE"
EAP-Message = 0x0207006b190017030100603436ac7bdf2130158ce653dea69c9c5c155d4a677f8bf6a3330838e2ca749c29c00d7fef558443728826479cb9dbd75b4e3fc4e62b27ecc64a942b06784ae85df1499325a9c927f9e0de86a9989d7349874019e3a286ebb4ab95347d704aaf79
Message-Authenticator = 0x8a020beb0674cb778f3feb2400792a88
NAS-Port-Type = Ethernet
NAS-Port = 50107
NAS-Port-Id = "FastEthernet1/0/7"
State = 0xc7b0e155c2b7f81cdb855c0280b00b4a
[switch console output interleaved here: ...client (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E0000005E17970995]
NAS-IP-Address = 10.5.84.14
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
server {
PEAP: Setting User-Name to 83008
Sending tunneled request
[switch console output interleaved here: 020358: Nov 17 11:41:28.199 PST: %AUTHMGR-5-FAIL: Authorization failed for client (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E0000005E17970995]
EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "83008"
State = 0xe741fb76e746e148ba5c58c22edbac30
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "83008", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 83008 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
83008 is my user ID. Why does it try to use the MSCHAP module and NT-Password?
Here is the fradius database information in MySQL.
mysql> show tables;
+-------------------+
| Tables_in_fradius |
+-------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+-------------------+
8 rows in set (0.00 sec)
mysql> select * from nas;
+----+------------+-----------+-------+-------+--------+-----------+---------------+
| id | nasname    | shortname | type  | ports | secret | community | description   |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
|  2 | 10.5.84.14 | lab-3750b | cisco |  NULL | spl00t | NULL      | RADIUS Client |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
1 row in set (0.00 sec)
mysql> select * from radcheck;
+----+----------+--------------------+----+------------+
| id | username | attribute          | op | value      |
+----+----------+--------------------+----+------------+
|  1 | sqltest  | Password           | == | testpwd    |
|  2 | 83008    | Cleartext-Password | := | testing123 |
+----+----------+--------------------+----+------------+
2 rows in set (0.00 sec)
mysql> select * from radreply;
+----+----------+--------------+----+-------------------+
| id | username | attribute    | op | value             |
+----+----------+--------------+----+-------------------+
|  2 | 83008    | cisco-avpair | =  | shell:priv-lvl=15 |
+----+----------+--------------+----+-------------------+
1 row in set (0.00 sec)
The other tables are empty.
Thanks for taking a look.
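Added example, not part of the original post or of the FreeRADIUS project: a small Python script that walks "freeradius -X" output, records which modules ran (and what they returned) in each virtual server's authorize and authenticate sections, and for every "No Cleartext-Password" / "No NT/LM-Password" complaint reports which authorize modules ran in that same virtual server and whether any module that can load a password into the request (sql, ldap, files; an indicative list assumed here, not a FreeRADIUS constant) returned ok or updated. Run on a constructed excerpt of the debug output above, it shows that in server inner-tunnel the authorize section ran chap, mschap, unix, suffix, control, eap, files, expiration, logintime and pap, that none of those found a password for 83008, and that no sql module ran in that server at all, which is the state mschap complains about when MS-CHAPv2 runs inside the PEAP tunnel.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "freeradius -X" output quoted in the post
# (hex blobs, attribute dumps and the interleaved switch syslog lines removed).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.5.84.14 port 1645, id=213, length=265
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Session established. Decoding tunneled attributes.
PEAP: Setting User-Name to 83008
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[suffix] returns noop
++[control] returns noop
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 83008 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
Failed to authenticate the user.
"""

SERVER_RE = re.compile(r"^server\s+([\w.-]*)\s*\{")       # "server inner-tunnel {"
SERVER_END_RE = re.compile(r"^\}\s*#\s*server")            # "} # server inner-tunnel"
GROUP_RE = re.compile(r"^\+- entering group ([\w-]+)")     # "+- entering group authorize {...}"
MODULE_RE = re.compile(r"^\++\[([\w-]+)\] returns (\w+)")  # "++[sql] returns ok"
NOPASS_RE = re.compile(r"^\[([\w-]+)\] .*\bNo (?:Cleartext-Password|NT/LM-Password)\b")

# Modules that can put a password attribute into the request's control list
# during authorize. Assumption for this example: indicative, not exhaustive.
PASSWORD_SOURCES = {"sql", "ldap", "files"}


def parse_debug(text):
    """Return ({(server, section): [(module, rcode), ...]},
               [(server, section, module, line), ...] for password complaints)."""
    runs = defaultdict(list)
    complaints = []
    servers = ["default"]   # stack of virtual servers; the outer request is "default"
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            servers.append(m.group(1) or "default")
            continue
        if SERVER_END_RE.match(line) and len(servers) > 1:
            servers.pop()
            continue
        m = GROUP_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m and section:
            runs[(servers[-1], section)].append((m.group(1), m.group(2)))
            continue
        m = NOPASS_RE.match(line)
        if m and section:
            complaints.append((servers[-1], section, m.group(1), line))
    return runs, complaints


def diagnose(text):
    """For each 'no password' complaint, show what authorize did in that server."""
    runs, complaints = parse_debug(text)
    findings = []
    for server, section, module, line in complaints:
        authorize = runs.get((server, "authorize"), [])
        ran = [mod for mod, _ in authorize]
        # A source that found the user returns ok/updated; noop/notfound means it
        # ran but supplied nothing for this User-Name.
        matched = [mod for mod, rc in authorize
                   if mod in PASSWORD_SOURCES and rc in ("ok", "updated")]
        findings.append({
            "server": server, "section": section, "module": module, "line": line,
            "authorize_modules": ran,
            "password_sources_that_matched": matched,
            "password_sources_not_run": sorted(PASSWORD_SOURCES - set(ran)),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG):
        print(f"{f['server']}/{f['section']}: {f['line']}")
        print("  authorize ran:", ", ".join(f["authorize_modules"]))
        print("  password sources that matched:", f["password_sources_that_matched"] or "none")
        print("  password sources never run here:", f["password_sources_not_run"])
```

Feed it a real capture with `diagnose(open("debug.log").read())`; the useful line in the output is the last one, since a SQL-backed user can only be authenticated by mschap if a module that reads the radcheck table actually ran in the inner-tunnel authorize section and returned ok or updated.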