ERROR in the EAP/PEAP test of eapol_test

xuyu xuyubupt at gmail.com
Sun Apr 10 16:23:09 CEST 2011


Hi ! I meet a ERROR in the test of EAP/PEAP
" radtest sqluser 123 localhost 1812 testing123 " is OK
 ,I just delete the # before 'eap' in radiusd.conf and default files.
the test  eapol_test -c peap.txt -s testing123

my peap.txt is
network={
	eap=PEAP
	eapol_flags=0
	key_mgmt=IEEE8021X
	identity="sqluser"
	password="123"
	ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
	phase2="auth=MSCHAPV2"
	anonymous_identity="anonymous"
}

The result is(too long I cut it,all the messages which contain
'fail'and'warning' are here)

rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=0, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000e01616e6f6e796d6f7573
	Message-Authenticator = 0x028746a6804037ea96543cd3853748ca
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] 	expand: %{User-Name} -> anonymous
[sql] sql_set_user escaped user --> 'anonymous'
rlm_sql (sql): Reserving sql socket id: 3

……

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 40004
	EAP-Message = 0x010100160410d8844619dd6d7c77c5de455754592c0b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2e0cc3a22e0dc751cc2cadc82e7658db
Finished request 1

.……

rlm_sql (sql): Released sql socket id: 2
[sql] User anonymous not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 40004
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2e0cc3a22f0eda51cc2cadc82e7658db
Finished request 2.
Going to the next request

……

Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 40004
	EAP-Message = 0x0103040019c000000ab416030100310200002d03014da1adfaa31490e821fdfa4885df0c8fc2d0ddd363a209a6143ab7d68062c397000039010005ff01000100160301085e0b00085a0008570003a6308203a23082028

……

[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled

……

# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020800421a0208003d318e803c23b5c6b460818c1e4b130f8f380000000000000000c8a4e6213ba5a367e9b0f70e15b31f87b770936006d21fa70073716c75736572
server  {
  PEAP: Setting User-Name to sqluser
Sending tunneled request
	EAP-Message = 0x020800421a0208003d318e803c23b5c6b460818c1e4b130f8f380000000000000000c8a4e6213ba5a367e9b0f70e15b31f87b770936006d21fa70073716c75736572
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "sqluser"
	State = 0xf9185daef910470fecfcaff659a7b6a6
server inner-tunnel {
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sqluser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sqluser
[mschap] Told to do MS-CHAPv2 for sqluser with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\010E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 40004
	EAP-Message = 0x0109003b190017030100302ab43a32e6ec7ff42289efbdfda591f3a3562799d9559589146b128457125284645e7d72ef66bb121d8dbb003bdab8ab
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2e0cc3a22605da51cc2cadc82e7658db
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=9, length=226
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0209006019001703010020b314a72f4acdfaf2dd08dcf94fd6c7082929e8fd0472499fb3f0ba7b79cae39517030100300bbd73ce8691181df7af8f7caabe39c7c75fa967f055a40ba68caf2780dbcf60a2f6b8be08e9d789e433758deacb3e88
	State = 0x2e0cc3a22605da51cc2cadc82e7658db
	Message-Authenticator = 0x6b7fca3ade7064bc39fb78dc05a9d319
# Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the
debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 9 to 127.0.0.1 port 40004
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.

can somebody give me a hand .
best regards.
thank you!




More information about the Freeradius-Users mailing list