Freeradius SQL: PEAP: Tunneled authentication was rejected.
chris
rocksie at gmx.de
Thu Jan 27 21:52:39 CET 2011
Hi,
I prepared FreeRADIUS with EAP/PEAP and the users file, and that works fine.
Now I have set up an SQL database.
I can use radtest or radeapclient to check the user and password in the
database, and it works fine,
but if I try to connect to FreeRADIUS the request is rejected and I
have no idea why.
So if you can give me some hints, you are welcome...
Here is the reject:
PEAP: Tunneled authentication was rejected.
Here is the complete debug log:
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=0,
length=194
Message-Authenticator = 0x6462a3c080bc0ee0af1d99a080b2d335
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000c0173716c75736572
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
expand: %{User-Name} -> sqluser
rlm_sql (sql): sql_set_user escaped user --> 'sqluser'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'sqluser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'sqluser' ORDER BY
id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'sqluser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'sqluser' ORDER BY
id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'sqluser'
ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'sqluser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.50 port 1037
EAP-Message = 0x01010016041056977865b8f38f672c99a5c049338698
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaeff0727198f0e801bd7f42f1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=1,
length=206
Message-Authenticator = 0x97148f06ecd1d47d289947214042b441
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaeff0727198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
expand: %{User-Name} -> sqluser
rlm_sql (sql): sql_set_user escaped user --> 'sqluser'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'sqluser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'sqluser' ORDER BY
id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'sqluser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'sqluser' ORDER BY
id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'sqluser'
ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'sqluser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.0.50 port 1037
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaeef36f7198f0e801bd7f42f1
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=2,
length=337
Message-Authenticator = 0xf06fbed85cd7d6f9a7b00bc67df6ba87
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaeef36f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x020200891900160301007e0100007a03014d41cf9c8c7503cfc4ac02ba74ce4c6a5b185d8c7ea7574f4d7b354e60026c0a2067de91fbb878785f4a07
302074edf8ef6ade9886e8f9428ecc0d84247b18c57f003200390038003500880087008400160013000a00330032002f004500440041000500040015001200090014001100080006
0003020100
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 137
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 007e], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.0.50 port 1037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaedf26f7198f0e801bd7f42f1
Finished request 2.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=3,
length=206
Message-Authenticator = 0xc0236583fb6cc1eff4e3692386b05cd5
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaedf26f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.0.50 port 1037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaecf56f7198f0e801bd7f42f1
Finished request 3.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=4,
length=206
Message-Authenticator = 0x28863aba9a3b7269b75e881aada8a924
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaecf56f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.50 port 1037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaebf46f7198f0e801bd7f42f1
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=5,
length=404
Message-Authenticator = 0x63c5e1ff1a1d9df1b0bbdad7714b8c9a
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaebf46f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x020500cc19001603010086100000820080a5a12e9fb29344c07d155ed199dce1f532ec737a672c18187595b8a616d7006dddbfd6f9bb3460dafac218
b07e5ce0fa0bdf78bf0a2af0259a3fe1aa31c1f4297fc1a2df94ae090a7e9f4ff5296baae51ca8d7b99f98361e8f33943e8473d6c713461f26f8263a1effe2887e6e417e106522ae
35bf38844286cec0bdba5df74614030100010116030100301fcbd83169e23e468af5113d1eef78760b4ec6de5f4d18548159af3a0a914df0c65ac7493db98a95ff31816202441083
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 204
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.0.50 port 1037
EAP-Message =
0x010600411900140301000101160301003084f98267ce99a87e36417d12793cd01d1320e28f73eed0b310fe35e98fb08f638aa96e46f1173378a09936
14cba69952
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eaeaf76f7198f0e801bd7f42f1
Finished request 5.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=6,
length=206
Message-Authenticator = 0xbb693480b8c053732ac09c3354cddf7d
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eaeaf76f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020600061900
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.0.50 port 1037
EAP-Message =
0x0107002b19001703010020132e756d08ced7e45da425ed9248e8578c3988d758aeca13d08753171d6288fd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eae9f66f7198f0e801bd7f42f1
Finished request 6.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=7,
length=296
Message-Authenticator = 0xa6e6a2d92ae86919ede0b3fbf1d3588a
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eae9f66f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0207006019001703010020f23c5c5bff65e357c1d04750e77a02a3018ec1e29f452f8b40744b4a781f41a6170301003087cb3edea87d9ae896ee6a1b
a1f110beaae1ac3fd3b15e17511bde8ee9f19afd54ef63376f466842f3662048ee5485f7
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 7 length 96
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - sqluser
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0207000c0173716c75736572
PEAP: Got tunneled identity of sqluser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to sqluser
PEAP: Sending tunneled request
EAP-Message = 0x0207000c0173716c75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sqluser"
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 7 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0b632abc0be28c6482b7cb6c82ab8d2
PEAP: Processing from tunneled session code 0x81bd2b0 11
EAP-Message =
0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0b632abc0be28c6482b7cb6c82ab8d2
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.0.50 port 1037
EAP-Message =
0x0108004b190017030100402003024634e4f8ec66529bbf55bbcbdf55e9b2de71df4307a92425182981824df1d671e2cc670be268bf621066d6d46388
0ac2ebe173ac6cf5d2ad2a927172c6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eae8f96f7198f0e801bd7f42f1
Finished request 7.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=8,
length=344
Message-Authenticator = 0x6d830a81d5020493951deab84388b73b
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eae8f96f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0208009019001703010020fd154ad5033bc10deb9affe6269fbb4e011fb48b4955855c6d1a6cb884edc9fb1703010060325cf7f4956a0f450c4124d0
eadcfc46b3f7346bd768d367985c39b79d8ade99e37783cb5ddc062e795602cd3b965a3cc446365ea8cd6fc1dd7c98a6d11921c9018c77621c798adbbe1711e4100e3e341de47b09
28105cb056ea7dcf93e5ad68
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 144
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message =
0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073
716c75736572
PEAP: Setting User-Name to sqluser
PEAP: Sending tunneled request
EAP-Message =
0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073
716c75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sqluser"
State = 0xc0b632abc0be28c6482b7cb6c82ab8d2
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 8 length 66
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client
dlink-private-network port 0 via TLS tunnel)
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x81bd288 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.0.50 port 1037
EAP-Message =
0x0109003b1900170301003034751d74d2db85e76a4a09990bc079aabf886c33adbae4de36aa4b998d1437564e312ceb4f3ef2e602a0ec1b74c34c8b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xeff176eae7f86f7198f0e801bd7f42f1
Finished request 8.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=9,
length=296
Message-Authenticator = 0xcf9f988ac3da6a9784a700bd6e8bd235
Service-Type = Framed-User
User-Name = "sqluser"
Framed-MTU = 1488
State = 0xeff176eae7f86f7198f0e801bd7f42f1
Called-Station-Id = "F0-7D-68-17-D4-39:dlink"
Calling-Station-Id = "00-18-DE-E1-85-89"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0209006019001703010020b4f42681cb8004c329ba3e6eb3f20af6ab64a075776fd142c83e827add1a8e531703010030f9a9c64a35e6e5b5327b4c2e
91499e1a3897f2202d67ff4db4b2e03510edaa39019a712075a32f6ef78368edcc2e3bb6
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 96
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this
session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client
dlink-private-network port 1 cli 00-18-DE-E1-85-89)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> sqluser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 192.168.0.50 port 1037
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Cleaning up request 0 ID 0 with timestamp +24
Cleaning up request 1 ID 1 with timestamp +24
Waking up in 0.3 seconds.
Cleaning up request 2 ID 2 with timestamp +24
Cleaning up request 3 ID 3 with timestamp +24
Cleaning up request 4 ID 4 with timestamp +24
Waking up in 0.1 seconds.
Cleaning up request 5 ID 5 with timestamp +24
Cleaning up request 6 ID 6 with timestamp +24
Cleaning up request 7 ID 7 with timestamp +24
Cleaning up request 8 ID 8 with timestamp +24
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +24
Ready to process requests.
Tell me if you need more information.
thx
Chris
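
Added example (not part of the original post, and not FreeRADIUS code): a small Python checker for debug output like the log above. It records which modules ran in the authorize group of each virtual server and reports an SQL module instance that found the user in one server but never ran in the server where rlm_mschap reported having no password. The function names are my own, and the sample log is abridged from the lines in the post.

```python
import re
from collections import defaultdict

# Abridged from the debug output in the post above; no new data is introduced.
SAMPLE_LOG = """\
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns updated
++[files] returns noop
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group authenticate
++[eap] returns handled
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[suffix] returns noop
++[control] returns noop
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group authenticate
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
PEAP: Tunneled authentication was rejected.
"""

SERVER_OPEN_RE = re.compile(r"^\s*server\s+(\S+)\s*\{")
SERVER_CLOSE_RE = re.compile(r"^\s*\}\s*#\s*server\s+\S+")
GROUP_RE = re.compile(r"^\s*\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\s*\+\+\[([^\]]+)\] returns (\w+)")
USER_FOUND_RE = re.compile(r"rlm_sql \(([^)]+)\): User found in \w+ table")
NO_PASSWORD_RE = re.compile(
    r"rlm_mschap: (?:No Cleartext-Password configured|FAILED: No NT/LM-Password)"
)


def parse(log):
    """Walk the log once, tracking the current virtual server and group."""
    calls = defaultdict(list)  # (server, group) -> [(module, result), ...]
    user_found = set()         # (server, sql instance) that located the user
    no_password = set()        # servers where rlm_mschap had no password
    server, group = "outer", None
    for line in log.splitlines():
        m = SERVER_OPEN_RE.match(line)
        if m:
            server, group = m.group(1), None
            continue
        if SERVER_CLOSE_RE.match(line):
            server, group = "outer", None
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m:
            calls[(server, group)].append((m.group(1), m.group(2)))
            continue
        m = USER_FOUND_RE.search(line)
        if m:
            user_found.add((server, m.group(1)))
        if NO_PASSWORD_RE.search(line):
            no_password.add(server)
    return calls, user_found, no_password


def authorize_modules(log, server):
    """Names of the modules that ran in `server`'s authorize group, in order."""
    calls, _, _ = parse(log)
    return [mod for mod, _ in calls[(server, "authorize")]]


def diagnose(log):
    """Report SQL instances that found the user elsewhere but did not run
    in the authorize group of the server where MS-CHAP had no password."""
    calls, user_found, no_password = parse(log)
    findings = []
    for failing in sorted(no_password):
        ran = {mod for mod, _ in calls[(failing, "authorize")]}
        for src_server, instance in sorted(user_found):
            if src_server != failing and instance not in ran:
                findings.append({
                    "server": failing,
                    "missing_module": instance,
                    "user_found_in": src_server,
                })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("%(server)s: authorize never ran '%(missing_module)s' "
              "(user was found by it in %(user_found_in)s)" % f)
```
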