EAP authentication stopped working

larry tembu larrytembu at yahoo.com
Sat May 4 10:03:19 CEST 2013


Hi Freeradius users,
i have FR freeradius-2.2.0-0.fc17.i686 set up on fedora 17 machine. the wimax clients are supplying EAPttls Mschapv2 for authentication. a few weeks ago, the configuration was working and authenticating, but it suddenly stopped. the users are created in the users file and below is the  radiusd -X output. any more info required will be promptly provided. could someone help me out on this? the wimax system is 4M alvarion and the CPe are well configured.
      ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 46422
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=153, length=196
        User-Name = "{sm=1}rawlacurone at adn.com"
        EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
        Message-Authenticator = 0x39a7eb8d6128461e0fa6caf5dd5c26c3
        NAS-Identifier = "201"
        NAS-IP-Address = 11.0.0.205
        Calling-Station-Id = "AC-81-12-78-CA-6E"
        WiMAX-BS-Id = 0xfff329010102
        NAS-Port-Type = Wireless-802.16
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 256
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = IP-Session-Based
        WiMAX-Attr-1793 = 0x0000028a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log]      expand: %t -> Wed May  1 17:46:27 2013
++[auth_log] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> {sm=1}rawlacurone at adn.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 153 to 11.0.0.205 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +1
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=154, length=196
        User-Name = "{sm=1}rawlacurone at adn.com"
        EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
        Message-Authenticator = 0x0ddedece670902a6348d2b16c392c015
        NAS-Identifier = "201"
        NAS-IP-Address = 11.0.0.205
        Calling-Station-Id = "AC-81-12-78-CA-6E"
        WiMAX-BS-Id = 0xfff329010102
        NAS-Port-Type = Wireless-802.16
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 256
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = IP-Session-Based
        WiMAX-Attr-1793 = 0x0000028a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log]      expand: %t -> Wed May  1 17:46:35 2013
++[auth_log] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> {sm=1}rawlacurone at adn.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 154 to 11.0.0.205 port 1812
Waking up in 4.9 seconds.
Cleaning up request 1 ID 154 with timestamp +9
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=155, length=196
        User-Name = "{sm=1}rawlacurone at adn.com"
        EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
        Message-Authenticator = 0x8cbc1a4105e88c044aaa7a95df6dc98a
        NAS-Identifier = "201"
        NAS-IP-Address = 11.0.0.205
        Calling-Station-Id = "AC-81-12-78-CA-6E"
        WiMAX-BS-Id = 0xfff329010102
        NAS-Port-Type = Wireless-802.16
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 256
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = IP-Session-Based
        WiMAX-Attr-1793 = 0x0000028a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log]      expand: %t -> Wed May  1 17:46:43 2013
++[auth_log] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> {sm=1}rawlacurone at adn.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 155 to 11.0.0.205 port 1812
Waking up in 4.9 seconds.
Cleaning up request 2 ID 155 with timestamp +17
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=157, length=196
        User-Name = "{sm=1}rawlacurone at adn.com"
        EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
        Message-Authenticator = 0xd84871a21825f994c68593b4d78ca653
        NAS-Identifier = "201"
        NAS-IP-Address = 11.0.0.205
        Calling-Station-Id = "AC-81-12-78-CA-6E"
        WiMAX-BS-Id = 0xfff329010102
        NAS-Port-Type = Wireless-802.16
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 256
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = IP-Session-Based
        WiMAX-Attr-1793 = 0x0000028a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
[auth_log]      expand: %t -> Wed May  1 17:46:50 2013
++[auth_log] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> {sm=1}rawlacurone at adn.co
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 157 to 11.0.0.205 port 1812
Waking up in 4.9 seconds.
^C
[root at adn larry]#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130504/da210092/attachment-0001.html>


More information about the Freeradius-Users mailing list