Freeradius reply attribute problem when using PEAP

Alan DeKok aland at
Sat Aug 9 16:53:25 CEST 2014

Terry Kantorowski wrote:
> Per your request. I have included the debug output from freeradius.
> You will see that my test user "rickjames" authenticates just fine.
> The problem I am having is that the attribute value pairs for his
> group are not passed and so he never actually "connects" to the
> wireless network. The AVPs are missing when I try to connect with a
> device using PEAP, but present when I force connect with TTLS. I did
> not see this until I ran tcpdump.

  Which is why all of the documentation tells you to run the server in
debugging mode, and to read the output.

> Thanks for taking the time to look at this.

  It should be pretty clear from the output.  There's a lot of it, but
reading it is simple.

> (11)  eap_peap : Got tunneled reply code 2
>         MS-MPPE-Encryption-Policy = Encryption-Allowed
>         MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
>         MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2
>         MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3
>         EAP-Message = 0x030b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = 'rickjames'

  So... no authorization attributes are in the tunnel.

  Fix that.

  Alan DeKok.

More information about the Freeradius-Users mailing list