Help Please

Adam Schappell aschappell at clearedgeit.com
Thu Mar 26 17:51:06 CET 2015


Ok I figured all that out, supposedly does not like the APs connecting to
different subnets which is not going to go over well with my DMZ. But now I
am getting a reject error when authenticating to wifi. Here is debug output.

[peap] Got inner identity 'CORP\aschappell'

[peap] Setting default EAP type for tunneled EAP session.

[peap] Got tunneled request

EAP-Message = 0x0217001401434f52505c61736368617070656c6c

server  {

[peap] Setting User-Name to CORP\aschappell

Sending tunneled request

EAP-Message = 0x0217001401434f52505c61736368617070656c6c

FreeRADIUS-Proxied-To = 127.0.0.1

User-Name = "CORP\\aschappell"

server inner-tunnel {

  WARNING: Empty authorize section.  Using default return values.

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

Failed to authenticate the user.

Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS
tunnel)

} # server inner-tunnel

[peap] Got tunneled reply code 3

[peap] Got tunneled reply RADIUS code 3

[peap] Tunneled authentication was rejected.

[peap] FAILURE

++[eap] returns handled

Sending Access-Challenge of id 54 to 10.0.1.149 port 32781

EAP-Message =
0x0118002b190017030100201647053fbeb14c32719744432002a54c459f497b2e32754269e04e1066211a2d

Message-Authenticator = 0x00000000000000000000000000000000

State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d

Finished request 55.

Going to the next request

Waking up in 4.4 seconds.

rad_recv: Access-Request packet from host 10.0.1.149 port 32781, id=55,
length=231

User-Name = "CORP\\aschappell"

NAS-IP-Address = 10.0.1.149

NAS-Identifier = "24a43c105cfc"

NAS-Port = 0

Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP"

Calling-Station-Id = "C8-BC-C8-C0-1D-A7"

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

Connect-Info = "CONNECT 0Mbps 802.11b"

EAP-Message =
0x0218002b190017030100207c934f93a305a368e73e4b44d84d62b6006059b4228216bc5a70d117bf0a88e7

State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d

Message-Authenticator = 0x51c3c60a40d2995b5f14141e055f0950

# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 24 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state send tlv failure

[peap] Received EAP-TLV response.

[peap]  The users session was previously rejected: returning reject (again.)

[peap]  *** This means you need to read the PREVIOUS messages in the debug
output

[peap]  *** to find out the reason why the user was rejected.

[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.

[peap]  *** what went wrong, and how to fix the problem.

[eap] Handler failed in EAP/peap

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 cli
C8-BC-C8-C0-1D-A7)

Using Post-Auth-Type Reject

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group REJECT {...}

[attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 56 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 56

Sending Access-Reject of id 55 to 10.0.1.149 port 32781

EAP-Message = 0x04180004

Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.4 seconds.

Cleaning up request 49 ID 48 with timestamp +214

Waking up in 0.4 seconds.

Cleaning up request 50 ID 49 with timestamp +215

Cleaning up request 51 ID 50 with timestamp +215

Cleaning up request 52 ID 51 with timestamp +215

Cleaning up request 53 ID 52 with timestamp +215

Cleaning up request 54 ID 53 with timestamp +215

Cleaning up request 55 ID 54 with timestamp +215

Waking up in 1.0 seconds.

Cleaning up request 56 ID 55 with timestamp +215

Ready to process requests.

Adam Schappell
System Administrator II
Clearedge IT Solutions, LLC
10620 Guilford Road
Jessup, MD 20794
Office:443-212-4712
Fax:443-212-4809
www.ClearEdgeIT.com <http://www.clearedgeit.com/>


On Thu, Mar 26, 2015 at 12:38 PM, Matthew Newton <mcn4 at leicester.ac.uk>
wrote:

> On Thu, Mar 26, 2015 at 12:21:19PM -0400, Adam Schappell wrote:
> > Yes so I am not getting any traffic going to radius server from the AP
> > server, I disabled firewall and everything. Something is not right lol
>
> Sounds like you need to fix that first then. Unlikely to be
> something anyone here can help with.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
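
Added example, not part of the original post or of FreeRADIUS: the EAP-Message hex strings in the debug output above can be decoded to confirm what each packet carries. The function name `decode_eap` and the constant names are illustrative, and the sketch assumes each EAP packet fits in a single EAP-Message attribute.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2", 33: "EAP-TLV"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# EAP-Message values copied from the debug output above
INNER_IDENTITY = "0x0217001401434f52505c61736368617070656c6c"
PEAP_CHALLENGE = ("0x0118002b190017030100201647053fbeb14c32719744432002a54c"
                  "459f497b2e32754269e04e1066211a2d")
FINAL_REJECT = "0x04180004"


def decode_eap(hexval):
    """Decode one complete EAP packet from an 'EAP-Message = 0x...' value."""
    raw = bytes.fromhex(hexval[2:] if hexval.lower().startswith("0x") else hexval)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Assumption: the packet was not fragmented across several attributes
        raise ValueError(f"EAP length {length} != {len(raw)} bytes supplied")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out  # Success/Failure carry no type or data
    etype, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif etype == 25 and body:
        flags, tls = body[0], body[1:]
        out["flags"] = flags
        if flags & 0x80:          # L bit: 4-byte total TLS length precedes the data
            tls = tls[4:]
        if len(tls) >= 5:         # TLS record header: type, version, length
            ctype, ver, rlen = struct.unpack("!BHH", tls[:5])
            out["tls_record"] = {
                "content_type": TLS_CONTENT.get(ctype, ctype),
                "version": f"{ver >> 8}.{ver & 0xFF}",   # 3.1 is TLS 1.0
                "length": rlen,
            }
    return out


if __name__ == "__main__":
    for value in (INNER_IDENTITY, PEAP_CHALLENGE, FINAL_REJECT):
        print(decode_eap(value))
```

The inner identity decodes to `CORP\aschappell`, and the challenge carries a TLS application-data record, so the reject is generated inside the already established PEAP tunnel rather than during the TLS handshake.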

