your mail
Daniel Lopez
danilogo1991 at gmail.com
Mon Nov 2 17:08:20 CET 2015
Hi Matthew, thanks for your response. I see I can't match Auth-Type Accept
with EAP; I did it because when I set Auth-Type EAP the server also returns
an error.
My previous configuration was
Auth-type := EAP
My NAS is a TP-Link N750 access point. I configured it with WPA2 Enterprise, AES
encryption, GKUP = 30.
So when I try to connect with this configuration I receive the following
output:
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=9, length=206
User-Name = "daniel"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "EC-0E-C4-12-81-3F"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0209002b19001703010020e2655cfae9bba34897cb25ced3d5addeba14dd79244d067a52920706cecd672b
State = 0xf9d08276fed99b298671c9ec938c6074
Message-Authenticator = 0x2a7334490eba3ac3d0321067d0fc8eef
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "daniel", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
*[peap] Peap state send tlv failure*
*[peap] Received EAP-TLV response.*
*[peap] The users session was previously rejected: returning reject (again.)*
*[peap] *** This means you need to read the PREVIOUS messages in the debug output*
*[peap] *** to find out the reason why the user was rejected.*
*[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.*
*[peap] *** what went wrong, and how to fix the problem.*
*[eap] Handler failed in EAP/peap*
*[eap] Failed in EAP select*
*++[eap] returns invalid*
*Failed to authenticate the user*.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> daniel
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 9 to 10.25.4.250 port 44145
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
What am I doing wrong? What am I missing?
Thanks again
2015-10-30 18:02 GMT-04:00 Matthew Newton <mcn4 at leicester.ac.uk>:
> On Fri, Oct 30, 2015 at 04:38:18PM -0400, Daniel Lopez wrote:
> > The user "daniel" belongs to usergroup "wifi". In radgroupcheck I set the
> > attribute Auth-Type := Accept for the group "wifi". When I try to connect
> > from the terminal, the server returns an Access-Accept message; however, I
> > still can't connect. The screen of my device shows an eternal loop trying to
> > connect, but it never does.
>
> Configure the eap module properly for your situation.
>
> You can't just return an access-accept for eap; without the
> correct handshakes between the client and the RADIUS server it
> won't work, just like you've discovered.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
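
Added example, not part of the original message or of FreeRADIUS: a small decoder for the two EAP-Message values in the debug output above, using the standard EAP header layout (code, identifier, length, type) and the L/M/S flag byte shared by the TLS-based EAP methods. The function and constant names are chosen here for illustration.

```python
import struct

# Values copied from the debug output above.
REQUEST_EAP = "0x0209002b19001703010020e2655cfae9bba34897cb25ced3d5addeba14dd79244d067a52920706cecd672b"
REJECT_EAP = "0x04090004"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def tls_records(body):
    """Return (content type, version, length) for each TLS record header in body."""
    records, off = [], 0
    while off + 5 <= len(body):
        ctype, version, rlen = struct.unpack("!BHH", body[off:off + 5])
        records.append((TLS_CONTENT.get(ctype, ctype), TLS_VERSIONS.get(version, hex(version)), rlen))
        off += 5 + rlen  # a fragmented message (M flag) may end mid-record
    return records


def parse_eap(hex_value):
    """Decode an EAP-Message attribute value as printed by the server (hex, optional 0x)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type in (13, 21, 25) and length > 5:  # TLS-based methods
            flags = raw[5]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            start = 10 if flags & 0x80 else 6  # L set: 4-byte TLS message length follows
            pkt["tls_records"] = tls_records(raw[start:])
    return pkt


if __name__ == "__main__":
    print(parse_eap(REQUEST_EAP))
    print(parse_eap(REJECT_EAP))
```

The request decodes to a PEAP Response (id 9, length 43) carrying one TLS application_data record, so the tunnel was already established in this packet, and the reply is a bare EAP Failure; the inner-method rejection the log refers to happened in an earlier round trip.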