your mail

Daniel Lopez danilogo1991 at gmail.com
Mon Nov 2 17:08:20 CET 2015


Hi Matthew, thanks for your response, I see i can't match Auth-type accept
with EAP, i did it because when I set auth-type EAP server also returns
error.
My previous configuration was
Auth-type := EAP

My NAS is a tp-link n750 access point, I configure it WPA2 enterprise, AES
encryption, GKUP = 30
 So when I try to connect with this configuration I receive the following
output:

rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=9,
length=206

        User-Name = "daniel"

        NAS-IP-Address = 192.168.0.1

        NAS-Port = 0

        Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"

        Calling-Station-Id = "EC-0E-C4-12-81-3F"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 0Mbps 802.11"

        EAP-Message =
0x0209002b19001703010020e2655cfae9bba34897cb25ced3d5addeba14dd79244d067a52920706cecd672b

        State = 0xf9d08276fed99b298671c9ec938c6074

        Message-Authenticator = 0x2a7334490eba3ac3d0321067d0fc8eef

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "daniel", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 9 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

*[peap] Peap state send tlv failure*

*[peap] Received EAP-TLV response.*

*[peap]  The users session was previously rejected: returning reject
(again.)*

*[peap]  *** This means you need to read the PREVIOUS messages in the debug
output*

*[peap]  *** to find out the reason why the user was rejected.*

*[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.*

*[peap]  *** what went wrong, and how to fix the problem.*

*[eap] Handler failed in EAP/peap*

*[eap] Failed in EAP select*

*++[eap] returns invalid*

*Failed to authenticate the user*.

Using Post-Auth-Type Reject

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> daniel

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 8 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 8

Sending Access-Reject of id 9 to 10.25.4.250 port 44145

        EAP-Message = 0x04090004

        Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.7 seconds.


What i'm doing wrong? What i'm missing?

Thanks again

2015-10-30 18:02 GMT-04:00 Matthew Newton <mcn4 at leicester.ac.uk>:

> On Fri, Oct 30, 2015 at 04:38:18PM -0400, Daniel Lopez wrote:
> > The user "daniel" belongs to usergroup "wifi". In radgroupcheck I set the
> > attribute Auth-Type := Accept for the group "wifi". When I try  to
> connect
> > from the terminal, server returns an Access-accept message, but however i
> > can't still connect, screen of my device shows an eternal loop trying to
> > connect but it doesn't do.
>
> Configure the eap module properly for your situation.
>
> You can't just return an access-accept for eap; without the
> correct handshakes between the client and the RADIUS server it
> won't work, just like you've discovered.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list