freeradius sql MD5-Password pap fails

Jan-Christoph Fuchs jcfuchs at me.com
Thu Sep 29 13:32:19 CEST 2016


Hello Mailing-List Members,

I have managed to set up a freeradius server with a mysql backend. My Supplicants are TP-Link access points (will be exchanged for Unifi soon) with OpenWRT installed. Port-based authentication and dynamic VLAN assignment work. All passwords in the MySQL database are stored as Cleartext-Password. Everything works fine.

I have tested the environment with radtest and with smartphones and laptops via the access point.

Now I have changed the database table radcheck to store MD5-Password. Tests with radtest work, but live tests are rejected.

I really don't know much about protocols (pap, chap, eap and so on). Debugging freeradius told me that radtest uses pap, and the live test via the access point can't establish pap and uses something else.

Is there someone who can help me, please? The system is not live yet, so we can search for my fault, or I can also set up a new freeradius if troubleshooting ends up as a never-ending story :-)

Background: We are a BYOD school. If the solution is to install a protocol extension on every client of our students to achieve md5 passwords, then the project is not possible and I will keep Cleartext-Password.

Best Regards

Jan

If you want to see more output or config files, tell me and I will post them.


Here is the debug output:

rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=236, length=185
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x0286000b01467563687341
	Message-Authenticator = 0x819d0053ba71a3c1525673a983d95924
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 134 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] 	expand: %{User-Name} -> FuchsA
[sql] sql_set_user escaped user --> 'FuchsA'
rlm_sql (sql): Reserving sql socket id: 17
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'FuchsA'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'FuchsA'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'FuchsA'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'admin'           ORDER BY id
[sql] User found in group admin
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'admin'           ORDER BY id
rlm_sql (sql): Released sql socket id: 17
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 236 to 10.4.254.128 port 47333
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "250"
	EAP-Message = 0x01870016041036755ba251ac95120aa224d97bd61aa9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206da51747a13dedf79c550bd5
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=237, length=200
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028700080319152b
	State = 0x6d2213206da51747a13dedf79c550bd5
	Message-Authenticator = 0xdc30aaf425f5dabaa0472c254f5384b8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 135 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] 	expand: %{User-Name} -> FuchsA
[sql] sql_set_user escaped user --> 'FuchsA'
rlm_sql (sql): Reserving sql socket id: 16
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'FuchsA'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'FuchsA'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'FuchsA'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'admin'           ORDER BY id
[sql] User found in group admin
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'admin'           ORDER BY id
rlm_sql (sql): Released sql socket id: 16
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 237 to 10.4.254.128 port 47333
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "250"
	EAP-Message = 0x018800061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206caa0a47a13dedf79c550bd5
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=238, length=319
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x0288007f19800000007516030100700100006c030157eb768e89b2857cbe003d1389f98db48372a8570086886e7b71517d1a05be1400002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
	State = 0x6d2213206caa0a47a13dedf79c550bd5
	Message-Authenticator = 0x45280af78c56a967ba77f3210aa4fe44
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 136 length 127
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02ca], Certificate  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 238 to 10.4.254.128 port 47333
	EAP-Message = 0x0603551d1304023000300d06092a864886f70d01010b0500038201010059f5ccb527a5c95bd585d481cf2c0d940a2100bfe19c781f8fc6c9fe6ecf9581cc11899915a4a4a76f93ce5d9a27a1377e9f5b595d0c91b85158b46264b6bbf53d663f5972a29bb9ee27f94fa19c0e10cb315bbfff1a0b9dada6af7b44055bde3a97fce3d03d0e3d9dd2ca98d02899654c38e978067be45716b8095b7eec985ed5766a840d768fde1384f8d70c2b2b62f3bf1ce577e8c7e55870217ef8101973e33c417108d7645823438b1b637bf66d11755e23ccceabf7256480a3ce55f410d5479aa862e7cd048a3661213131c38bdcfae6a8223dbc92e680e4e8feee2c86
	EAP-Message = 0x9e950b6987abca735dd6656b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206fab0a47a13dedf79c550bd5
Finished request 30.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=239, length=198
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028900061900
	State = 0x6d2213206fab0a47a13dedf79c550bd5
	Message-Authenticator = 0x7e55a5a478220f8876242bc4959696cd
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 137 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 239 to 10.4.254.128 port 47333
	EAP-Message = 0x018a007619000822c25dfccbe32a0f8e5d315cbeb3f24eda13493ae01b43ca705bfd836af6a8ac776f2152e0481330415ba2b210ef511fd77d1c99a915e5624ce91cb979472e0117e1f9abeee7791ef4bbf951f30d85246f947afe66649ba8497178fb9172a8951fb621fbcc4416030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206ea80a47a13dedf79c550bd5
Finished request 31.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=240, length=336
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028a00901980000000861603010046100000424104acff38e6d2efbb463eb192cbfd1960fc9726ecd13a153cfa0a86e678bcc4c07b968b58bad98e7ede0da65e40e22443b1243af69357374a908aa0eaaa8189bcbe140301000101160301003047da577f491a90ecf37d4971f3fbf1b674805e3211566f9a18a7d8237f3434aca36930765161165150e20ee086fa47be
	State = 0x6d2213206ea80a47a13dedf79c550bd5
	Message-Authenticator = 0x01f653ca010fc02c1e138ba276e5028b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 138 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 240 to 10.4.254.128 port 47333
	EAP-Message = 0x018b004119001403010001011603010030754f1b44a5ef9a3eb053ca666d7928e0ec660a6761ee7d3cfe8502961adfdfb081f8e341bf29200b219a09d1b4f89b3a
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d22132069a90a47a13dedf79c550bd5
Finished request 32.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=241, length=198
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028b00061900
	State = 0x6d22132069a90a47a13dedf79c550bd5
	Message-Authenticator = 0x614e1872ae450f11e6193f10d89d1152
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 139 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 241 to 10.4.254.128 port 47333
	EAP-Message = 0x018c002b1900170301002040970fe4cdfce1c98d07750e9e8dfbfe6203c4c251f1c91f41a0a8c5af703471
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d22132068ae0a47a13dedf79c550bd5
Finished request 33.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=242, length=235
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028c002b19001703010020a4f6487c901e758952d4ebb8192b06a100c952c0f51cbf9075095376ce46d79d
	State = 0x6d22132068ae0a47a13dedf79c550bd5
	Message-Authenticator = 0x0d74a47e1f6a7da6ff1d1d56c9306c7f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 140 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - FuchsA
[peap] Got inner identity 'FuchsA'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x028c000b01467563687341
server  {
[peap] Setting User-Name to FuchsA
Sending tunneled request
	EAP-Message = 0x028c000b01467563687341
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "FuchsA"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 140 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] 	expand: %{User-Name} -> FuchsA
[sql] sql_set_user escaped user --> 'FuchsA'
rlm_sql (sql): Reserving sql socket id: 15
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'FuchsA'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'FuchsA'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'FuchsA'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'admin'           ORDER BY id
[sql] User found in group admin
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'admin'           ORDER BY id
rlm_sql (sql): Released sql socket id: 15
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "250"
	EAP-Message = 0x018d00201a018d001b10221b294c64d499b6034b7a226fd25479467563687341
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8847961788ca8c9cc6104708d23e8f0f
[peap] Got tunneled reply RADIUS code 11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "250"
	EAP-Message = 0x018d00201a018d001b10221b294c64d499b6034b7a226fd25479467563687341
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8847961788ca8c9cc6104708d23e8f0f
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 242 to 10.4.254.128 port 47333
	EAP-Message = 0x018d004b19001703010040f16b47ee01283d92c5211f2eba865c3cf690c5d8f379e6ceee8b650118294e59d208ef197054f33899aa42b3b5bb564c958de862da3e91f39a3855befbf2d416
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206baf0a47a13dedf79c550bd5
Finished request 34.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=243, length=299
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028d006b1900170301006032b97f11dad52cbaccf648b6e4c7e35fd590aa635a565d03d9c20b05c6e279f28ca0e9805a8fc5571a52378448b1e51fe1d64414e0a0d2e183a54ff7f8b97b31fe341b0a4b65f3a2c1d63dacb20e2c2b0aad4d3b77bcef5d7cc5ca14c78dbf67
	State = 0x6d2213206baf0a47a13dedf79c550bd5
	Message-Authenticator = 0x4d2fe674478a1905fc8bcb893ab44529
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 141 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x028d00411a028d003c318eac3750d1e862afbc3e94a20e35e8370000000000000000f60f6c1f11e9ecee306c68cb23756e67bd0c66735896eecf00467563687341
server  {
[peap] Setting User-Name to FuchsA
Sending tunneled request
	EAP-Message = 0x028d00411a028d003c318eac3750d1e862afbc3e94a20e35e8370000000000000000f60f6c1f11e9ecee306c68cb23756e67bd0c66735896eecf00467563687341
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "FuchsA"
	State = 0x8847961788ca8c9cc6104708d23e8f0f
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 141 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] 	expand: %{User-Name} -> FuchsA
[sql] sql_set_user escaped user --> 'FuchsA'
rlm_sql (sql): Reserving sql socket id: 14
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'FuchsA'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'FuchsA'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'FuchsA'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'admin'           ORDER BY id
[sql] User found in group admin
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'admin'           ORDER BY id
rlm_sql (sql): Released sql socket id: 14
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: FuchsA
[mschap] Client is using MS-CHAPv2 for FuchsA, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> FuchsA
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\215E=691 R=1"
	EAP-Message = 0x048d0004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\215E=691 R=1"
	EAP-Message = 0x048d0004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 243 to 10.4.254.128 port 47333
	EAP-Message = 0x018e002b1900170301002023498abf9b5d47cb17b4ebf0b990c141fcbd38fd2a87b7d8294e62fc5da56cce
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6d2213206aac0a47a13dedf79c550bd5
Finished request 35.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.4.254.128 port 47333, id=244, length=235
	User-Name = "FuchsA"
	Called-Station-Id = "C6-E9-84-71-33-A2:FES-WLAN"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "44-00-10-57-E4-82"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "57DD11F2-0000001E"
	X-Ascend-Home-Agent-UDP-Port = 1027076
	X-Ascend-Multilink-ID = 1027076
	X-Ascend-Num-In-Multilink = 1027073
	Framed-MTU = 1400
	EAP-Message = 0x028e002b19001703010020f39ddab6c30dbe6e7aa9b45952c3032c64658f9f7db0a3c653ba5ec288b9ccaa
	State = 0x6d2213206aac0a47a13dedf79c550bd5
	Message-Authenticator = 0x35027d583f9d44fccca2de40949ce9e1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "FuchsA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 142 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> FuchsA
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 36 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 36
Sending Access-Reject of id 244 to 10.4.254.128 port 47333
	EAP-Message = 0x048e0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 28 ID 236 with timestamp +189
Cleaning up request 29 ID 237 with timestamp +189
Cleaning up request 30 ID 238 with timestamp +189
Cleaning up request 31 ID 239 with timestamp +189
Cleaning up request 32 ID 240 with timestamp +189
Cleaning up request 33 ID 241 with timestamp +189
Cleaning up request 34 ID 242 with timestamp +189
Waking up in 0.1 seconds.
Cleaning up request 35 ID 243 with timestamp +189
Waking up in 1.0 seconds.
Cleaning up request 36 ID 244 with timestamp +189
Ready to process requests.
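
Added example, not part of the original post: a small triage script that reads FreeRADIUS debug output like the above, finds which method actually checked the password and which stored attribute was available, and says whether the two can work together. The `COMPAT` table summarises FreeRADIUS's protocol/password compatibility and is included here as an assumption; `SAMPLE` is a constructed excerpt made of lines copied from the log above.

```python
import re

# Constructed excerpt: lines taken from the debug output in the post, trimmed.
SAMPLE = """\
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
[eap] processing type md5
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[eap] processing type peap
[eap] processing type mschapv2
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Client is using MS-CHAPv2 for FuchsA, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
[peap] Tunneled authentication was rejected.
"""

# Assumption: stored-password attributes each method can verify against.
# PAP hands the server the password itself, so the server can hash it any way
# it likes. Challenge-response methods need the cleartext (or, for MS-CHAP,
# the NT hash) to recompute the expected response.
PAP_OK = {
    "Cleartext-Password", "NT-Password", "MD5-Password", "SMD5-Password",
    "SHA-Password", "SSHA-Password", "Crypt-Password",
}
COMPAT = {
    "pap": PAP_OK,
    "chap": {"Cleartext-Password"},
    "md5": {"Cleartext-Password"},  # EAP-MD5
    "mschap": {"Cleartext-Password", "NT-Password"},
    "mschapv2": {"Cleartext-Password", "NT-Password"},
}


def can_verify(method, stored_attr):
    """True if `method` can be checked against a password stored as `stored_attr`."""
    return stored_attr in COMPAT.get(method, set())


def triage(log):
    """Summarise one authentication attempt from FreeRADIUS debug text."""
    # rlm_pap logs a "Normalizing" line only for hashed attributes, so an
    # empty set here means "unknown", not "cleartext".
    stored = set(re.findall(r"\[pap\] Normalizing (\S+-Password) from", log))

    # EAP types in the order the server processed them, without repeats.
    methods = []
    for name in re.findall(r"\[eap\] processing type (\w+)", log):
        if name not in methods:
            methods.append(name)

    # tls/peap are only transport; the last credential-bearing type is the
    # one that actually tested the password.
    credential_method = next(
        (m for m in reversed(methods) if m in COMPAT), None
    )

    failures = [
        f.strip() for f in re.findall(r"FAILED: (.+)$", log, re.MULTILINE)
    ]

    if credential_method is None or not stored:
        compatible = None  # not enough information in the log
    else:
        compatible = any(can_verify(credential_method, a) for a in stored)

    return {
        "stored": stored,
        "methods": methods,
        "credential_method": credential_method,
        "needed": sorted(COMPAT.get(credential_method, set())),
        "compatible": compatible,
        "failures": failures,
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("stored attribute(s):", ", ".join(sorted(result["stored"])))
    print("EAP types seen     :", " -> ".join(result["methods"]))
    print("password checked by:", result["credential_method"])
    print("method can use     :", ", ".join(result["needed"]))
    print("compatible         :", result["compatible"])
    for reason in result["failures"]:
        print("server said        :", reason)
    # The radtest case from the post: PAP against the same MD5 row.
    print("pap + MD5-Password :", can_verify("pap", "MD5-Password"))
```
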







