Problem with log and PEAP/MS-CHAPv2

Andrea Gabellini andrea.gabellini at telecomitalia.sm
Thu Apr 13 09:41:31 CEST 2017



On 13/04/2017 02:15, Alan DeKok wrote:
> On Apr 12, 2017, at 7:34 AM, Andrea Gabellini <andrea.gabellini at telecomitalia.sm> wrote:
>> Now in the log, with the login incorrect, I found:
>>
>> Apr 12 13:31:28 radius31 radiusd[19562]: (8)   Login incorrect (mschap:
>> MS-CHAP2-Response is incorrect): [testuser] (from client wlc_wifi_tim
>> port 0 via TLS tunnel)
>   The (8) is the clue.
>
>   You've started the server in daemon mode, but passed it "-xx" on the command line.  So *all* debug output is being sent to the main log file.
>
>   The simple answer is "don't do that".

Hi Alan,

the server doesn't have any extra options:

[09:25:43][radius31:~] #systemctl restart radiusd

[09:29:46][radius31:~] #ps -ef | grep radiusd
radiusd  21746     1  0 09:29 ?        00:00:00
/usr/local/freeradius/sbin/radiusd

[09:30:06][radius31:~] #tail -f /var/log/radius/radius.log
Apr 13 09:30:44 radius31 radiusd[21746]: (9)   Login OK: [testuser]
(from client wlc_wifi_tim port 0 via TLS tunnel)
Apr 13 09:30:44 radius31 radiusd[21746]: (10) Login OK: [testuser] (from
client wlc_wifi_tim port 0 cli E8-3A-12-EF-30-CE)
Apr 13 09:30:52 radius31 radiusd[21746]: (19)   Login incorrect (mschap:
MS-CHAP2-Response is incorrect): [testuser] (from client wlc_wifi_tim
port 0 via TLS tunnel)
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   This means you
need to read the PREVIOUS messages in the debug output
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   to find out
the reason why the user was rejected
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   Look for
"reject" or "fail".  Those earlier messages will tell you
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   what went
wrong, and how to fix the problem
Apr 13 09:30:52 radius31 radiusd[21746]: (20) Login incorrect (eap_peap:
The users session was previously rejected: returning reject (again.)):
[testuser] (from client wlc_wifi_tim port 0 cli E8-3A-12-EF-30-CE)

I used the -xx switch in the past for the initial configuration, but now
I'm not using it.

Is there any other place where I can find a debug switch?

Thanks,
Andrea

>> The eap_peap logs seem to be a debug log. Is it correct?
>   it's a debug log because you told it to be a debug log.
>
>   It helps to pay attention to the configuration changes you make.
>
>   Alan DeKok.

-- 
----------------------------------------------------------------
So many pedestrians, so little time.

----------------------------------------------------------------

Ing. Andrea Gabellini
Email: andrea.gabellini at telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Via XXVIII Luglio, 212 - Piano -2
47893 Borgo Maggiore
Republic of San Marino

http://www.telecomitalia.sm
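
The following Python example is added here and is not from the original post or the FreeRADIUS project: it rejoins the hard-wrapped radius.log records quoted in the message above, extracts each Login OK / Login incorrect result with its request number and reason, and counts module-prefixed lines such as the eap_peap hints separately. The regular expressions and field names are assumptions based only on the log lines shown in this message.

```python
import re
from collections import Counter
# Constructed sample: a subset of the log lines quoted above, mail wraps kept.
SAMPLE = """\
Apr 13 09:30:44 radius31 radiusd[21746]: (9)   Login OK: [testuser]
(from client wlc_wifi_tim port 0 via TLS tunnel)
Apr 13 09:30:52 radius31 radiusd[21746]: (19)   Login incorrect (mschap:
MS-CHAP2-Response is incorrect): [testuser] (from client wlc_wifi_tim
port 0 via TLS tunnel)
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   This means you
need to read the PREVIOUS messages in the debug output
Apr 13 09:30:52 radius31 radiusd[21746]: (20) eap_peap:   to find out
the reason why the user was rejected
Apr 13 09:30:52 radius31 radiusd[21746]: (20) Login incorrect (eap_peap:
The users session was previously rejected: returning reject (again.)):
[testuser] (from client wlc_wifi_tim port 0 cli E8-3A-12-EF-30-CE)
"""

HEAD = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ radiusd\[\d+\]: ")
BODY = re.compile(r"\((\d+)\)\s+(.*)")          # "(19)   <message>"
AUTH = re.compile(r"Login (OK|incorrect)(?: \((.*)\))?: \[([^\]]*)\] "
                  r"\(from client (\S+)")
MODULE = re.compile(r"(\w+):\s")                # "eap_peap:   <text>"

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog header continues the last one."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Return (auth results, count of module-prefixed lines per module)."""
    auth, modules = [], Counter()
    for rec in unwrap(text):
        m = BODY.match(HEAD.sub("", rec))
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(2)
        if a := AUTH.match(msg):
            auth.append({"req": req, "ok": a.group(1) == "OK", "reason": a.group(2),
                         "user": a.group(3), "client": a.group(4),
                         "inner": "via TLS tunnel" in msg})
        elif mod := MODULE.match(msg):
            modules[mod.group(1)] += 1
    return auth, dict(modules)
```

Calling `parse()` on the contents of a log file returns the authentication results and the per-module line counts as separate values, so failed logins can be reviewed without the module hint text mixed in.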


