eap_peap: fatal access_denied error

mustafa mujahid mustafa.mujahid at outlook.com
Wed Mar 8 18:53:36 CET 2017


Hello all, I've been trying to set up LAN authentication on a Cisco 2960 switch. I've done configurations with PAP, but this is the first time working with EAP. I have run into a bit of an issue. I receive a 'fatal: access denied' error in the debug log while testing with a single client. Radius version is 3.0.12.


Please find the full debug log attached, as it was quite long, along with my defaults file, eap module file and inner tunnel.


The error as shown in the debug output:


(6) Received Access-Request Id 111 from 10.10.99.5:1645 to 115.186.154.51:1812 length 208
(6)   User-Name = "inzamam.shafiq"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1500
(6)   Called-Station-Id = "F4-1F-C2-29-F2-04"
(6)   Calling-Station-Id = "5C-B9-01-40-7A-51"
(6)   EAP-Message = 0x0207002f1980000000251503010020c16512711bcb968946945393a285231d100f4ad033f9b228472d29b6fe0f9330
(6)   Message-Authenticator = 0xe7d930474f3ffad35c235370b081c91f
(6)   NAS-Port-Type = Ethernet
(6)   NAS-Port = 50004
(6)   NAS-Port-Id = "FastEthernet0/4"
(6)   State = 0x83dbc94886dcd087405afa3e400f12a5
(6)   NAS-IP-Address = 10.10.99.5
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     [preprocess] = ok
(6) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log:    --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170308
(6) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170308
(6) auth_log: EXPAND %t
(6) auth_log:    --> Wed Mar  8 11:05:41 2017
(6)     [auth_log] = ok
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "inzamam.shafiq", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 47
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x83dbc94886dcd087
(6) eap: Finished EAP session with state 0x83dbc94886dcd087
(6) eap: Previous EAP request found for state 0x83dbc94886dcd087, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 37 bytes
(6) eap_peap: Got complete TLS record (37 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal access_denied
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) eap_peap: WARNING: No data inside of the tunnel
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state ?
(6) eap_peap: ERROR: Tunneled data is invalid
(6) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 7 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Post-Auth-Type REJECT {
(6) sql: EXPAND .query
(6) sql:    --> .query
(6) sql: WARNING: No such configuration item .query
(6)     [sql] = noop
(6)   } # Post-Auth-Type REJECT = noop
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 111 from 115.186.154.51:1812 to 10.10.99.5:1645 length 44
(6)   EAP-Message = 0x04070004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 105 with timestamp +9
(1) Cleaning up request packet ID 106 with timestamp +9
(2) Cleaning up request packet ID 107 with timestamp +9
(3) Cleaning up request packet ID 108 with timestamp +10
(4) Cleaning up request packet ID 109 with timestamp +10
(5) Cleaning up request packet ID 110 with timestamp +10
(6) Cleaning up request packet ID 111 with timestamp +10
Ready to process requests


I read that radius works with EAP out of the box. I'm sorry I don't have more troubleshooting info, as I couldn't figure out how to move forward from here. If I could be pointed in the right direction it would be greatly appreciated. Please let me know if further information is required.

BR/Mustafa.
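The debug lines "complete TLS record size will be 37 bytes" and "recv TLS 1.0 Alert" come straight from the framing of the EAP-Message attribute in request (6). The following decoder, added here as an illustration and not part of the original post or of FreeRADIUS, parses that hex value from the log and shows the EAP header, the PEAP flags and the outer TLS record header; the 2-byte alert body (level and description) is encrypted at this point in the handshake, so only the server, which holds the session keys, can report it as "fatal access_denied".

```python
# Added example: decode the EAP-Message from request (6) in the debug log
# to show the EAP / PEAP / TLS framing FreeRADIUS reports.
import struct

# Constructed from the EAP-Message hex shown in the debug output above.
EAP_MESSAGE_HEX = (
    "0207002f1980000000251503010020"
    "c16512711bcb968946945393a285231d100f4ad033f9b228472d29b6fe0f9330"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_eap_peap(raw: bytes) -> dict:
    """Parse the EAP header, the EAP-TLS/PEAP flags and the TLS record header."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != payload size {len(raw)}")
    eap_type, flags = raw[4], raw[5]
    info = {
        "code": EAP_CODES.get(code, code), "id": ident, "length": length,
        "type": EAP_TYPES.get(eap_type, eap_type),
        "length_included": bool(flags & 0x80),   # L bit: 4-byte TLS length follows
        "more_fragments": bool(flags & 0x40),    # M bit
        "start": bool(flags & 0x20),             # S bit
        "version": flags & 0x07,                 # PEAP version in low 3 bits
    }
    pos = 6
    if info["length_included"]:
        info["tls_message_length"] = struct.unpack("!I", raw[pos:pos + 4])[0]
        pos += 4
    tls = raw[pos:]
    info["tls_data_length"] = len(tls)
    if len(tls) >= 5:
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
        info["tls_content_type"] = TLS_CONTENT_TYPES.get(ctype, ctype)
        info["tls_version"] = TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}")
        info["tls_record_length"] = rlen
        # A plaintext alert is exactly 2 bytes; a longer alert record means
        # the alert body is encrypted and needs the session keys to read.
        info["encrypted_alert"] = ctype == 21 and rlen != 2
    return info


def decode_hex(hex_str: str) -> dict:
    """Convenience wrapper for hex values copied from a FreeRADIUS debug log."""
    return parse_eap_peap(bytes.fromhex(hex_str))
```

Running `decode_hex(EAP_MESSAGE_HEX)` reports an EAP Response (id 7, 47 bytes) of type PEAP with the length bit set, a 37-byte TLS message, and a TLS 1.0 Alert record of 32 bytes, which is the encrypted alert the server decrypts and logs as fatal access_denied.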
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RadLanAuthDebug
Type: application/octet-stream
Size: 24526 bytes
Desc: RadLanAuthDebug
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170308/cfc86dbd/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EAP.CONF
Type: application/octet-stream
Size: 1048 bytes
Desc: EAP.CONF
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170308/cfc86dbd/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Defaults file
Type: application/octet-stream
Size: 957 bytes
Desc: Defaults file
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170308/cfc86dbd/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inner tunnel
Type: application/octet-stream
Size: 558 bytes
Desc: inner tunnel
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170308/cfc86dbd/attachment-0007.obj>

