Need help for adding dictionary and used for check item
吳子境 Matt.Wu/TP/FITI
matt.wu at fitivision.com
Tue May 9 10:38:48 CEST 2017
Hello,
I have a problem adding a new dictionary in FreeRADIUS Version 2.2.8
and using the attribute as a users check item, but it always responds with Access-Reject.
Below are my steps:
First, create 'dictionary.fitivision' in '/usr/share/freeradius2/', as follows:
# -*- text -*-
#
# As posted to the list.
#
# Version: $Id$
#
VENDOR Fitivision 49809
BEGIN-VENDOR Fitivision
ATTRIBUTE Fitivision-Essid-Name 1 string
END-VENDOR Fitivision
And add an include in '/usr/share/freeradius2/dictionary':
$INCLUDE dictionary.fitivision
When I test it as a reply item, it works.
But when I use it as a check item, it always responds with Access-Reject.
The users config is as follows:
"test3" Cleartext-Password := "testpwd", Fitivision-Essid-Name == "test"
And the radius log is as follows:
radiusd: FreeRADIUS Version 2.2.8, for host arm-openwrt-linux-gnu, built on Apr 28 2017 at 10:22:04
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius2/radiusd.conf
including configuration file /etc/freeradius2/clients.conf
including files in directory /etc/freeradius2/modules/
including configuration file /etc/freeradius2/modules/attr_filter
including configuration file /etc/freeradius2/modules/attr_rewrite
including configuration file /etc/freeradius2/modules/chap
including configuration file /etc/freeradius2/modules/echo
including configuration file /etc/freeradius2/modules/exec
including configuration file /etc/freeradius2/modules/files
including configuration file /etc/freeradius2/modules/mschap
including configuration file /etc/freeradius2/modules/pap
including configuration file /etc/freeradius2/eap.conf
including files in directory /etc/freeradius2/sites/
including configuration file /etc/freeradius2/sites/default
main {
allow_core_dumps = no
}
including dictionary file /etc/freeradius2/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log"
run_dir = "/var/run"
libdir = "/usr/lib/freeradius2"
radacctdir = "/var/db/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius2/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius2/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius2/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius2/modules/mschap
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius2/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius2/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius2/certs/server.pem"
certificate_file = "/etc/freeradius2/certs/server.pem"
CA_file = "/etc/freeradius2/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius2/certs/dh"
random_file = "/etc/freeradius2/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius2/modules/files
files {
usersfile = "/etc/freeradius2/users"
acctusersfile = "/etc/freeradius2/acct_users"
preproxy_usersfile = "/etc/freeradius2/preproxy_users"
compat = "cistron"
}
reading pairlist file /etc/freeradius2/users
[/etc/freeradius2/users]:21 Cistron compatibility checks for entry test3 ...
reading pairlist file /etc/freeradius2/acct_users
reading pairlist file /etc/freeradius2/preproxy_users
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius2/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
Listening on authentication address 192.168.168.205 port 1812
Listening on accounting address 192.168.168.205 port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=18, length=197
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x021b000a017465737433
Message-Authenticator = 0x07abb25c6fcac61aeb3d0f1e49cc98d6
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 27 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 18 to 192.168.168.205 port 42115
EAP-Message = 0x011c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc312e6f65e8768c16e09584c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=19, length=336
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
State = 0xc30eff1bc312e6f65e8768c16e09584c
Message-Authenticator = 0x97c6fbb9e1abd4ef3a74f02b493bd9d9
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 28 length 131
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 121
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0074], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
[603087.097870] [wifi0]
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eFWLOG: [81054832] ap] = handled
+} # group authenticate = handled
Sending AccessRATE: ChainMask 1, peer_mac a8:2e, phymode 1, ni_flags 0x00040016, vht_mcs_set 0x0000, ht_mcs_set 0xffffffff, legacy_rate_set 0x0fff
-Challenge of id 19 to 192.168.168.205 port 42115
071309536f6d65776865726531153013060355040a130c4578616d706c65200x73496e632e3120301e06092a864886f70d010901161161646d696e406578616d70, 6c652e636f6d312630240603550403131d4578616d706c6520436572746966
0xa EAP-Message = 0x696361746520417574686f72697479301e170d313630363, 0x90 )
, 0x90 )
96e406578616d706c652e636f6d30820122300d06092a864, 0x3, 0x479, 0x0, 0x9 )
886f70d01010105000382010f003082010a0282010100c946423265b4772617374660729c3c023d379b4681413b66f0de07f15b16eb15b5ee002373b664f5c61e11551f35c7
3f493e1437188fd72840aeeb6ceaf96f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505
fba07a9ee61c4c06d633ec4ec0c0885d07b45952f31d2edea03bb0bb93aa6e42fe7580a3d2f58b052a1fb56bde36002acee20f2e3b92bb99b72b0c67
EAP-Message = 0x65011ccb33e94e5fd90004ab
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc213e6f65e8768c16e09584c
Finished request 1.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=20, length=211
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x021d00061900
State = 0xc30eff1bc213e6f65e8768c16e09584c
Message-Authenticator = 0xf40ff990a4a13753cc3f28b33ca5a182
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 29 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 20 to 192.168.168.205 port 42115
7479301e170d3136303632313037343833345a170d3137303632313037343833345a308193310b3009060355040613024652310f300d060355040813
25d9d75e9faa36bacf2d256d8087504d1055532185e593fa3e07f9e6ddad8e457bf8979b2546bdc2768018764158ab0f21ae77998cecd6d1809b278b
0f8d572ebd0d9e887d3081c80603551d230481c03081bd80140e28c41f34600d01ab674c0f8d572ebd0d9e887da18199a48196308193310b30090603
fffb4632ebeca0865b13c0303e9485f59828369fe812f32b4d77d3d9706c7e97666a331797210b32c9cab80c500d4bf29224708affda268acc6bc612
EAP-Message = 0x68d2a1ab15f206e8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc110e6f65e8768c16e09584c
Finished request 2.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=21, length=211
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x021e00061900
State = 0xc30eff1bc110e6f65e8768c16e09584c
Message-Authenticator = 0xee0d464855fa5a53cf755d16de6fdb07
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 30 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 21 to 192.168.168.205 port 42115
0001470300174104975e7a95fb4a34da8edb2ed340d161af75e08b4a69b597f4cbda60518ee060eeb29b016c3f54fd1ff7fa5f5723e02b9b2409daaa
155596da9065984a02f00d19716a270374c21be8cec30236a14cf2e6eff550a27c26bce5e22b7314a6141ecf8695d2a5a74d9ee2dfe30413058ccb62
EAP-Message = 0xadbf51cc6d2a30b94b8ba5cc45dfc686b316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc011e6f65e8768c16e09584c
Finished request 3.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=22, length=349
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
116030100304477833ffd6e82754c90f5ccfc4fd75f7c67c30f13f0e3b07d3dbd903b794dc8bf52b3eb26040ed2925a094f71bebf30
State = 0xc30eff1bc011e6f65e8768c16e09584c
Message-Authenticator = 0x981d19112699f36bcaa048ac6d5cb917
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 31 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 22 to 192.168.168.205 port 42115
EAP-Message = 0x0120004119001403010001011603010030743a197efba6673363d52e38c84ee6af1156dc98475b254286422eec8c0d0c5e4a55682ec8483c791906496be38ca2b0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc72ee6f65e8768c16e09584c
Finished request 4.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=23, length=211
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x022000061900
State = 0xc30eff1bc72ee6f65e8768c16e09584c
Message-Authenticator = 0x3ad860d004ef3fcabba5f7614d629707
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 32 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
[peap] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 23 to 192.168.168.205 port 42115
EAP-Message = 0x0121002b1900170301002038f0a9de8c6c35bb8c25d91742508de0756c5f96898a5f807bbf622d860fd702
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc62fe6f65e8768c16e09584c
Finished request 5.
Going to the next request
Waking up in 3.5 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=24, length=248
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x0221002b19001703010020d9a51a72f4d3f026ee29713f988b5ea384f63c39bca9d72cbd454c22dc9f7f6b
State = 0xc30eff1bc62fe6f65e8768c16e09584c
Message-Authenticator = 0x9598e5c8853b46372c49e0eab0d847b1
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 33 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test3
[peap] Got inner identity 'test3'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0221000a017465737433
server {
[peap] Setting User-Name to test3
Sending tunneled request
EAP-Message = 0x0221000a017465737433
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
server {
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 33 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaacefa4baaece0d52cbb51841f6886cc
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaacefa4baaece0d52cbb51841f6886cc
[peap] Got tunneled Access-Challenge
[peap] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 24 to 192.168.168.205 port 42115
EAP-Message = 0x0122003b19001703010030d70c7180d63f7345328c82eee2d29cc97bcbfd56bd375a88759bec5058ea295a12563bc4e70233b1f386d332e063d5c9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc52ce6f65e8768c16e09584c
Finished request 6.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=25, length=312
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
10519e089ae2095a3afea8dc67f17dc4b
State = 0xc30eff1bc52ce6f65e8768c16e09584c
Message-Authenticator = 0xea0f404b1fdc40e787d84bac706215d1
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 34 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433
server {
[peap] Setting User-Name to test3
Sending tunneled request
EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test3"
State = 0xaacefa4baaece0d52cbb51841f6886cc
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
server {
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 34 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius2/sites/default
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test3
[mschap] Client is using MS-CHAPv2 for test3, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
} # server
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\"E=691 R=1"
EAP-Message = 0x04220004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
MS-CHAP-Error = "\"E=691 R=1"
EAP-Message = 0x04220004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
[peap] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 25 to 192.168.168.205 port 42115
EAP-Message = 0x0123002b190017030100200a019db07d5b363141790d2b79f35448849fb36c234d074dbdcaa68b4ec312f0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc30eff1bc42de6f65e8768c16e09584c
Finished request 7.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=26, length=248
User-Name = "test3"
Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "A4-67-06-6D-A8-2E"
Connect-Info = "CONNECT 0Mbps 802.11b"
Acct-Session-Id = "BF8FD357-00000002"
Attr-186 = 0x0050f202
Attr-187 = 0x0050f202
Attr-188 = 0x000fac01
Fitivision-Essid-Name = "test"
Framed-MTU = 1400
EAP-Message = 0x0223002b19001703010020b8cd3f0acc578a073928fe39c5cd9910ae9fa867c95ddf1aade29daba16fd349
State = 0xc30eff1bc42de6f65e8768c16e09584c
Message-Authenticator = 0xfa5287fca7371b423b4170722af255c2
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 35 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 26 to 192.168.168.205 port 42115
EAP-Message = 0x04230004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.7 seconds.
Cleaning up request 0 ID 18 with timestamp +3
Waking up in 0.1 seconds.
Cleaning up request 1 ID 19 with timestamp +3
Waking up in 0.4 seconds.
Cleaning up request 2 ID 20 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 3 ID 21 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 22 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 5 ID 23 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 6 ID 24 with timestamp +5
Waking up in 0.4 seconds.
Cleaning up request 7 ID 25 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 8 ID 26 with timestamp +5
Ready to process requests.
Am I missing something?
Thanks
Matt Wu
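
The debug output above says to look at the earlier "reject" or "fail" messages. The following is an added example, not part of the original post and not FreeRADIUS code: a small triage script for `radiusd -X` output that records each module's return code per request, separates the outer session from the PEAP inner tunnel, and reports the first module that rejected. The function names are hypothetical, and the sample is an excerpt of the log posted above.

```python
import re

# Excerpt of the debug log from the post above (request id=25).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=25, length=312
+group authorize {
++[mschap] = noop
++[eap] = ok
+} # group authorize = ok
+group authenticate {
[peap] Got tunneled request
Sending tunneled request
+group authorize {
++[mschap] = noop
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
+group authenticate {
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code Access-Reject
++[eap] = handled
+} # group authenticate = handled
"""

REQ = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
GROUP_OPEN = re.compile(r"\+group (\S+) \{")
GROUP_CLOSE = re.compile(r"\+\} # group \S+ = \w+")
RCODE = re.compile(r"^\++\[(\w+)\] = (\w+)")
# The log's own advice: look for "reject" or "fail" (warnings are kept too).
DIAG = re.compile(r"fail|reject|warning", re.IGNORECASE)
BAD_RCODES = {"reject", "fail", "invalid"}


def triage(log):
    """Return one dict per request: id, module rcodes, diagnostic lines."""
    requests, cur, scope, stack = [], None, "outer", []
    for raw in log.splitlines():
        line = raw.strip()
        m = REQ.match(line)
        if m:
            cur = {"id": int(m.group(2)), "rcodes": [], "diagnostics": []}
            requests.append(cur)
            scope, stack = "outer", []
            continue
        if cur is None:
            continue
        # PEAP runs the inner request between these two markers.
        if line == "Sending tunneled request":
            scope = "inner"
        elif "Got tunneled reply" in line:
            scope = "outer"
        if GROUP_CLOSE.search(line):
            if stack:
                stack.pop()
        elif GROUP_OPEN.search(line):
            stack.append(GROUP_OPEN.search(line).group(1))
        elif RCODE.match(line):
            mod, rc = RCODE.match(line).groups()
            section = stack[-1] if stack else None
            cur["rcodes"].append((scope, section, mod, rc))
        elif DIAG.search(line):
            cur["diagnostics"].append((scope, line))
    return requests


def first_failure(req):
    """First (scope, section, module, rcode) whose rcode is a failure."""
    return next((e for e in req["rcodes"] if e[3] in BAD_RCODES), None)


def module_rcode(req, scope, section, module):
    """Return code a module gave in one section of one scope, or None."""
    for s, sec, mod, rc in req["rcodes"]:
        if (s, sec, mod) == (scope, section, module):
            return rc
    return None


if __name__ == "__main__":
    for req in triage(SAMPLE):
        print("request id", req["id"], "first failure:", first_failure(req))
        print("  inner files rcode:",
              module_rcode(req, "inner", "authorize", "files"))
        for scope, text in req["diagnostics"]:
            print("  [%s] %s" % (scope, text))
```

On this excerpt the first failure is `mschap` in the inner tunnel, preceded by `files` returning `noop` and the `pap` warning that no "known good" password was found.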