Failed authentication on FreeRadius
Tal Nur
nurtal at yahoo.com
Thu Jun 27 14:14:47 CEST 2019
I installed FR 3.0.20 with a plain text file storing users and their passwords. When I tried to connect end user bob at turan.kz via a WiFi AP, I failed. What is my mistake?
Here is the output of the freeradius -X command during the connection attempt:
Received Access-Request Id 30 from 89.250.80.7:1026 to 89.250.80.6:1812 length 182
User-Name = "bob at turan.kz"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "C8-3A-35-40-1C-F0"
Calling-Station-Id = "84-B1-53-DF-3E-BC"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02070030190017030300253bc5db1b0542fe953989206abc908f78fc9bd5babd5d93bf8913bf3d361ea67cccdf066be5
State = 0xfefad346fbfdca45684956ecf2b10489
Message-Authenticator = 0x1d94ee8285d897bee4e535fc3012a89a
Restoring &session-state
&session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
&session-state:TLS-Session-Version = "TLS 1.2"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
authorize {
policy filter_username {
if (&User-Name) {
if (&User-Name) -> TRUE
if (&User-Name) {
if (&User-Name =~ / /) {
if (&User-Name =~ / /) -> FALSE
if (&User-Name =~ /@[^@]*@/ ) {
if (&User-Name =~ /@[^@]*@/ ) -> FALSE
if (&User-Name =~ /\.\./ ) {
if (&User-Name =~ /\.\./ ) -> FALSE
if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
if (&User-Name =~ /\.$/) {
if (&User-Name =~ /\.$/) -> FALSE
if (&User-Name =~ /@\./) {
if (&User-Name =~ /@\./) -> FALSE
} # if (&User-Name) = notfound
} # policy filter_username = notfound
[preprocess] = ok
[chap] = noop
[mschap] = noop
[digest] = noop
suffix: Checking for suffix after "@"
suffix: Looking up realm "turan.kz" for User-Name = "bob at turan.kz"
suffix: Found realm "turan.kz"
suffix: Adding Realm = "turan.kz"
suffix: Authentication realm is LOCAL
[suffix] = ok
eap: Peer sent EAP Response (code 2) ID 7 length 48
eap: Continuing tunnel setup
[eap] = ok
} # authorize = ok
Found Auth-Type = eap
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
authenticate {
eap: Expiring EAP session with state 0xfefad346fbfdca45
eap: Finished EAP session with state 0xfefad346fbfdca45
eap: Previous EAP request found for state 0xfefad346fbfdca45, released from the list
eap: Peer sent packet with method EAP PEAP (25)
eap: Calling submodule eap_peap to process data
eap_peap: Continuing EAP-TLS
eap_peap: [eaptls verify] = ok
eap_peap: Done initial handshake
eap_peap: [eaptls process] = ok
eap_peap: Session established. Decoding tunneled attributes
eap_peap: PEAP state WAITING FOR INNER IDENTITY
eap_peap: Identity - bob at turan.kz
eap_peap: Got inner identity 'bob at turan.kz'
eap_peap: Setting default EAP type for tunneled EAP session
eap_peap: Got tunneled request
eap_peap: EAP-Message = 0x0207001101626f6240747572616e2e6b7a
eap_peap: Setting User-Name to bob at turan.kz
eap_peap: Sending tunneled request to eduroam-inner-tunnel
eap_peap: EAP-Message = 0x0207001101626f6240747572616e2e6b7a
eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
eap_peap: User-Name = "bob at turan.kz"
eap_peap: NAS-IP-Address = 192.168.0.1
eap_peap: NAS-Port = 0
eap_peap: Called-Station-Id = "C8-3A-35-40-1C-F0"
eap_peap: Calling-Station-Id = "84-B1-53-DF-3E-BC"
eap_peap: Framed-MTU = 1400
eap_peap: NAS-Port-Type = Wireless-802.11
eap_peap: Event-Timestamp = "Jun 26 2019 07:06:42 UTC"
Virtual server eduroam-inner-tunnel received request
EAP-Message = 0x0207001101626f6240747572616e2e6b7a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bob at turan.kz"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "C8-3A-35-40-1C-F0"
Calling-Station-Id = "84-B1-53-DF-3E-BC"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jun 26 2019 07:06:42 UTC"
WARNING: Outer and inner identities are the same. User privacy is compromised.
server eduroam-inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
authorize {
auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
auth_log: --> /usr/local/var/log/radius/radacct/89.250.80.7/auth-detail-20190626
auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/89.250.80.7/auth-detail-20190626
auth_log: EXPAND %t
auth_log: --> Wed Jun 26 07:06:42 2019
[auth_log] = ok
eap: Peer sent EAP Response (code 2) ID 7 length 17
eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
[eap] = ok
files: users: Matched entry bob at turan.kz at line 87
files: EXPAND Hello, %{User-Name}
files: --> Hello, bob at turan.kz
[files] = ok
[mschap] = noop
pap: WARNING: Auth-Type already set. Not setting to PAP
[pap] = noop
} # authorize = ok
Found Auth-Type = eap
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
authenticate {
eap: Peer sent packet with method EAP Identity (1)
eap: Calling submodule eap_mschapv2 to process data
eap_mschapv2: Issuing Challenge
eap: Sending EAP Request (code 1) ID 8 length 43
eap: EAP session adding &reply:State = 0x58cb71f258c36b09
[eap] = handled
} # authenticate = handled
} # server eduroam-inner-tunnel
Virtual server sending reply
Reply-Message = "Hello, bob at turan.kz"
EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x58cb71f258c36b095384618a82349908
eap_peap: Got tunneled reply code 11
eap_peap: Reply-Message = "Hello, bob at turan.kz"
eap_peap: EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230
eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
eap_peap: State = 0x58cb71f258c36b095384618a82349908
eap_peap: Got tunneled reply RADIUS code 11
eap_peap: Reply-Message = "Hello, bob at turan.kz"
eap_peap: EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230
eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
eap_peap: State = 0x58cb71f258c36b095384618a82349908
eap_peap: Got tunneled Access-Challenge
eap: Sending EAP Request (code 1) ID 8 length 74
eap: EAP session adding &reply:State = 0xfefad346f8f2ca45
[eap] = handled
} # authenticate = handled
Using Post-Auth-Type Challenge
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
Challenge { ... } # empty sub-section is ignored
session-state: Saving cached attributes
TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
TLS-Session-Version = "TLS 1.2"
Sent Access-Challenge Id 30 from 89.250.80.6:1812 to 89.250.80.7:1026 length 0
EAP-Message = 0x0108004a1900170303003f65d2d81fede8586ad658fe2ef68148cdd00a0fe7d7b86fc891c73f2c4382c50fe3d4c8d8c75decf5ed2e079ab13f12c470df1c6d7eba8b61fcf7cfda3a4603
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfefad346f8f2ca45684956ecf2b10489
Finished request
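
The EAP-Message hex values in the debug output above can be decoded to cross-check what the eap, eap_peap and eap_mschapv2 lines report (code, ID, length, method). The following Python decoder is an added example, not part of the original post or of FreeRADIUS; `decode_eap` and the constant names are hypothetical, and the hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message values copied from the debug output above (names are hypothetical).
INNER_IDENTITY = "0x0207001101626f6240747572616e2e6b7a"
INNER_CHALLENGE = ("0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94"
                   "667265657261646975732d332e302e3230")
OUTER_RESPONSE = ("0x02070030190017030300253bc5db1b0542fe953989206abc908f78fc"
                  "9bd5babd5d93bf8913bf3d361ea67cccdf066be5")


def decode_eap(hex_value):
    """Decode one EAP packet (RFC 3748 header) from an EAP-Message hex string."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out  # Success/Failure carry no type field
    eap_type, data = raw[4], raw[5:length]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:  # Identity: the rest is the identity string
        out["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 25 and data:  # PEAP: flags byte, optional 4-byte TLS length
        body = data[5:] if data[0] & 0x80 else data[1:]
        if len(body) >= 5:  # TLS record header: type, version, length
            ctype, major, minor, rec_len = struct.unpack("!BBBH", body[:5])
            out["tls_record"] = {"content_type": ctype,
                                 "version": (major, minor), "length": rec_len}
    elif eap_type == 26 and len(data) >= 5:  # EAP-MSCHAPv2
        opcode, ms_id, ms_len, size = struct.unpack("!BBHB", data[:5])
        out["mschap_opcode"] = MSCHAP_OPCODES.get(opcode, opcode)
        if opcode == 1:  # Challenge: value-size, challenge bytes, server name
            out["challenge"] = data[5:5 + size].hex()
            out["name"] = data[5 + size:ms_len].decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    for label in ("INNER_IDENTITY", "INNER_CHALLENGE", "OUTER_RESPONSE"):
        print(label, decode_eap(globals()[label]))
```

The outer packet exposes only a TLS application-data record header, while the inner packets are readable here because the debug log prints them after the tunnel has been decrypted.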