MS-CHAP2-Request is rejected

Manoel bezerra maneo.ufrn at gmail.com
Mon May 20 19:15:48 CEST 2019


Hello.
You must use the attribute ntpassword. That's because the MSCHAP protocol is a
Microsoft standard and it works only using this password type.
Regards.
Manoel Bezerra da Costa Neto
Computer Networks Infrastructure Analyst.
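
For reference, the inner EAP-MSCHAPv2 challenge and response that appear in the quoted debug output can be decoded field by field. This is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical and the two hex strings are copied from the `(5)` and `(6)` inner-tunnel `EAP-Message` lines of the log.

```python
import struct

# EAP type 26 is EAP-MSCHAPv2; opcodes 1 and 2 are Challenge and Response.
EAP_TYPE_MSCHAPV2 = 26
OP_CHALLENGE, OP_RESPONSE = 1, 2

# Inner-tunnel EAP-Message values copied from the debug output on this page.
CHALLENGE_HEX = ("0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa"
                 "667265657261646975732d332e302e3132")
RESPONSE_HEX = ("0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd2"
                "00000000000000005984d1f879ab5fb509b4d544552cb8d1"
                "00815e7b9445e381007061727469636c65")


def parse_eap_mschapv2(hex_value):
    """Decode one EAP-MSCHAPv2 Challenge or Response packet into a dict."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 10:
        raise ValueError("packet shorter than the EAP + MSCHAPv2 headers")

    # EAP header: code, identifier, total length, method type.
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    if eap_len != len(raw):
        raise ValueError("EAP length %d != actual %d" % (eap_len, len(raw)))
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not EAP-MSCHAPv2 (type %d)" % eap_type)

    # MSCHAPv2 header: opcode, MS-CHAPv2 id, length (EAP length minus the
    # 5-byte EAP header), and the size of the value field that follows.
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", raw[5:10])
    if ms_len != eap_len - 5:
        raise ValueError("MS-Length %d inconsistent with EAP length" % ms_len)
    body = raw[10:]
    if len(body) < value_size:
        raise ValueError("value field truncated")

    out = {"eap_code": code, "eap_id": eap_id, "opcode": opcode, "ms_id": ms_id}
    if opcode == OP_CHALLENGE:
        if value_size != 16:
            raise ValueError("challenge must be 16 bytes")
        out["challenge"] = body[:16].hex()           # authenticator challenge
    elif opcode == OP_RESPONSE:
        if value_size != 49:
            raise ValueError("response value must be 49 bytes")
        out["peer_challenge"] = body[:16].hex()
        out["reserved"] = body[16:24].hex()           # must be all zero
        # NT-Response: computed by the client from both challenges, the user
        # name and the NT hash of the password, so the server needs that hash
        # for the user in order to recompute and compare it.
        out["nt_response"] = body[24:48].hex()
        out["flags"] = body[48]
    else:
        raise ValueError("opcode %d not handled in this example" % opcode)
    out["name"] = body[value_size:].decode("utf-8", "replace")
    return out


def check_exchange(challenge, response):
    """Return a list of structural problems in a challenge/response pair."""
    problems = []
    if challenge["opcode"] != OP_CHALLENGE or response["opcode"] != OP_RESPONSE:
        problems.append("packets are not a Challenge followed by a Response")
        return problems
    if challenge["eap_id"] != response["eap_id"]:
        problems.append("EAP identifier mismatch")
    if challenge["ms_id"] != response["ms_id"]:
        problems.append("MS-CHAPv2 identifier mismatch")
    if response["reserved"] != "00" * 8:
        problems.append("reserved bytes are not zero")
    if not response["name"]:
        problems.append("empty user name in response")
    return problems


if __name__ == "__main__":
    chal = parse_eap_mschapv2(CHALLENGE_HEX)
    resp = parse_eap_mschapv2(RESPONSE_HEX)
    for label, pkt in (("challenge", chal), ("response", resp)):
        print(label)
        for key, value in pkt.items():
            print("  %-15s %s" % (key, value))
    print("structural problems:", check_exchange(chal, resp) or "none")
```

An empty problem list means the packets themselves are well formed, so a rejection at this stage comes from the credential comparison rather than from the framing.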


On Mon, May 20, 2019 at 05:46, william steen via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> First time using freeradius, attempting to set up a freeradius server on a
> RPi to create a testing environment for WPA2 Enterprise use on an IoT
> device. Any help to understand where I am going wrong gratefully received.
>
> Included below is the debug output on startup and when an attempt to
> connect using PEAP-MSCHAPv2 using just username and password (no
> certificate). The startup contains a few warnings which I assume are not
> material. The login debug has an error MS-CHAP2-Response is incorrect which
> comes after a WARNING: Auth-Type already set.  Not setting to PAP?
>
> FreeRADIUS Version 3.0.12
>
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay"               found in filter list for realm
> "DEFAULT".
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec"   found in filter list for realm
> "DEFAULT".
>
> Ready to process requests
>
> Below is the debug output when trying to connect to the WAP.
>
> (0) Received Access-Request Id 37 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 172
> (0)   User-Name = "particle"
> (0)   NAS-IP-Address = 192.168.1.38
> (0)   NAS-Identifier = "b4fbe4c348ab"
> (0)   NAS-Port = 0
> (0)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (0)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (0)   Framed-MTU = 1400
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (0)   EAP-Message = 0x0205000d017061727469636c65
> (0)   Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 5 length 13
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge
> (0) eap: Sending EAP Request (code 1) ID 6 length 22
> (0) eap: EAP session adding &reply:State = 0x792e584479285c88
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (0)   EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0x792e584479285c88d729d5f4b5ba04a4
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 38 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 183
> (1)   User-Name = "particle"
> (1)   NAS-IP-Address = 192.168.1.38
> (1)   NAS-Identifier = "b4fbe4c348ab"
> (1)   NAS-Port = 0
> (1)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (1)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (1)   Framed-MTU = 1400
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (1)   EAP-Message = 0x020600060319
> (1)   State = 0x792e584479285c88d729d5f4b5ba04a4
> (1)   Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 6 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1)     [eap] = updated
> (1) files: users: Matched entry particle at line 1
> (1)     [files] = ok
> (1)     [expiration] = noop
> (1)     [logintime] = noop
> (1) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (1)     [pap] = noop
> (1)   } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1)   authenticate {
> (1) eap: Expiring EAP session with state 0x792e584479285c88
> (1) eap: Finished EAP session with state 0x792e584479285c88
> (1) eap: Previous EAP request found for state 0x792e584479285c88, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new EAP-TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 7 length 6
> (1) eap: EAP session adding &reply:State = 0x792e584478294188
> (1)     [eap] = handled
> (1)   } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found.  Ignoring.
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (1)   EAP-Message = 0x010700061920
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x792e584478294188d729d5f4b5ba04a4
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 39 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 273
> (2)   User-Name = "particle"
> (2)   NAS-IP-Address = 192.168.1.38
> (2)   NAS-Identifier = "b4fbe4c348ab"
> (2)   NAS-Port = 0
> (2)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (2)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (2)   Framed-MTU = 1400
> (2)   NAS-Port-Type = Wireless-802.11
> (2)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (2)   EAP-Message =
> 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403
> (2)   State = 0x792e584478294188d729d5f4b5ba04a4
> (2)   Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2)   authorize {
> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> FALSE
> (2)         if (&User-Name =~ /@[^@]*@/ ) {
> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (2)         if (&User-Name =~ /\.\./ ) {
> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (2)         if (&User-Name =~ /\.$/)  {
> (2)         if (&User-Name =~ /\.$/)   -> FALSE
> (2)         if (&User-Name =~ /@\./)  {
> (2)         if (&User-Name =~ /@\./)   -> FALSE
> (2)       } # if (&User-Name)  = notfound
> (2)     } # policy filter_username = notfound
> (2)     [preprocess] = ok
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2)     [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2)     [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 7 length 96
> (2) eap: Continuing tunnel setup
> (2)     [eap] = ok
> (2)   } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2)   authenticate {
> (2) eap: Expiring EAP session with state 0x792e584478294188
> (2) eap: Finished EAP session with state 0x792e584478294188
> (2) eap: Previous EAP request found for state 0x792e584478294188, released
> from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes
> (2) eap_peap: Got complete TLS record (86 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.2  [length 0051]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2  [length 002a]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2  [length 02f1]
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2  [length 0004]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
> done
> (2) eap_peap: In SSL Handshake Phase
> (2) eap_peap: In SSL Accept mode
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 8 length 820
> (2) eap: EAP session adding &reply:State = 0x792e58447b264188
> (2)     [eap] = handled
> (2)   } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found.  Ignoring.
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (2)   EAP-Message =
> 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c
> (2)   Message-Authenticator = 0x00000000000000000000000000000000
> (2)   State = 0x792e58447b264188d729d5f4b5ba04a4
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 40 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 547
> (3)   User-Name = "particle"
> (3)   NAS-IP-Address = 192.168.1.38
> (3)   NAS-Identifier = "b4fbe4c348ab"
> (3)   NAS-Port = 0
> (3)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (3)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (3)   Framed-MTU = 1400
> (3)   NAS-Port-Type = Wireless-802.11
> (3)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (3)   EAP-Message =
> 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67
> (3)   State = 0x792e58447b264188d729d5f4b5ba04a4
> (3)   Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (3)   authorize {
> (3)     policy filter_username {
> (3)       if (&User-Name) {
> (3)       if (&User-Name)  -> TRUE
> (3)       if (&User-Name)  {
> (3)         if (&User-Name =~ / /) {
> (3)         if (&User-Name =~ / /)  -> FALSE
> (3)         if (&User-Name =~ /@[^@]*@/ ) {
> (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (3)         if (&User-Name =~ /\.\./ ) {
> (3)         if (&User-Name =~ /\.\./ )  -> FALSE
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (3)         if (&User-Name =~ /\.$/)  {
> (3)         if (&User-Name =~ /\.$/)   -> FALSE
> (3)         if (&User-Name =~ /@\./)  {
> (3)         if (&User-Name =~ /@\./)   -> FALSE
> (3)       } # if (&User-Name)  = notfound
> (3)     } # policy filter_username = notfound
> (3)     [preprocess] = ok
> (3)     [chap] = noop
> (3)     [mschap] = noop
> (3)     [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3)     [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 8 length 368
> (3) eap: Continuing tunnel setup
> (3)     [eap] = ok
> (3)   } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3)   authenticate {
> (3) eap: Expiring EAP session with state 0x792e58447b264188
> (3) eap: Finished EAP session with state 0x792e58447b264188
> (3) eap: Previous EAP request found for state 0x792e58447b264188, released
> from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes
> (3) eap_peap: Got complete TLS record (358 bytes)
> (3) eap_peap: [eaptls verify] = length included
> (3) eap_peap: TLS_accept: SSLv3/TLS write server done
> (3) eap_peap: <<< recv TLS 1.2  [length 0106]
> (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
> (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
> (3) eap_peap: <<< recv TLS 1.2  [length 0010]
> (3) eap_peap: TLS_accept: SSLv3/TLS read finished
> (3) eap_peap: >>> send TLS 1.2  [length 0001]
> (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
> (3) eap_peap: >>> send TLS 1.2  [length 0010]
> (3) eap_peap: TLS_accept: SSLv3/TLS write finished
> (3) eap_peap: (other): SSL negotiation finished successfully
> (3) eap_peap: SSL Connection Established
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 9 length 97
> (3) eap: EAP session adding &reply:State = 0x792e58447a274188
> (3)     [eap] = handled
> (3)   } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found.  Ignoring.
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (3)   EAP-Message =
> 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273
> (3)   Message-Authenticator = 0x00000000000000000000000000000000
> (3)   State = 0x792e58447a274188d729d5f4b5ba04a4
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 41 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 183
> (4)   User-Name = "particle"
> (4)   NAS-IP-Address = 192.168.1.38
> (4)   NAS-Identifier = "b4fbe4c348ab"
> (4)   NAS-Port = 0
> (4)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (4)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (4)   Framed-MTU = 1400
> (4)   NAS-Port-Type = Wireless-802.11
> (4)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (4)   EAP-Message = 0x020900061900
> (4)   State = 0x792e58447a274188d729d5f4b5ba04a4
> (4)   Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (4)   authorize {
> (4)     policy filter_username {
> (4)       if (&User-Name) {
> (4)       if (&User-Name)  -> TRUE
> (4)       if (&User-Name)  {
> (4)         if (&User-Name =~ / /) {
> (4)         if (&User-Name =~ / /)  -> FALSE
> (4)         if (&User-Name =~ /@[^@]*@/ ) {
> (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (4)         if (&User-Name =~ /\.\./ ) {
> (4)         if (&User-Name =~ /\.\./ )  -> FALSE
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (4)         if (&User-Name =~ /\.$/)  {
> (4)         if (&User-Name =~ /\.$/)   -> FALSE
> (4)         if (&User-Name =~ /@\./)  {
> (4)         if (&User-Name =~ /@\./)   -> FALSE
> (4)       } # if (&User-Name)  = notfound
> (4)     } # policy filter_username = notfound
> (4)     [preprocess] = ok
> (4)     [chap] = noop
> (4)     [mschap] = noop
> (4)     [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4)     [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 9 length 6
> (4) eap: Continuing tunnel setup
> (4)     [eap] = ok
> (4)   } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4)   authenticate {
> (4) eap: Expiring EAP session with state 0x792e58447a274188
> (4) eap: Finished EAP session with state 0x792e58447a274188
> (4) eap: Previous EAP request found for state 0x792e58447a274188, released
> from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
> (4) eap_peap: [eaptls verify] = success
> (4) eap_peap: [eaptls process] = success
> (4) eap_peap: Session established.  Decoding tunneled attributes
> (4) eap_peap: PEAP state TUNNEL ESTABLISHED
> (4) eap: Sending EAP Request (code 1) ID 10 length 75
> (4) eap: EAP session adding &reply:State = 0x792e58447d244188
> (4)     [eap] = handled
> (4)   } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found.  Ignoring.
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (4)   EAP-Message =
> 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9
> (4)   Message-Authenticator = 0x00000000000000000000000000000000
> (4)   State = 0x792e58447d244188d729d5f4b5ba04a4
> (4) Finished request
> Waking up in 4.8 seconds.
> (5) Received Access-Request Id 42 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 252
> (5)   User-Name = "particle"
> (5)   NAS-IP-Address = 192.168.1.38
> (5)   NAS-Identifier = "b4fbe4c348ab"
> (5)   NAS-Port = 0
> (5)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (5)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (5)   Framed-MTU = 1400
> (5)   NAS-Port-Type = Wireless-802.11
> (5)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (5)   EAP-Message =
> 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7
> (5)   State = 0x792e58447d244188d729d5f4b5ba04a4
> (5)   Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (5)   authorize {
> (5)     policy filter_username {
> (5)       if (&User-Name) {
> (5)       if (&User-Name)  -> TRUE
> (5)       if (&User-Name)  {
> (5)         if (&User-Name =~ / /) {
> (5)         if (&User-Name =~ / /)  -> FALSE
> (5)         if (&User-Name =~ /@[^@]*@/ ) {
> (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)         if (&User-Name =~ /\.\./ ) {
> (5)         if (&User-Name =~ /\.\./ )  -> FALSE
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (5)         if (&User-Name =~ /\.$/)  {
> (5)         if (&User-Name =~ /\.$/)   -> FALSE
> (5)         if (&User-Name =~ /@\./)  {
> (5)         if (&User-Name =~ /@\./)   -> FALSE
> (5)       } # if (&User-Name)  = notfound
> (5)     } # policy filter_username = notfound
> (5)     [preprocess] = ok
> (5)     [chap] = noop
> (5)     [mschap] = noop
> (5)     [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)     [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 75
> (5) eap: Continuing tunnel setup
> (5)     [eap] = ok
> (5)   } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5)   authenticate {
> (5) eap: Expiring EAP session with state 0x792e58447d244188
> (5) eap: Finished EAP session with state 0x792e58447d244188
> (5) eap: Previous EAP request found for state 0x792e58447d244188, released
> from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: [eaptls verify] = ok
> (5) eap_peap: Done initial handshake
> (5) eap_peap: [eaptls process] = ok
> (5) eap_peap: Session established.  Decoding tunneled attributes
> (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (5) eap_peap: Identity - particle
> (5) eap_peap: Got inner identity 'particle'
> (5) eap_peap: Setting default EAP type for tunneled EAP session
> (5) eap_peap: Got tunneled request
> (5) eap_peap:   EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap: Setting User-Name to particle
> (5) eap_peap: Sending tunneled request to inner-tunnel
> (5) eap_peap:   EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_peap:   User-Name = "particle"
> (5) Virtual server inner-tunnel received request
> (5)   EAP-Message = 0x020a000d017061727469636c65
> (5)   FreeRADIUS-Proxied-To = 127.0.0.1
> (5)   User-Name = "particle"
> (5) WARNING: Outer and inner identities are the same.  User privacy is
> compromised.
> (5) server inner-tunnel {
> (5)   # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5)     authorize {
> (5)       policy filter_username {
> (5)         if (&User-Name) {
> (5)         if (&User-Name)  -> TRUE
> (5)         if (&User-Name)  {
> (5)           if (&User-Name =~ / /) {
> (5)           if (&User-Name =~ / /)  -> FALSE
> (5)           if (&User-Name =~ /@[^@]*@/ ) {
> (5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)           if (&User-Name =~ /\.\./ ) {
> (5)           if (&User-Name =~ /\.\./ )  -> FALSE
> (5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (5)           if (&User-Name =~ /\.$/)  {
> (5)           if (&User-Name =~ /\.$/)   -> FALSE
> (5)           if (&User-Name =~ /@\./)  {
> (5)           if (&User-Name =~ /@\./)   -> FALSE
> (5)         } # if (&User-Name)  = notfound
> (5)       } # policy filter_username = notfound
> (5)       [chap] = noop
> (5)       [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)       [suffix] = noop
> (5)       update control {
> (5)         &Proxy-To-Realm := LOCAL
> (5)       } # update control = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 13
> (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (5)       [eap] = ok
> (5)     } # authorize = ok
> (5)   Found Auth-Type = eap
> (5)   # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5)     authenticate {
> (5) eap: Peer sent packet with method EAP Identity (1)
> (5) eap: Calling submodule eap_mschapv2 to process data
> (5) eap_mschapv2: Issuing Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 43
> (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992
> (5)       [eap] = handled
> (5)     } # authenticate = handled
> (5) } # server inner-tunnel
> (5) Virtual server sending reply
> (5)   EAP-Message =
> 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply code 11
> (5) eap_peap:   EAP-Message =
> 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply RADIUS code 11
> (5) eap_peap:   EAP-Message =
> 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled Access-Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 107
> (5) eap: EAP session adding &reply:State = 0x792e58447c254188
> (5)     [eap] = handled
> (5)   } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found.  Ignoring.
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (5)   EAP-Message =
> 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   State = 0x792e58447c254188d729d5f4b5ba04a4
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 43 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 300
> (6)   User-Name = "particle"
> (6)   NAS-IP-Address = 192.168.1.38
> (6)   NAS-Identifier = "b4fbe4c348ab"
> (6)   NAS-Port = 0
> (6)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (6)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (6)   Framed-MTU = 1400
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (6)   EAP-Message =
> 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818
> (6)   State = 0x792e58447c254188d729d5f4b5ba04a4
> (6)   Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (6)   authorize {
> (6)     policy filter_username {
> (6)       if (&User-Name) {
> (6)       if (&User-Name)  -> TRUE
> (6)       if (&User-Name)  {
> (6)         if (&User-Name =~ / /) {
> (6)         if (&User-Name =~ / /)  -> FALSE
> (6)         if (&User-Name =~ /@[^@]*@/ ) {
> (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)         if (&User-Name =~ /\.\./ ) {
> (6)         if (&User-Name =~ /\.\./ )  -> FALSE
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (6)         if (&User-Name =~ /\.$/)  {
> (6)         if (&User-Name =~ /\.$/)   -> FALSE
> (6)         if (&User-Name =~ /@\./)  {
> (6)         if (&User-Name =~ /@\./)   -> FALSE
> (6)       } # if (&User-Name)  = notfound
> (6)     } # policy filter_username = notfound
> (6)     [preprocess] = ok
> (6)     [chap] = noop
> (6)     [mschap] = noop
> (6)     [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)     [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 123
> (6) eap: Continuing tunnel setup
> (6)     [eap] = ok
> (6)   } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6)   authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x792e58447c254188
> (6) eap: Previous EAP request found for state 0x792e58447c254188, released
> from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: [eaptls verify] = ok
> (6) eap_peap: Done initial handshake
> (6) eap_peap: [eaptls process] = ok
> (6) eap_peap: Session established.  Decoding tunneled attributes
> (6) eap_peap: PEAP state phase2
> (6) eap_peap: EAP method MSCHAPv2 (26)
> (6) eap_peap: Got tunneled request
> (6) eap_peap:   EAP-Message =
> 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap: Setting User-Name to particle
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap:   EAP-Message =
> 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap:   User-Name = "particle"
> (6) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) Virtual server inner-tunnel received request
> (6)   EAP-Message =
> 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6)   FreeRADIUS-Proxied-To = 127.0.0.1
> (6)   User-Name = "particle"
> (6)   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) WARNING: Outer and inner identities are the same.  User privacy is
> compromised.
> (6) server inner-tunnel {
> (6)   session-state: No cached attributes
> (6)   # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     authorize {
> (6)       policy filter_username {
> (6)         if (&User-Name) {
> (6)         if (&User-Name)  -> TRUE
> (6)         if (&User-Name)  {
> (6)           if (&User-Name =~ / /) {
> (6)           if (&User-Name =~ / /)  -> FALSE
> (6)           if (&User-Name =~ /@[^@]*@/ ) {
> (6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)           if (&User-Name =~ /\.\./ ) {
> (6)           if (&User-Name =~ /\.\./ )  -> FALSE
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (6)           if (&User-Name =~ /\.$/)  {
> (6)           if (&User-Name =~ /\.$/)   -> FALSE
> (6)           if (&User-Name =~ /@\./)  {
> (6)           if (&User-Name =~ /@\./)   -> FALSE
> (6)         } # if (&User-Name)  = notfound
> (6)       } # policy filter_username = notfound
> (6)       [chap] = noop
> (6)       [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)       [suffix] = noop
> (6)       update control {
> (6)         &Proxy-To-Realm := LOCAL
> (6)       } # update control = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 67
> (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> (6)       [eap] = updated
> (6) files: users: Matched entry particle at line 1
> (6)       [files] = ok
> (6)       [expiration] = noop
> (6)       [logintime] = noop
> (6) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (6)       [pap] = noop
> (6)     } # authorize = updated
> (6)   Found Auth-Type = eap
> (6)   # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x9ed5137a9ede0992
> (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released
> from the list
> (6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (6) eap: Calling submodule eap_mschapv2 to process data
> (6) eap_mschapv2: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) eap_mschapv2:   authenticate {
> (6) mschap: Found Cleartext-Password, hashing to create NT-Password
> (6) mschap: Found Cleartext-Password, hashing to create LM-Password
> (6) mschap: Creating challenge hash with username: particle
> (6) mschap: Client is using MS-CHAPv2
> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
> (6)     [mschap] = reject
> (6)   } # authenticate = reject
> (6) eap: Sending EAP Failure (code 4) ID 11 length 4
> (6) eap: Freeing handler
> (6)       [eap] = reject
> (6)     } # authenticate = reject
> (6)   Failed to authenticate the user
> (6)   Using Post-Auth-Type Reject
> (6)   # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     Post-Auth-Type REJECT {
> (6) attr_filter.access_reject: EXPAND %{User-Name}
> (6) attr_filter.access_reject:    --> particle
> (6) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (6)       [attr_filter.access_reject] = updated
> (6)       update outer.session-state {
> (6)         &Module-Failure-Message := &request:Module-Failure-Message ->
> 'mschap: MS-CHAP2-Response is incorrect'
> (6)       } # update outer.session-state = noop
> (6)     } # Post-Auth-Type REJECT = updated
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6)   MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48
> V=3 M=Authentication failed"
> (6)   EAP-Message = 0x040b0004
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply code 3
> (6) eap_peap:   MS-CHAP-Error = "\013E=691 R=1
> C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap:   EAP-Message = 0x040b0004
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply RADIUS code 3
> (6) eap_peap:   MS-CHAP-Error = "\013E=691 R=1
> C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap:   EAP-Message = 0x040b0004
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Tunneled authentication was rejected
> (6) eap_peap: FAILURE
> (6) eap: Sending EAP Request (code 1) ID 12 length 75
> (6) eap: EAP session adding &reply:State = 0x792e58447f224188
> (6)     [eap] = handled
> (6)   } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found.  Ignoring.
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) session-state: Saving cached attributes
> (6)   Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect"
> (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to
> 192.168.1.38:52437 length 0
> (6)   EAP-Message =
> 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6)   State = 0x792e58447f224188d729d5f4b5ba04a4
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 44 from 192.168.1.38:52437 to
> 192.168.1.33:1812 length 252
> (7)   User-Name = "particle"
> (7)   NAS-IP-Address = 192.168.1.38
> (7)   NAS-Identifier = "b4fbe4c348ab"
> (7)   NAS-Port = 0
> (7)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (7)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (7)   Framed-MTU = 1400
> (7)   NAS-Port-Type = Wireless-802.11
> (7)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (7)   EAP-Message =
> 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea
> (7)   State = 0x792e58447f224188d729d5f4b5ba04a4
> (7)   Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7
> (7) Restoring &session-state
> (7)   &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response
> is incorrect"
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (7)   authorize {
> (7)     policy filter_username {
> (7)       if (&User-Name) {
> (7)       if (&User-Name)  -> TRUE
> (7)       if (&User-Name)  {
> (7)         if (&User-Name =~ / /) {
> (7)         if (&User-Name =~ / /)  -> FALSE
> (7)         if (&User-Name =~ /@[^@]*@/ ) {
> (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)         if (&User-Name =~ /\.\./ ) {
> (7)         if (&User-Name =~ /\.\./ )  -> FALSE
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (7)         if (&User-Name =~ /\.$/)  {
> (7)         if (&User-Name =~ /\.$/)   -> FALSE
> (7)         if (&User-Name =~ /@\./)  {
> (7)         if (&User-Name =~ /@\./)   -> FALSE
> (7)       } # if (&User-Name)  = notfound
> (7)     } # policy filter_username = notfound
> (7)     [preprocess] = ok
> (7)     [chap] = noop
> (7)     [mschap] = noop
> (7)     [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)     [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 12 length 75
> (7) eap: Continuing tunnel setup
> (7)     [eap] = ok
> (7)   } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   authenticate {
> (7) eap: Expiring EAP session with state 0x792e58447f224188
> (7) eap: Finished EAP session with state 0x792e58447f224188
> (7) eap: Previous EAP request found for state 0x792e58447f224188, released
> from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established.  Decoding tunneled attributes
> (7) eap_peap: PEAP state send tlv failure
> (7) eap_peap: Received EAP-TLV response
> (7) eap_peap:   The users session was previously rejected: returning
> reject (again.)
> (7) eap_peap:   This means you need to read the PREVIOUS messages in the
> debug output
> (7) eap_peap:   to find out the reason why the user was rejected
> (7) eap_peap:   Look for "reject" or "fail".  Those earlier messages will
> tell you
> (7) eap_peap:   what went wrong, and how to fix the problem
> (7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
> failed
> (7) eap: Sending EAP Failure (code 4) ID 12 length 4
> (7) eap: Failed in EAP select
> (7)     [eap] = invalid
> (7)   } # authenticate = invalid
> (7) Failed to authenticate the user
> (7) Using Post-Auth-Type Reject
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   Post-Auth-Type REJECT {
> (7) attr_filter.access_reject: EXPAND %{User-Name}
> (7) attr_filter.access_reject:    --> particle
> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (7)     [attr_filter.access_reject] = updated
> (7)     [eap] = noop
> (7)     policy remove_reply_message_if_eap {
> (7)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (7)       else {
> (7)         [noop] = noop
> (7)       } # else = noop
> (7)     } # policy remove_reply_message_if_eap = noop
> (7)   } # Post-Auth-Type REJECT = updated
> (7) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (7) Sending delayed response
> (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437
> length 44
> (7)   EAP-Message = 0x040c0004
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.7 seconds.
> (0) Cleaning up request packet ID 37 with timestamp +37
> (1) Cleaning up request packet ID 38 with timestamp +37
> (2) Cleaning up request packet ID 39 with timestamp +37
> Waking up in 0.1 seconds.
> (3) Cleaning up request packet ID 40 with timestamp +37
> (4) Cleaning up request packet ID 41 with timestamp +37
> (5) Cleaning up request packet ID 42 with timestamp +37
> (6) Cleaning up request packet ID 43 with timestamp +37
> (7) Cleaning up request packet ID 44 with timestamp +37
>
> Thanks in advance for any help.
>
> Will
>
> wjsteen at talktalk.net
>
>
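Added example, not part of the original messages and not FreeRADIUS code: a Python sketch that decodes the tunneled EAP-MSCHAPv2 Response and the MS-CHAP-Error value from request (6) in the debug output above, using the field layouts from the EAP-MSCHAPv2 draft and RFC 2759/RFC 2548. The function names are hypothetical; the two input values are copied from the quoted log.

```python
import re
import struct

# Constructed input: both values are copied from request (6) in the quoted debug log.
EAP_MESSAGE_HEX = ("020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd2"
                   "00000000000000005984d1f879ab5fb509b4d544552cb8d1"
                   "00815e7b9445e381007061727469636c65")
MS_CHAP_ERROR = (b"\x0bE=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 "
                 b"V=3 M=Authentication failed")  # "\013" in the log is byte 0x0b
# Failure codes from RFC 2759, section 6.
FAILURE_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}


def parse_mschapv2_response(raw: bytes) -> dict:
    """Decode an EAP-MSCHAPv2 Response packet (EAP type 26, OpCode 2)."""
    if len(raw) < 59:  # 10 header bytes + 49-byte Response value
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    code, eap_id, eap_len, eap_type, opcode, ms_id, ms_len, value_size = \
        struct.unpack("!BBHBBBHB", raw[:10])
    if (code, eap_type, opcode) != (2, 26, 2):
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if eap_len != len(raw) or ms_len != eap_len - 5 or value_size != 49:
        raise ValueError("inconsistent length fields")
    value = raw[10:59]
    return {"eap_id": eap_id, "mschapv2_id": ms_id,
            "peer_challenge": value[:16].hex(),
            "reserved_is_zero": value[16:24] == bytes(8),
            "nt_response": value[24:48].hex(),
            "flags": value[48],
            "name": raw[59:].decode("utf-8", "replace")}


def parse_mschap_error(attr: bytes) -> dict:
    """Split MS-CHAP-Error: 1-byte ident, then 'E=.. R=.. C=.. V=.. M=..'."""
    m = re.fullmatch(rb"E=(\d+) R=([01]) C=([0-9a-fA-F]{32}) V=(\d+)(?: M=(.*))?",
                     attr[1:], re.S)
    if m is None:
        raise ValueError("unexpected MS-CHAP-Error format")
    code = int(m.group(1))
    return {"ident": attr[0], "code": code,
            "meaning": FAILURE_CODES.get(code, "unknown"),
            "retry_allowed": m.group(2) == b"1",
            "new_challenge": m.group(3).decode(),
            "version": int(m.group(4)),
            "message": (m.group(5) or b"").decode("utf-8", "replace")}


if __name__ == "__main__":
    print(parse_mschapv2_response(bytes.fromhex(EAP_MESSAGE_HEX)))
    print(parse_mschap_error(MS_CHAP_ERROR))
```

The response decodes cleanly (consistent lengths, name "particle", 24-byte NT-Response), so the reject in the log reflects the NT-Response comparison itself rather than a malformed packet; E=691 is the generic authentication-failure code.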

