Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok aland at
Mon Mar 23 01:22:24 CET 2020

On Mar 22, 2020, at 8:10 PM, Sam T <givemesam at> wrote:
> Thank you for that. Your right. I did not compile this freeradius server,
> so im working with something that has been modded heavily. But i did get in
> there, and add eap to authorize. that got it going. i loaded in eap.conf
> with the right mods too (changed md5 to tls).
> After reviewing the debug output, i think the router was sending the
> password inside "EAP-Message" or somehow mschapv2 is coming in as
> EAP-message? OR mikrotik is trying to pull a client cert from radius. im
> not sure....

  You need to be sure.  You can't configure the server to do unknown kinds of authentication.  And if you don't know what kind of authentication is being used, you don't know how to configure the server.

> this is after putting eap in authorize, and modding the eap.conf to point
> to the certs and md5>tls

  OK, that's a start.

> my desired goal is to get user/pass to work through EAP, with no client
> certs.

  That's not how EAP works.  The end-user system is the one which is choosing the EAP method to use.

  So... what EAP method is that system configured to use?  You need to know this.

> im not sure it is possible, but each reply i get from you, and then
> research more, gets me a few steps closer. i also wrote mikrotik to see if
> their setup is passing the password through EAP message, or their ignoring
> it, and the EAP-radius is designed for cert only, no passwords. but maybe
> you can tell when looking at the cert error below.
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Replacing User-Password in config items with Cleartext-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good" !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password.
> !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  As I said... fix that error.  Stop wasting your time doing other things, and do something which you KNOW will fix a problem.
>   1. Executing group from file /etc/freeradius/sites-enabled/server01.rad
>   +- entering group authenticate {...}
>   [eap] Request found, released from the list
>   [eap] EAP/tls
>   [eap] processing type tls
>   [tls] Authenticate
>   [tls] processing EAP-TLS
>   TLS Length 141
>   [tls] Length Included
>   [tls] eaptls_verify returned 11
>   [tls] <<< TLS 1.0 Handshake [length 0007], Certificate
>   [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
>   TLS Alert write:fatal:handshake failure
>   TLS_accept: error in SSLv3 read client certificate B
>   rlm_eap: SSL error error:140890C7:SSL
>   routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

  That's pretty clear.

  You told FreeRADIUS to ONLY do EAP-TLS.  And the other end won't do only EAP-TLS.

  You're pretty much randomly changing things in the hope that it will "fix" things.  It won't.

  You have to understand what the end-user system is doing.  You have to understand what are the limitations of the EAP type.  You have to understand how to configure FreeRADIUS to authenticate that EAP type.

  Right now, you know none of that.  But you're asking us for help.  Well, our help is that you MUST understand at least the first point.  If you don't, it's impossible for us to help you.

  Alan DeKok.

More information about the Freeradius-Users mailing list