freeradius 3.0 with its local user database + Cisco WLC + PEAP
Maciej Waliszko
mwaliszko at gmail.com
Mon Jan 16 14:30:51 UTC 2023
Hello,
I am trying to configure the above. Here is what I have done so far.
1) Cisco WLC was configured
2) freeradius 3.0 was installed on a Debian machine
a) Cisco WLC IPv4 address was added as a client to freeradius
/etc/freeradius/3.0/clients.conf
b) A few local users were added to users file
/etc/freeradius/3.0/users
3) Whenever I try to use the below command on the WLC
test aaa group radius joe.doe pa44w0rd new-code
I am successfully authenticated. However, this is going as PAP.
4) Any request from the wifi client is not going through because it is
PEAP-MSCHAP.
Currently 'freeradius -X' gives me the following:
(39) Cisco-AVPair = "vlan-id=101"
(39) NAS-IP-Address = 172.16.100.10
(39) NAS-Port-Id = "capwap_90000004"
(39) NAS-Port-Type = Wireless-802.11
(39) NAS-Port = 5
(39) State = 0x8afb70f28ffc69b5cf854ba7abc363a9
(39) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(39) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(39) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(39) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(39) Airespace-Wlan-Id = 4
(39) NAS-Identifier = "WLC9120-NEFO"
(39) WLAN-Group-Cipher = 1027076
(39) WLAN-Pairwise-Cipher = 1027076
(39) WLAN-AKM-Suite = 1027075
(39) WLAN-Group-Mgmt-Cipher = 1027078
(39) session-state: No cached attributes
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /@\./) {
(39) if (&User-Name =~ /@\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [preprocess] = ok
(39) [chap] = noop
(39) [mschap] = noop
(39) [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 51
(39) eap: Continuing tunnel setup
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) authenticate {
(39) eap: Expiring EAP session with state 0x8afb70f28ffc69b5
(39) eap: Finished EAP session with state 0x8afb70f28ffc69b5
(39) eap: Previous EAP request found for state 0x8afb70f28ffc69b5, released
from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: [eaptls verify] = ok
(39) eap_peap: Done initial handshake
(39) eap_peap: [eaptls process] = ok
(39) eap_peap: Session established. Decoding tunneled attributes
(39) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(39) eap_peap: Identity - joe.doe
(39) eap_peap: Got inner identity 'joe.doe'
(39) eap_peap: Setting default EAP type for tunneled EAP session
(39) eap_peap: Got tunneled request
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: Setting User-Name to joe.doe
(39) eap_peap: Sending tunneled request to inner-tunnel
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(39) eap_peap: User-Name = "joe.doe"
(39) Virtual server inner-tunnel received request
(39) EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) FreeRADIUS-Proxied-To = 127.0.0.1
(39) User-Name = "joe.doe"
(39) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(39) server inner-tunnel {
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /@\./) {
(39) if (&User-Name =~ /@\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [chap] = noop
(39) [mschap] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) update control {
(39) &Proxy-To-Realm := LOCAL
(39) } # update control = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 20
(39) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authenticate {
(39) eap: Peer sent packet with method EAP Identity (1)
(39) eap: Calling submodule eap_mschapv2 to process data
(39) eap_mschapv2: Issuing Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 43
(39) eap: EAP session adding &reply:State = 0xa779f0bba771eab5
(39) [eap] = handled
(39) } # authenticate = handled
(39) } # server inner-tunnel
(39) Virtual server sending reply
(39) EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply RADIUS code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled Access-Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 74
(39) eap: EAP session adding &reply:State = 0x8afb70f28cf369b5
(39) [eap] = handled
(39) } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) Challenge { ... } # empty sub-section is ignored
(39) Sent Access-Challenge Id 249 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(39) EAP-Message =
0x0108004a1900170303003fcc5b8334628ab37aa89b123da75ca7c75fd530ecc021320acc07bdc59b19d161f36ee6151578b5fa7487e0d86eb2dee898bde53e74baca61f9c67ccd045dc0
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(39) Finished request
Waking up in 4.9 seconds.
(38) Cleaning up request packet ID 248 with timestamp +985
(40) Received Access-Request Id 248 from 172.16.100.10:65092 to
10.222.34.11:1812 length 538
(40) User-Name = "joe.doe"
(40) Service-Type = Framed-User
(40) Cisco-AVPair = "service-type=Framed"
(40) Framed-MTU = 1485
(40) EAP-Message =
0x020800691900170303005e89bf7fdf3bb86e3e467aef6b8988848fce28ba903c8c18014db6390e35aea1dfefd7abf64b8bc29c5f574a83dc3a850169b6de84430922b3617bbd5bef2f8ab879603c7c43c1940ed4e61b724f2bfde0d24c7f7c8fc3eb9c05f74ce8cccd
(40) Message-Authenticator = 0x928deedf5800d89e75d47b6c4ff5f004
(40) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(40) Cisco-AVPair = "method=dot1x"
(40) Cisco-AVPair = "client-iif-id=2852134698"
(40) Cisco-AVPair = "vlan-id=101"
(40) NAS-IP-Address = 172.16.100.10
(40) NAS-Port-Id = "capwap_90000004"
(40) NAS-Port-Type = Wireless-802.11
(40) NAS-Port = 5
(40) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(40) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(40) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(40) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(40) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(40) Airespace-Wlan-Id = 4
(40) NAS-Identifier = "WLC9120-NEFO"
(40) WLAN-Group-Cipher = 1027076
(40) WLAN-Pairwise-Cipher = 1027076
(40) WLAN-AKM-Suite = 1027075
(40) WLAN-Group-Mgmt-Cipher = 1027078
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /@\./) {
(40) if (&User-Name =~ /@\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [preprocess] = ok
(40) [chap] = noop
(40) [mschap] = noop
(40) [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 105
(40) eap: Continuing tunnel setup
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0x8afb70f28cf369b5
(40) eap: Previous EAP request found for state 0x8afb70f28cf369b5, released
from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: [eaptls verify] = ok
(40) eap_peap: Done initial handshake
(40) eap_peap: [eaptls process] = ok
(40) eap_peap: Session established. Decoding tunneled attributes
(40) eap_peap: PEAP state phase2
(40) eap_peap: EAP method MSCHAPv2 (26)
(40) eap_peap: Got tunneled request
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: Setting User-Name to joe.doe
(40) eap_peap: Sending tunneled request to inner-tunnel
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(40) eap_peap: User-Name = "joe.doe"
(40) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(40) Virtual server inner-tunnel received request
(40) EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) FreeRADIUS-Proxied-To = 127.0.0.1
(40) User-Name = "joe.doe"
(40) State = 0xa779f0bba771eab5fa1472a70f642a70
(40) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(40) server inner-tunnel {
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /@\./) {
(40) if (&User-Name =~ /@\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [chap] = noop
(40) [mschap] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) update control {
(40) &Proxy-To-Realm := LOCAL
(40) } # update control = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 74
(40) eap: No EAP Start, assuming it's an on-going EAP conversation
(40) [eap] = updated
(40) files: users: Matched entry joe.doe at line 91
(40) [files] = ok
rlm_ldap (ldap): Reserved connection (17)
(40) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(40) ldap: --> (uid=joe.doe)
(40) ldap: Performing search in "dc=netformers,dc=local" with filter
"(uid=joe.doe)", scope "sub"
(40) ldap: Waiting for search result...
(40) ldap: User object found at DN "uid=joe.doe,dc=netformers,dc=local"
(40) ldap: Processing user attributes
rlm_ldap (ldap): Released connection (17)
(40) [ldap] = ok
(40) [expiration] = noop
(40) [logintime] = noop
(40) pap: WARNING: Auth-Type already set. Not setting to PAP
(40) [pap] = noop
(40) } # authorize = updated
(40) Found Auth-Type = eap
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0xa779f0bba771eab5
(40) eap: Previous EAP request found for state 0xa779f0bba771eab5, released
from the list
(40) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(40) eap: Calling submodule eap_mschapv2 to process data
(40) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) eap_mschapv2: authenticate {
(40) mschap: Found Cleartext-Password, hashing to create NT-Password
(40) mschap: Found Cleartext-Password, hashing to create LM-Password
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: Client is using MS-CHAPv2
(40) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(40) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(40) mschap: --> --username=joe.doe
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(40) mschap: --> --challenge=ab5d475d8e18b55f
(40) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(40) mschap: -->
--nt-response=e4fff9f3543da30667451659b4a7598166306e0f8b66215c
(40) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(40) mschap: External script failed
(40) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(40) mschap: ERROR: MS-CHAP2-Response is incorrect
(40) [mschap] = reject
(40) } # authenticate = reject
(40) eap: Sending EAP Failure (code 4) ID 8 length 4
(40) eap: Freeing handler
(40) [eap] = reject
(40) } # authenticate = reject
(40) Failed to authenticate the user
(40) Using Post-Auth-Type Reject
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) Post-Auth-Type REJECT {
(40) attr_filter.access_reject: EXPAND %{User-Name}
(40) attr_filter.access_reject: --> joe.doe
(40) attr_filter.access_reject: Matched entry DEFAULT at line 11
(40) [attr_filter.access_reject] = updated
(40) update outer.session-state {
(40) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: Program returned code (1) and output \'The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)\''
(40) } # update outer.session-state = noop
(40) } # Post-Auth-Type REJECT = updated
(40) } # server inner-tunnel
(40) Virtual server sending reply
(40) MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01
V=3 M=Authentication rejected"
(40) EAP-Message = 0x04080004
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply RADIUS code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Tunneled authentication was rejected
(40) eap_peap: FAILURE
(40) eap: Sending EAP Request (code 1) ID 9 length 46
(40) eap: EAP session adding &reply:State = 0x8afb70f28df269b5
(40) [eap] = handled
(40) } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) Challenge { ... } # empty sub-section is ignored
(40) session-state: Saving cached attributes
(40) Module-Failure-Message := "mschap: Program returned code (1) and
output 'The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc000006d)'"
(40) Sent Access-Challenge Id 248 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(40) EAP-Message =
0x0109002e19001703030023cc5b8334628ab37bb472f1e4b99ece77d59027ce510b3ac1d5025c03cc60b794d73259
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0x8afb70f28df269b5cf854ba7abc363a9
(40) Finished request
Waking up in 4.9 seconds.
(39) Cleaning up request packet ID 249 with timestamp +985
(41) Received Access-Request Id 249 from 172.16.100.10:65092 to
10.222.34.11:1812 length 479
(41) User-Name = "joe.doe"
(41) Service-Type = Framed-User
(41) Cisco-AVPair = "service-type=Framed"
(41) Framed-MTU = 1485
(41) EAP-Message =
0x0209002e1900170303002389bf7fdf3bb86e3fb7a4f82750437b28a44f01b7420ad299cf3bc0490d9e73ab33590b
(41) Message-Authenticator = 0xa8d0b6155902a4394dfc46e21888f099
(41) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(41) Cisco-AVPair = "method=dot1x"
(41) Cisco-AVPair = "client-iif-id=2852134698"
(41) Cisco-AVPair = "vlan-id=101"
(41) NAS-IP-Address = 172.16.100.10
(41) NAS-Port-Id = "capwap_90000004"
(41) NAS-Port-Type = Wireless-802.11
(41) NAS-Port = 5
(41) State = 0x8afb70f28df269b5cf854ba7abc363a9
(41) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(41) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(41) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(41) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(41) Airespace-Wlan-Id = 4
(41) NAS-Identifier = "WLC9120-NEFO"
(41) WLAN-Group-Cipher = 1027076
(41) WLAN-Pairwise-Cipher = 1027076
(41) WLAN-AKM-Suite = 1027075
(41) WLAN-Group-Mgmt-Cipher = 1027078
(41) Restoring &session-state
(41) &session-state:Module-Failure-Message := "mschap: Program returned
code (1) and output 'The attempted logon is invalid. This is either due to
a bad username or authentication information. (0xc000006d)'"
(41) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /@\./) {
(41) if (&User-Name =~ /@\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [preprocess] = ok
(41) [chap] = noop
(41) [mschap] = noop
(41) [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 9 length 46
(41) eap: Continuing tunnel setup
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) authenticate {
(41) eap: Expiring EAP session with state 0x8afb70f28df269b5
(41) eap: Finished EAP session with state 0x8afb70f28df269b5
(41) eap: Previous EAP request found for state 0x8afb70f28df269b5, released
from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established. Decoding tunneled attributes
(41) eap_peap: PEAP state send tlv failure
(41) eap_peap: Received EAP-TLV response
(41) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(41) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(41) eap_peap: to find out the reason why the user was rejected
(41) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(41) eap_peap: what went wrong, and how to fix the problem
(41) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(41) eap: Sending EAP Failure (code 4) ID 9 length 4
(41) eap: Failed in EAP select
(41) [eap] = invalid
(41) } # authenticate = invalid
(41) Failed to authenticate the user
(41) Using Post-Auth-Type Reject
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) Post-Auth-Type REJECT {
(41) attr_filter.access_reject: EXPAND %{User-Name}
(41) attr_filter.access_reject: --> joe.doe
(41) attr_filter.access_reject: Matched entry DEFAULT at line 11
(41) [attr_filter.access_reject] = updated
(41) [eap] = noop
(41) policy remove_reply_message_if_eap {
(41) if (&reply:EAP-Message && &reply:Reply-Message) {
(41) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(41) else {
(41) [noop] = noop
(41) } # else = noop
(41) } # policy remove_reply_message_if_eap = noop
(41) } # Post-Auth-Type REJECT = updated
(41) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(41) Sending delayed response
(41) Sent Access-Reject Id 249 from 10.222.34.11:1812 to 172.16.100.10:65092
length 44
(41) EAP-Message = 0x04090004
(41) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Can anyone shed some light on this and point me in the right direction as to
what else I should do?
All the examples I am able to find on the internet use AD/samba as the
database for freeradius, which is not the case here.