Hi,

Firstly, we are using FreeRADIUS for all kinds of authentication - and it works very well!! -> Good job to all of you.

But lately we have had some EAP problems, mostly with Windows clients.
If a user has authenticated correctly, after some time he gets disconnected and tries to reauthenticate, but it fails - see the log.

I also have some questions about EAP in general. How should it work correctly? Because I see up to 10 Authentication-Requests until the client is authenticated correctly. For example, the client wants to do EAP-PEAP (Windows client), but the RADIUS says EAP-NAK:
     rlm_eap: Request found, released from the list
     rlm_eap: EAP NAK
    rlm_eap: EAP-NAK asked for EAP-Type/peap
     rlm_eap: processing type tls
     rlm_eap_tls: Initiate
     rlm_eap_tls: Start returned 1
     modcall[authenticate]: module "eap" returns handled for request 231
   modcall: leaving group authenticate (returns handled) for request 231
   Sending Access-Challenge ...
   Finished request 231

What does it mean? Can I tune the process?

Thank you all for your answers!
Best regards
   Florian Prester


Log:
rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202
       NAS-Port-Id = "2059/1"
       Calling-Station-Id = "00-15-00-01-C0-D1"
       Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
       Service-Type = Framed-User
       User-Name = "unrz06"
       State = 0x...
       EAP-Message = 0x...
       NAS-Port-Type = Wireless-802.11
       NAS-Identifier = "Trapeze"
       NAS-IP-Address = 131.188.4.190
       Message-Authenticator = 0x...
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 228
 modcall[authorize]: module "preprocess" returns ok for request 228
 modcall[authorize]: module "chap" returns noop for request 228
 modcall[authorize]: module "mschap" returns noop for request 228
 rlm_eap: EAP packet type response id 14 length 53
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 228
   users: Matched entry DEFAULT at line 12
 modcall[authorize]: module "files" returns ok for request 228
rlm_ldap: - authorize
 modcall[authorize]: module "ldap" returns ok for request 228
 modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 228
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 read finished A
   (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
 eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1)
Sending Access-Reject of id 35 to 131.188.4.190 port 20000
       EAP-Message = 0x040e0004
       Message-Authenticator = 0x00000000000000000000000000000000
Finished request 228


--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
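
The EAP-Message values in a debug log like the one above can be decoded against the packet layout in RFC 3748. The following is an added example, not part of the original post and not FreeRADIUS code: it decodes the EAP-Message from the Access-Reject in the log and a constructed legacy Nak that asks for PEAP. The function name `parse_eap` and the Nak sample bytes are assumptions made for illustration.

```python
import struct

# EAP codes and a few method types from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(hexstr):
    """Decode one EAP packet given as a hex string (optional 0x prefix)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length, "type": None, "nak_wants": []}
    # Success and Failure carry no type or data; Request/Response have a type byte.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        etype = raw[4]
        pkt["type"] = EAP_TYPES.get(etype, "Unknown(%d)" % etype)
        # A legacy Nak (type 3, Response only) lists the methods the peer accepts.
        if code == 2 and etype == 3:
            pkt["nak_wants"] = [EAP_TYPES.get(t, "Unknown(%d)" % t)
                                for t in raw[5:length]]
    return pkt


# EAP-Message from the Access-Reject in the log above.
REJECT = "0x040e0004"
# Constructed sample: Response, id 2, length 6, type Nak, desired type 25 (PEAP).
NAK_FOR_PEAP = "0x020200060319"

if __name__ == "__main__":
    for sample in (REJECT, NAK_FOR_PEAP):
        print(sample, parse_eap(sample))
```

The identifier decoded from the Access-Reject matches the `EAP packet type response id 14` line earlier in the same request.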
