Hi!
[EMAIL PROTECTED] wrote:
Hi,
Tue Feb 12 23:45:21 2008 : Error: Warning: Found 2 auth-types on request
for user '[EMAIL PROTECTED]'
Tue Feb 12 23:45:21 2008 : Debug: rad_check_password: Auth-Type = Accept,
accepting the user
Whoah. WinXP is very fussy (as all EAP clients should be) about getting a proper
EAP return. You seem to have thrown an 'Accept' straight back to the challenge
rather than let the EAP engine do its business.
Config file or startup debug output, please.
The config file is the same as the default example proxy-inner-tunnel in the
2.0.2 release, with only the realm name modified.
As I wrote before, the double Auth-Type was fixed by adding a post-proxy { eap }
part in proxy-inner-tunnel.
But authentication still fails. I got the following error:
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State
variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR
EAP-response to an unknown EAP-request
It comes after the second authentication in the eap module, after passing the
inner request to the virtual server.
xsupplicant receives EAP-MSCHAPv2 Success and sends phase 2 success back to
FreeRADIUS:
-----------------
[AUTH TYPE] (EAP-MSCHAPv2) Success!
[AUTH TYPE] Server authentication check success! Sending phase 2 success!
[AUTH TYPE] Unencrypted return frame :
000 | 1a 03 | ..
[AUTH TYPE] Encrypted return frame :
-----------------
FreeRADIUS debug output with failed authentication:
-----------------
rad_recv: Access-Request packet from host 192.168.2.3 port 8021, id=85,
length=279
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
User-Name = "[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
State = 0x827a1bd58a710287540fbc1db46cf1a2
EAP-Message =
0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9
c0d7c106de95b51101eb9e1b0c70949645a855cc206c
Message-Authenticator = 0x82efd03b0f271f621eb2677ebf3c5902
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[preprocess] returns ok
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling chap
(rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from chap
(rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[chap] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling mschap
(rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from mschap
(rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[mschap] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling suffix
(rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_realm: Looking up realm "mynet.net" for
User-Name = "[EMAIL PROTECTED]"
Thu Feb 14 16:42:06 2008 : Debug: rlm_realm: No such realm "mynet.net"
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from suffix
(rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[suffix] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap)
for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: EAP packet type response id 11
length 80
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Continuing tunnel setup.
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from eap
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns ok
Thu Feb 14 16:42:06 2008 : Debug: rad_check_password: Found Auth-Type EAP
Thu Feb 14 16:42:06 2008 : Debug: auth: type "EAP"
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: calling eap
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Request found, released from the
list
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: EAP/peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: processing type peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: Authenticate
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_tls: processing TLS
Thu Feb 14 16:42:06 2008 : Debug: eaptls_verify returned 7
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_tls: Done initial handshake
Thu Feb 14 16:42:06 2008 : Debug: eaptls_process returned 7
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: EAPTLS_OK
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: Session established.
Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 03
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020b00061a03
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Setting User-Name to aaa
PEAP: Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0xc858015dc9531b78fbe76e30aaba109e
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
PEAP: Got tunneled reply RADIUS code 0
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Calling authenticate in order to
initiate tunneled EAP session.
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: calling eap
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State
variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR
EAP-response to an unknown EAP-request
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Failed in handler
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: returned from eap
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Can't handle the return code 4
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Handler failed in EAP/peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Failed in EAP select
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: returned from eap
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: auth: Failed to validate the user.
Thu Feb 14 16:42:06 2008 : Auth: Login incorrect: [EMAIL PROTECTED]/<via Auth-Type = EAP>] (from client sw-local port 33
cli 00-a9-40-0f-83-a5)
-----------------
--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
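
Added example, not part of the original message and not FreeRADIUS code: a small Python decoder for the two EAP-Message values in the debug output above. It shows that the outer packet is a PEAP response (id 11, length 80) carrying two TLS records, and that the tunneled packet is an EAP-MSCHAPv2 response with opcode Success. The function names are hypothetical; the hex values are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def tls_records(data):
    """Walk TLS record headers (type, version, length); payloads stay opaque."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        records.append({"content_type": ctype, "version": (major, minor),
                        "length": rlen, "complete": pos + 5 + rlen <= len(data)})
        pos += 5 + rlen
    return records

def decode_eap(hex_value):
    """Decode the EAP header and, for PEAP or EAP-MSCHAPv2, one layer below it."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = EAP_TYPES.get(raw[4], raw[4])
        body = raw[5:length]
        if raw[4] == 26 and body:
            out["opcode"] = MSCHAPV2_OPCODES.get(body[0], body[0])
        elif raw[4] == 25 and body:
            out["flags"] = body[0]
            # With the L bit (0x80) set, a 4-byte TLS message length comes first.
            out["tls_records"] = tls_records(body[5:] if body[0] & 0x80 else body[1:])
    return out

# Outer EAP-Message from the Access-Request in the log (joined across the wrap).
OUTER = ("0x020b005019001703010020"
         "a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1"
         "1703010020"
         "88aaf69e118a31b4eac9c0d7c106de95b51101eb9e1b0c70949645a855cc206c")
# Tunneled EAP-Message from the "PEAP: Got tunneled EAP-Message" line.
INNER = "0x020b00061a03"

if __name__ == "__main__":
    for label, value in (("outer", OUTER), ("inner", INNER)):
        print(label, decode_eap(value))
```
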