Hi, 

I am trying to authenticate my xsupplicant with freeradius using the PEAP option, 
but it seems to fail with the error message below. The complete debug message is 
attached to the email.

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for peerless with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


I have tried the following in my users file:

David User-Password=="freeradius"

---also

David Auth-Type=Local, Password = "freeradius"

Both do not seem to work. Please help me.

Regards,
Dev





      
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Feb  2 2010 at 
16:20:53
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
        allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost1 {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 10.191.8.187 {
        require_message_authenticator = no
        secret = "freeradius"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/usr/local/etc/raddb/certs/radsvr.key"
        certificate_file = "/usr/local/etc/raddb/certs/radsvrcert.pem"
        CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
        private_key_password = "freeradius"
        dh_file = "/usr/local/etc/raddb/certs/dh"
        random_file = "/usr/local/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/usr/local/etc/raddb/users"
        acctusersfile = "/usr/local/etc/raddb/acct_users"
        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        compat = "no"
  }
[/usr/local/etc/raddb/users]:2 WARNING! Changing 'Password =' to 'Password =='  
for comparing RADIUS attribute in check item list for user peerless
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/usr/local/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/usr/local/etc/raddb/huntgroups"
        hints = "/usr/local/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/usr/local/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=218, 
length=133
        EAP-Message = 0x0278000d01706565726c657373
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0x9a34285619913427b28390356ab86ce9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 120 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry peerless at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 218 to 10.191.8.187 port 1043
        EAP-Message = 0x017900061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c259bd585b25136bd92bdd8194
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=219, 
length=212
        EAP-Message = 
0x0279004a198000000040160301003b0100003703014bac01b65bd280b524127f2ec9cd3529375822647f190d4e7cc4cbfb7a217cd40000100035000a002f006200610009000800060100
        State = 0x59c441c259bd585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0x94d642fe3d19b1fd7bfe9a0e3495c8df
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 121 length 74
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 64
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 003b], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 0547], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 219 to 10.191.8.187 port 1043
        EAP-Message = 
0x017a03e419c000000584160301002a0200002603014bac011053ecdc2bcc89114ba7d4a1b616cf6e6ccff6341ca44bbde755e78cb60000350016030105470b00054300054000026730820263308201cca003020102020102300d06092a864886f70d0101050500306f310b3009060355040613025553310b3009060355040813024341310c300a060355040a13036b796f310d300b060355040b13046669726d311330110603550403130a43417574686f726974793121301f06092a864886f70d010901161243417574686f72697479406b796f2e636f6d301e170d3130303331393134353634355a170d3230303331363134353634355a3067310b30
        EAP-Message = 
0x09060355040613025553310b3009060355040813024341310c300a060355040a13036b796f310d300b060355040b13046669726d310f300d06035504031306726164737672311d301b06092a864886f70d010901160e726164737672406b796f2e636f6e30819f300d06092a864886f70d010101050003818d0030818902818100bc365d317b1b8d7b6f5d78184155c51d0bd04d6233e2ede02b706ae941ad3bac9d9315e7801734bfe31d28fae03ee7a7cb5fed8a8d4fdebc73ff3b08c4e5e7a165e53517f54b25ab079ea0da12697c3da541dd9f6153968a7097aaceb086ff152a3d3ed4e0736d367f19b09f4d396271569b698d453efd4908af357d
        EAP-Message = 
0xb88dc94f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100c493af84e9c7419fee18df55fc47dd237bbed5ba2830ed24fe59da8c0d5c740f8de040f299fea2fc7e30efb8be1208b3e72a2c119b1b33aee53f654225713cbef479467c6ddbfee232495025cedd4bfdcb5916701d5a889825c66a13a9e1792081351aaaf2d8d631872abc17cc4fd0670f29db219d4c8082fd61b1cc3eb5d0e10002d3308202cf30820238a003020102020100300d06092a864886f70d0101050500306f310b3009060355040613025553310b3009060355040813024341310c300a060355040a13
        EAP-Message = 
0x036b796f310d300b060355040b13046669726d311330110603550403130a43417574686f726974793121301f06092a864886f70d010901161243417574686f72697479406b796f2e636f6d301e170d3130303331393132353331305a170d3133303331383132353331305a306f310b3009060355040613025553310b3009060355040813024341310c300a060355040a13036b796f310d300b060355040b13046669726d311330110603550403130a43417574686f726974793121301f06092a864886f70d010901161243417574686f72697479406b796f2e636f6d30819f300d06092a864886f70d01010105
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c258be585b25136bd92bdd8194
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=220, 
length=144
        EAP-Message = 0x027a00061900
        State = 0x59c441c258be585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0xfe8e7370f7e32d16b8b0ad534ac28007
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 122 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.191.8.187 port 1043
        EAP-Message = 
0x017b01b019000003818d0030818902818100f431f44a612e2bb7793c26b8daca34458640afb273fe35d1577b1afd1b839d8d9c582e30a36f6cdf91e36af33eee71feb1d462dfb823d2c92cfa8029bacf9b5bf5efa82d0790cf7a7996dbfca64737604755fa45744d66f99882d081d7fae22612062965980ae15abffb42cc0dd8b096084dce3217fae625703b6c6c82dacaaf0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143322547284e62888df78fd3ed0a2cbfc8119fa89301f0603551d23041830
        EAP-Message = 
0x1680143322547284e62888df78fd3ed0a2cbfc8119fa89300d06092a864886f70d01010505000381810099182fbdab91eff962b5ab1a10f86b9df7b80f0ee7326a1b4189cbaefb6fb0ef85bcfea069a61df3da9bd3dcdc4944d09d9fd9083621e4ae28d970a66ec64935ef758e0347a549c4bd6b235db15aae71f71820db96c974f52a0f005df335d072cf7f7a90ec55a09577eb924f0ce150357090fb8136142194349a6ecb20ee53fd16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c25bbf585b25136bd92bdd8194
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=221, 
length=346
        EAP-Message = 
0x027b00d01980000000c6160301008610000082008090e3031a1fba7c4bb2810f59c4321988338c37b6faaf9bc53fb7cee5f37dc5eb4f0dbea3c31f932d253798feedaec37e584eb4e9888c7db00d055cc049b4c0210fc1928de9293c9d9c1a370523841e9f3832072327a197dd954646c9fd14ca908f66506d28218094ea498d1f6fcb314f4fd001eb31649161e97ce1ddaa7900b41403010001011603010030e5a47a7e5b7498ccc7a2514377f2d5cbf36d7ef0cb92e0650a4c2238d454f3f653ec64e682571a027fc1c702625af0d2
        State = 0x59c441c25bbf585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0xdc5b448f013c2e8d808a04ceed71f511
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 123 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 221 to 10.191.8.187 port 1043
        EAP-Message = 
0x017c004119001403010001011603010030b8dbd9097cc00c7319cad1de80e17e06769705c47a43a83f7f2d0efc92e7109622cfef013e1715337182f6ddb8abbf29
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c25ab8585b25136bd92bdd8194
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=222, 
length=144
        EAP-Message = 0x027c00061900
        State = 0x59c441c25ab8585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0x53d84d386a1bae7e2548471018ad52c7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 124 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 222 to 10.191.8.187 port 1043
        EAP-Message = 
0x017d002b190017030100209be66540fd3e4c4201e83e335e47a28db6080dfe0da8c64808cccb0277ec67d9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c25db9585b25136bd92bdd8194
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=223, 
length=181
        EAP-Message = 
0x027d002b1900170301002033edb41d4329868b07bd7568fb6d0f88c1e97847920e52cf03e47057503407f5
        State = 0x59c441c25db9585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0xa039a0d3acca90e73c6b324deb99c979
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 125 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - peerless
[peap] Got tunneled request
        EAP-Message = 0x027d000d01706565726c657373
server  {
  PEAP: Got tunneled identity of peerless
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to peerless
Sending tunneled request
        EAP-Message = 0x027d000d01706565726c657373
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "peerless"
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 125 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry peerless at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server 
[peap] Got tunneled reply code 11
        EAP-Message = 
0x017e00221a017e001d10d8079450962cc1acab8ca4f7d9bf14f4706565726c657373
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76a3517276dd4b5ba1c35b6147edd1dd
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 
0x017e00221a017e001d10d8079450962cc1acab8ca4f7d9bf14f4706565726c657373
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76a3517276dd4b5ba1c35b6147edd1dd
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 223 to 10.191.8.187 port 1043
        EAP-Message = 
0x017e004b19001703010040ce0772ea79e39d719a5ce94a5a7bc0a2f760d4acc5b25762445c2565412ad8803b3224ab2cd924b68e1f8b957fcfa11d0e263b647b31fb82495a521b6c36066b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c25cba585b25136bd92bdd8194
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=224, 
length=245
        EAP-Message = 
0x027e006b19001703010060e9365a33f94c8a55cf183ea767a39e0f2e11dd5337a11d155bbc3a4bbf72fecb97985ea4e0ef1164ba3e4c0eb04c4e2187734ea25586d72f1f5c7e103a5800ce5687f189e48d26198cc15c2f93beabee470c77700befec32576a5e273fb996df
        State = 0x59c441c25cba585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0xa3fa1825ff6ecc60c2a1b93cf5b8f8bb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 126 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 
0x027e00431a027e003e314f0777c0f0479c62bb74bd8d199efa110000000000000000b07dc25862205d9266ef4f301fea22902f8d4ab8b5de92eb00706565726c657373
server  {
  PEAP: Setting User-Name to peerless
Sending tunneled request
        EAP-Message = 
0x027e00431a027e003e314f0777c0f0479c62bb74bd8d199efa110000000000000000b07dc25862205d9266ef4f301fea22902f8d4ab8b5de92eb00706565726c657373
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "peerless"
        State = 0x76a3517276dd4b5ba1c35b6147edd1dd
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 126 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry peerless at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for peerless with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server 
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "~E=691 R=1"
        EAP-Message = 0x047e0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "~E=691 R=1"
        EAP-Message = 0x047e0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 224 to 10.191.8.187 port 1043
        EAP-Message = 
0x017f002b19001703010020d6712bd8530292efd97a8312456b25b4d41718f346c84d85c2f0adecab2018b3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x59c441c25fbb585b25136bd92bdd8194
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.191.8.187 port 1043, id=225, 
length=181
        EAP-Message = 
0x027f002b19001703010020a71e955ceea48d28108aadfbccbcfcba9cdf6c91420f07ec6e9e5fb39fb7f112
        State = 0x59c441c25fbb585b25136bd92bdd8194
        NAS-Port-Type = Ethernet
        User-Name = "peerless"
        NAS-IP-Address = 10.191.8.187
        NAS-Port = 2
        Framed-MTU = 1000
        NAS-Port-Id = "Port 2"
        Calling-Station-Id = "00-c0-ee-4c-2f-d9"
        Called-Station-Id = "00-22-6b-33-ee-0d"
        Message-Authenticator = 0x81e5312e4b863b70be849cb44eb2c6fc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peerless", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 127 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> peerless
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 225 to 10.191.8.187 port 1043
        EAP-Message = 0x047f0004
        Message-Authenticator = 0x00000000000000000000000000000000
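
The warnings in the debug output above ("Found User-Password == ...", "No Cleartext-Password configured") concern the check items in the users file. As an added example, not part of the original post or of FreeRADIUS, this Python script lints users-file entries for a credential that the mschap module can verify MS-CHAPv2 against. The first two sample entries are the ones quoted in the post; the `alice` entry, the finding codes and the function names are constructed for illustration.

```python
import re

# Check items that give the server a "known good" credential for MS-CHAPv2.
# The debug output names all three: Cleartext-Password, NT-Password, LM-Password.
KNOWN_GOOD = {"Cleartext-Password", "NT-Password", "LM-Password"}
# These hold what the client sent in the request, not what the server knows.
REQUEST_PASSWORD = {"User-Password", "Password"}

# attribute, operator, then a quoted or bare value
ITEM_RE = re.compile(
    r'([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)'
)

# Finding codes (constructed for this example) and what they mean.
EXPLAIN = {
    "REQUEST_PASSWORD_AS_CHECK":
        "User-Password/Password is compared with the request; inside PEAP "
        "the request carries an MS-CHAPv2 response, not a password",
    "KNOWN_GOOD_COMPARED":
        "password attribute is compared ('==') instead of set (':=')",
    "NO_KNOWN_GOOD":
        "no Cleartext-Password or NT-Password set, so mschap has nothing "
        "to verify the response against",
}


def parse_entries(text):
    """Yield (line_number, user, [(attribute, operator), ...]) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw[0].isspace() or raw.lstrip().startswith("#"):
            continue  # blank line, indented reply item, or comment
        fields = raw.split(None, 1)
        rest = fields[1] if len(fields) > 1 else ""
        # Values are dropped here so passwords never reach the report.
        items = [(m.group(1), m.group(2)) for m in ITEM_RE.finditer(rest)]
        yield lineno, fields[0], items


def check_items(items):
    """Return the finding codes for one entry's check items."""
    codes = []
    known_good = False
    for attr, op in items:
        if attr in REQUEST_PASSWORD:
            codes.append("REQUEST_PASSWORD_AS_CHECK")
        elif attr in KNOWN_GOOD:
            if op in (":=", "="):
                known_good = True
            else:
                codes.append("KNOWN_GOOD_COMPARED")
    if not known_good:
        codes.append("NO_KNOWN_GOOD")
    return codes


def lint_users(text):
    """Lint every named entry; DEFAULT entries normally carry no password."""
    return [
        (lineno, user, check_items(items))
        for lineno, user, items in parse_entries(text)
        if user != "DEFAULT"
    ]


# Sample input: lines 1 and 2 are quoted from the post, line 3 is constructed.
# NT-Password (the NT hash) also works if cleartext storage is unwanted.
SAMPLE_USERS = '''David User-Password=="freeradius"
David Auth-Type=Local, Password = "freeradius"
alice Cleartext-Password := "example-only"
'''

if __name__ == "__main__":
    for lineno, user, codes in lint_users(SAMPLE_USERS):
        status = "ok" if not codes else "PROBLEM"
        print(f"users:{lineno} {user}: {status}")
        for code in codes:
            print(f"    {code}: {EXPLAIN[code]}")
```
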