hi alan, thank you for reply. i google/found how to configure pc according to ch.4:
http://h17007.www1.hp.com/docs/interoperability/Microsoft/4AA2-1531EEE.pdf

on pc i have pop-up window which asks for credentials (username and pwd) and for pc i have defined following entry (deleted old one including mac):

gponpc3 Cleartext-Password := "pw4gponpc3"

it works (as expected) with radtest check:

bash-3.2$ sudo radtest gponpc3 pw4gponpc3 127.0.0.1 0 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 1812
        User-Name = "gponpc3"
        User-Password = "pw4gponpc3"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20

but when i enter that username/pwd on pc again same debug output obtained:

Ready to process requests.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
        NAS-IP-Address = 100.1.1.1
        NAS-Port-Id = "1.2"
        Framed-MTU = 1024
        User-Name = "00-02-A5-F8-70-29"
        Calling-Station-Id = "00-02-A5-F8-70-29"
        Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
        EAP-Message = 0x0279000c0167706f6e706333
        NAS-Identifier = "PENKALA"
        Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00-02-A5-F8-70-29", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 121 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00-02-A5-F8-70-29
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
Sending duplicate reply to client 10.223.0.131 port 65534 - ID: 16
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.7 seconds.
Cleaning up request 0 ID 16 with timestamp +44
Ready to process requests.

it seems that authenticator has field User-Name = "00-02-A5-F8-70-29" set according to RFC 3580, ch.3.1, regardless of what i define in users file:

3.1. User-Name

   In IEEE 802.1X, the Supplicant typically provides its identity via an
   EAP-Response/Identity message. Where available, the Supplicant
   identity is included in the User-Name attribute, and included in the
   RADIUS Access-Request and Access-Reply messages as specified in
   [RFC2865] and [RFC3579].

   Alternatively, as discussed in [RFC3579] Section 2.1., the User-Name  <------
   attribute may contain the Calling-Station-ID value, which is set to   <------
   the Supplicant MAC address.                                           <------

please can u comment again?

i have captured 2 wireshark traces:
-between server and authenticator
-between authenticator and supplicant

from wireshark trace (RADIUS_AUTH_SUPPLICANT.pcap) it can be observed that identity obtained from PC is gponpc3 (username i entered in pop-up window).

please let me know if u r interested to see those ws traces and how i can post it to you?
thank u in advance,
irena

--
View this message in context: http://freeradius.1045715.n5.nabble.com/PC-XP-SP2-with-802-1x-PEAP-authenticate-problem-tp4288722p4290719.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

