Hi Mikael,

I've had a similar issue before with straightforward PPPoE authentication.
Login incorrect [rrr/]

Some users would log in and I would see something like you're seeing above. I'd get them to retype their username and everything would be fine. I'm not sure if gnu-radius chomps the username (removes any carriage returns or spaces from usernames), but it almost looks like that was the issue.

Anyways... it's an idea.

Martin

> Hi,
>
> I'm having problems getting my AP to auth with my radius. Below is various
> information.
>
> Windows client: (I'm trying to translate the Danish)
> WPA-Enterprise
> Encryption: TKIP
> Authentication method: PEAP (the other ones are chip or certificate)
> Don't validate server certificate
> EAP-MSCHAP v2 (Do not use Windows logon name and password)
> Under there are 3 check boxes, all turned off ....
>
> So ... Windows says this configuration is right and I get to type the
> username and password ... but it never gets to the RADIUS box, as you
> can see from the log files below ....
>
> If you need more information, I will happily supply it .... as I'm
> really lost here ... don't know if GNU Radius is even able to do it
> ... only time will tell, but I sure hope so :-)
>
> best regards
> Mikael Syska
>
> ----------------------
>
> Here is some debug information:
>
> Debug from the Cisco AP:
>
> Mar 25 22:54:16.617: RADIUS/ENCODE(000000A1):Orig. component type = DOT11
> Mar 25 22:54:16.617: RADIUS: AAA Unsupported Attr: ssid [263] 3
> Mar 25 22:54:16.617: RADIUS:  6F                  [o]
> Mar 25 22:54:16.617: RADIUS: AAA Unsupported Attr: location-name [530] 4
> Mar 25 22:54:16.617: RADIUS:  4F 45               [OE]
> Mar 25 22:54:16.618: RADIUS: AAA Unsupported Attr: interface [156] 3
> Mar 25 22:54:16.618: RADIUS:  34                  [4]
> Mar 25 22:54:16.618: RADIUS(000000A1): Storing nasport 412 in rad_db
> Mar 25 22:54:16.618: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> Mar 25 22:54:16.619: RADIUS/ENCODE(000000A1): acct_session_id: 161
> Mar 25 22:54:16.619: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> Mar 25 22:54:16.619: RADIUS(000000A1): sending
> Mar 25 22:54:16.619: RADIUS(000000A1): Send Access-Request to 172.17.4.1:1812 id 1645/31, len 121
> Mar 25 22:54:16.619: RADIUS:  authenticator 63 B4 AE 27 0B BF 68 D1 - 8E C2 A9 74 03 17 D7 38
> Mar 25 22:54:16.619: RADIUS:  User-Name           [1]   5   "rrr"
> Mar 25 22:54:16.620: RADIUS:  Framed-MTU          [12]  6   1400
> Mar 25 22:54:16.620: RADIUS:  Called-Station-Id   [30]  16  "001e.be8e.03e0"
> Mar 25 22:54:16.620: RADIUS:  Calling-Station-Id  [31]  16  "001b.77d2.b10c"
> Mar 25 22:54:16.620: RADIUS:  Service-Type        [6]   6   Login                     [1]
> Mar 25 22:54:16.620: RADIUS:  Message-Authenticato[80]  18  *
> Mar 25 22:54:16.621: RADIUS:  EAP-Message         [79]  10
> Mar 25 22:54:16.621: RADIUS:   02 02 00 08 01 72 72 72            [?????rrr]
> Mar 25 22:54:16.621: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
> Mar 25 22:54:16.621: RADIUS:  NAS-Port            [5]   6   412
> Mar 25 22:54:16.621: RADIUS:  NAS-IP-Address      [4]   6   172.17.4.30
> Mar 25 22:54:16.621: RADIUS:  Nas-Identifier      [32]  6   "ap30"
> Mar 25 22:54:16.624: RADIUS: Received from id 1645/31 172.17.4.1:1812, Access-Reject, len 39
> Mar 25 22:54:16.624: RADIUS:  authenticator 4C 71 B8 6A A3 15 51 B7 - B5 4A 93 69 64 84 49 1C
> Mar 25 22:54:16.624: RADIUS:  Reply-Message       [18]  19
> Mar 25 22:54:16.625: RADIUS:   0D 0A 41 63 63 65 73 73 20 64 65 6E 69 65 64 0D  [??Access denied?]
> Mar 25 22:54:16.625: RADIUS:   0A                  [?]
> Mar 25 22:54:16.625: RADIUS(000000A1): Received from id 1645/31
>
> Debug from the GNU Radius server:
>
> Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
>
> Cisco config.txt:
>
> !
> ! Last configuration change at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> ! NVRAM config last updated at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> !
> version 12.3
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname ap30
> !
> no logging console
> enable secret 5 $1$2jwC$NHe..OkEaUL4fxHY22NDe0
> !
> clock timezone +0100 1
> ip subnet-zero
> ip domain name foo.tld
> ip name-server 172.17.4.1
> !
> !
> aaa new-model
> !
> !
> aaa group server radius rad_eap
>  server 172.17.4.1 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_mac
> !
> aaa group server radius rad_acct
> !
> aaa group server radius rad_admin
> !
> aaa group server tacacs+ tac_admin
> !
> aaa group server radius rad_pmip
> !
> aaa group server radius dummy
> !
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods local
> aaa authorization exec default local
> aaa accounting network acct_methods start-stop group rad_acct
> aaa session-id common
> !
> dot11 ssid oma
>  authentication open eap eap_methods
>  authentication network-eap eap_methods
>  authentication key-management wpa
>  guest-mode
> !
> !
> !
> username Cisco privilege 15 password 7 0005170B0D555B51
> !
> bridge irb
> !
> !
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption mode ciphers tkip
>  !
>  ssid oma
>  !
>  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
>  station-role root
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface BVI1
>  ip address 172.17.4.30 255.255.255.0
>  no ip route-cache
> !
> ip default-gateway 172.17.4.1
> ip http server
> no ip http secure-server
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> ip radius source-interface BVI1
> !
> logging facility auth
> logging 172.17.4.20
> access-list 111 permit tcp any any neq telnet
> snmp-server view dot11view ieee802dot11 included
> snmp-server community public view dot11view RO
> snmp-server location OEST
> snmp-server contact [EMAIL PROTECTED]
> snmp-server chassis-id ap30
> radius-server attribute 32 include-in-access-req format %h
> radius-server host 172.17.4.1 auth-port 1812 acct-port 1813 key 7 135647415A5F567978
> radius-server vsa send accounting
> bridge 1 route ip
> !
> !
> !
> line con 0
>  access-class 111 in
> line vty 0 4
>  access-class 111 in
> !
> sntp server 83.221.136.68
> sntp broadcast client
> end
>
> config from the radius server:
>
> # For detailed description, run:
> #   info Radius config
>
> # usedbm no;
>
> option {
>         # source-ip 172.17.4.1;
>         max-requests 1024;
>         resolve no;
> };
>
> logging {
>         prefix-hook "default_log_prefix";
>         channel default {
>                 file "radius.log";
>                 print-category yes;
>                 print-level yes;
>         };
>         channel info {
>                 file "radius.info";
>                 print-pid yes;
>         };
>         channel debug {
>                 file "radius.debug";
>         };
>         category auth {
>                 level high;
>                 print-auth yes;
>                 print-failed-pass yes;
>         };
>         category info {
>                 channel info;
>         };
>         category =debug {
>                 channel debug;
>         };
>         category * {
>                 channel default;
>         };
> };
>
> auth {
>         #listen 172.17.4.1;
>         #port 1645;
>         trace-rules yes;
>         max-requests 127;
>         request-cleanup-delay 2;
>         detail yes;
>         # detail-file-name "=nas_name(request_source_ip()) + \"/detail.auth\"";
>         strip-names yes;
>         # checkrad-assume-logged yes;
> };
>
> acct {
>         max-requests 127;
>         request-cleanup-delay 2;
>         detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
> };
>
> rewrite {
>         load "checknas.rw";
>         load "log-hook.rw";
>         load "nas-ip.rw";
> };
>
> # snmp {
> #       listen no;
> # };
>
> users from the Gnu Radius:
>
> # For detailed description, run:
> #   info Radius users
>
>
> ## The following entry is supposed to be used with authentication probe
> ## control. Please read `info --node 'Auth Probing' radius' for the detailed
> ## description of it
> DEFAULT Group = "*LOCKED_ACCOUNT*",
>         Auth-Type = Reject
>         Reply-Message = "Your account is currently locked.\n\
>         Please, contact your system administrator\n"
>
>
> ## Default entry.
> DEFAULT Auth-Type = Crypt-Local,
>         Password-Location = SQL,
>         Simultaneous-Use = 1
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP
>
> sqlserver from the radius server:
>
> Only changed a few things, like:
> doauth yes;
> user, pass, host, database so it can Auth; rest is default.
>
>
> _______________________________________________
> Help-gnu-radius mailing list
> [email protected]
> http://lists.gnu.org/mailman/listinfo/help-gnu-radius

--
Senior Network Security Analyst
CISSP, FCNSP, CCNP, CCDP, RCAS, CCAI
[EMAIL PROTECTED]
tel. 613.728.5504
cell. 613-295-5504
Marketbridge Technologies, Inc.
1066 Somerset St. West, Suite B-101
Ottawa, ON, K1Y 4T3
