Hello list,
First of all: freeradius-2.1.8, Mysql 5.1.41 on Ubuntu 10.04 / Airport
Extreme v7.5
I'm having trouble authenticating users with EAP/mschapv2 against a
mysql database. Users authenticate fine if they are in the users file.
Here's the main problem it seems from the debug output:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oogabooga with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Now I've read a million posts on the web, including this list where
people have reported the same problem. In most cases the problem was
that the inner-tunnel server wasn't configured for sql. I definitely
have sql on in the inner-tunnel file (which I will post in a sec). The
mysql server IS being queried on the initial request, but not in
inner-tunnel. Can someone please shed some light on this for me
please.
Here is my inner-tunnel file and debug output (long).
Thanks, Matt
/etc/freeradius/sites-enabled/inner-tunnel :
server inner-tunnel {
authorize {
chap
mschap
unix
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
debug output:
rad_recv: Access-Request packet from host 10.20.20.254 port 65023,
id=181, length=153
User-Name = oogabooga
NAS-IP-Address = 10.20.20.254
NAS-Port = 0
Called-Station-Id = F8-1E-DF-FC-8C-82:xyz
Calling-Station-Id = 00-17-F2-45-F7-CF
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x028d000e016f6f6761626f6f6761
Message-Authenticator = 0x9388a95b4d72cd941931671109245b66
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = oogabooga, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 141 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{Stripped-User-Name} -
[sql] ... expanding second conditional
[sql] expand: %{User-Name} - oogabooga
[sql] expand: %{%{User-Name}:-DEFAULT} - oogabooga
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - oogabooga
[sql] sql_set_user escaped user -- 'oogabooga'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'oogabooga' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'oogabooga'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'oogabooga' ORDER
BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'oogabooga'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -
SELECT groupname FROM radusergroup WHERE username
= 'oogabooga' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'oogabooga' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found