Hi Alan! Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file:
ourson User-Password = " testtest"
i think i see two potential issues here ... one is noted in the logging:
[/usr/local/etc/raddb/users]:156 WARNING! Changing 'User-Password =' to 'User-Password ==' for comparing RADIUS attribute in check item list for user ourson
the operator that's needed is "==", not just "=" ... but radius sorta fixed that in the request, as the logs note.
the other potential issue: the space before the password begins. assuming that the password gets encrypted into the EAP-Message ( something i'm thinking happens ... but i'm not sure of ), that space is getting added to the encrypted string and will never match.
and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand, because the same error message appears even if I change the users file like I showed you before. I am asking myself which options must be set in the MS-CHAP module (in radiusd.conf)? I didn't change any options in the MS-CHAP module (use_mppe, require_encryption, require_strong with a # before), but is it necessary? (I tried quickly to set these options = yes, but I had the same results.) If you have any idea about what is wrong with my configuration, please tell me! Here is my log, with the beginning of FreeRADIUS when it's launched:
+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/sauv-certif/cert/new/serveur6.pem"
tls: certificate_file = "/sauv-certif/cert/new/serveur6.pem"
tls: CA_file = "/sauv-certif/cert/new/root.pem"
tls: private_key_password = "saucisson"
tls: dh_file = "/sauv-certif/cert/new/dh"
tls: random_file = "/sauv-certif/cert/new/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
[/usr/local/etc/raddb/users]:156 WARNING! Changing 'User-Password =' to 'User-Password ==' for comparing RADIUS attribute in check item list for user ourson
[/usr/local/etc/raddb/users]:159 WARNING! Changing 'User-Password =' to 'User-Password ==' for comparing RADIUS attribute in check item list for user tunnel-user
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
... ...
rad_recv: Access-Request packet from host 192.168.1.2:2767, id=207, length=203
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0x07e9f9208d0cfb69994928b58a72b12d
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02dd00291900170301001e6d58217639535b3af807d99a4d9975aad4b0730b79de372ee9c1cc1eb482
Message-Authenticator = 0x839b3d54658fbd21e93f44b3137af9bb
modcall: entering group authorize for request 21
modcall[authorize]: module "preprocess" returns ok for request 21
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 21
modcall[authorize]: module "chap" returns noop for request 21
rlm_eap: EAP packet type response id 221 length 41
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 21
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 21
modcall[authorize]: module "files" returns notfound for request 21
modcall[authorize]: module "mschap" returns noop for request 21
modcall: group authorize returns updated for request 21
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 21
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: Identity - NOMADE\ourson
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02dd0012014e4f4d4144455c6f7572736f6e
PEAP: Got tunneled identity of NOMADE\ourson
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Sending tunneled request
EAP-Message = 0x02dd0012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = "NOMADE\\ourson"
modcall: entering group authorize for request 21
modcall[authorize]: module "preprocess" returns ok for request 21
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 21
modcall[authorize]: module "chap" returns noop for request 21
rlm_eap: EAP packet type response id 221 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 21
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 21
modcall[authorize]: module "files" returns notfound for request 21
modcall[authorize]: module "mschap" returns noop for request 21
modcall: group authorize returns updated for request 21
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 21
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 21
modcall: group authenticate returns handled for request 21
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x01de00271a01de0022101b29d4b74425188e9bd90ecbd0b749e54e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2548b672befdc64a5b854049752e2c7d
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 21
modcall: group authenticate returns handled for request 21
Sending Access-Challenge of id 207 to 192.168.1.2:2767
EAP-Message = 0x01de003e19001703010033198a95d5a33ed03bddec64e026741409df628e5e963aaed202ffc1b487c3aa8205784a8c9f3b7136a14a341d9b6785a0447dd0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa6883daa315586cbc29ea58ca9882e02
Finished request 21
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2768, id=208, length=250
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0xa6883daa315586cbc29ea58ca9882e02
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02de00581900170301004d28c122dfe3fc4f0626dc33d8c38acf47929beafe21a32081e46f28cf00139b328d1b66c7a4055f6854bc6fffcac6d4f0fc016aeb33eaacc4019b199a85be153ac6d77cd4c5914a09e5ff36c22f
Message-Authenticator = 0x86d5c4cb0a7073835b68164d71a63bd6
modcall: entering group authorize for request 22
modcall[authorize]: module "preprocess" returns ok for request 22
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 22
modcall[authorize]: module "chap" returns noop for request 22
rlm_eap: EAP packet type response id 222 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 22
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 22
modcall[authorize]: module "files" returns notfound for request 22
modcall[authorize]: module "mschap" returns noop for request 22
modcall: group authorize returns updated for request 22
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 22
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: EAP type 26
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02de00411a02de003c31c6bf4c1979bda1ffd6378d4ae014bb20000000000000000023de50a1d0c91ad58c0a4cba3e3681bd2d3ac7a6e2c205a1006f7572736f6e
PEAP: Adding old state with 25 48
PEAP: Sending tunneled request
EAP-Message = 0x02de00411a02de003c31c6bf4c1979bda1ffd6378d4ae014bb20000000000000000023de50a1d0c91ad58c0a4cba3e3681bd2d3ac7a6e2c205a1006f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = "NOMADE\\ourson"
State = 0x2548b672befdc64a5b854049752e2c7d
modcall: entering group authorize for request 22
modcall[authorize]: module "preprocess" returns ok for request 22
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 22
modcall[authorize]: module "chap" returns noop for request 22
rlm_eap: EAP packet type response id 222 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 22
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 22
modcall[authorize]: module "files" returns notfound for request 22
modcall[authorize]: module "mschap" returns noop for request 22
modcall: group authorize returns updated for request 22
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 22
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 22
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found. Cannot perform MS-CHAP authentication.
modcall[authenticate]: module "mschap" returns fail for request 22
modcall: group Auth-Type returns fail for request 22
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 22
modcall: group authenticate returns reject for request 22
auth: Failed to validate the user.
Login incorrect: [NOMADE\\ourson/<no User-Password attribute>] (from client localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04de0004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 22
modcall: group authenticate returns handled for request 22
Sending Access-Challenge of id 208 to 192.168.1.2:2768
EAP-Message = 0x01df00261900170301001b7bb0b0aafd6f035d74cc3caf47bebf6f01bd8ec079a52a0eaab7d6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09b77e94e471c419188e7fc849827458
Finished request 22
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2769, id=209, length=200
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0x09b77e94e471c419188e7fc849827458
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02df00261900170301001b6e97b2ce515af9c6997ec28d9b765293de27e77b2ed6f9b2ce1d06
Message-Authenticator = 0x03cb3668c8a04e54c5370b8d92b16b11
modcall: entering group authorize for request 23
modcall[authorize]: module "preprocess" returns ok for request 23
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 23
modcall[authorize]: module "chap" returns noop for request 23
rlm_eap: EAP packet type response id 223 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 23
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 23
modcall[authorize]: module "files" returns notfound for request 23
modcall[authorize]: module "mschap" returns noop for request 23
modcall: group authorize returns updated for request 23
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 23
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 23
modcall: group authenticate returns invalid for request 23
auth: Failed to validate the user.
Login incorrect: [NOMADE\\ourson/<no User-Password attribute>] (from client AP1 port 37 cli 000af49c507f)
Delaying request 23 for 1 seconds
Finished request 23
Going to the next request
Waking up in 3 seconds...
what does it mean...?!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
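Added example, not code from the thread or from FreeRADIUS itself: a small Python lint for a FreeRADIUS users file that checks the two points raised in the reply above (a User-Password check item written with "=" instead of "==", and whitespace inside the quoted password, which becomes part of the value that is compared) and models the exact-name match the files module performs on User-Name. The debug output above shows module "files" returning notfound for "NOMADE\ourson" while the entry is for "ourson", with preprocess configured as with_ntdomain_hack = no; files_lookup() shows that difference. The sample users lines are constructed, and files_lookup() is a simplified model of the domain-prefix stripping, an assumption rather than the module's own code.

```python
"""Lint a FreeRADIUS users file for the check-item mistakes discussed in
the thread, and model the username match done by the files module."""
import re

# Constructed sample input modelled on the entry quoted in the thread; the
# poster's real users file is not available, so these lines are made up.
SAMPLE_USERS_FILE = """\
ourson      User-Password = " testtest"
tunnel-user User-Password = "tunnelpass"
alice       Cleartext-Password := "correct-horse"
"""

# Operators accepted in a check-item list, longest first so that the
# alternation tries "==" before it tries "=".
_OPS = ["==", ":=", "=~", "!~", "=*", "!*", "!=", ">=", "<=", "=", ">", "<"]
_ITEM_RE = re.compile(
    r"(?P<attr>[A-Za-z0-9-]+)\s*(?P<op>"
    + "|".join(re.escape(o) for o in _OPS)
    + r')\s*"(?P<val>[^"]*)"'
)


def parse_users_file(text):
    """Return {user: [(lineno, attr, op, value), ...]} for each entry.

    Only the first line of an entry (user name followed by check items) is
    parsed; indented reply-item continuation lines and comments are skipped.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        user, _, rest = line.partition(" ")
        items = [(lineno, m["attr"], m["op"], m["val"])
                 for m in _ITEM_RE.finditer(rest)]
        entries[user] = items
    return entries


def lint_entries(entries):
    """Flag the two problems from the thread.

    1. User-Password written with "=": radiusd logs a WARNING and rewrites
       it to "==", because a check item needs the comparison operator.
    2. A quoted password with leading or trailing whitespace: the space is
       part of the stored value, so the supplicant's password never matches.
    """
    findings = []
    for user, items in entries.items():
        for lineno, attr, op, val in items:
            if attr == "User-Password" and op == "=":
                findings.append((lineno, user,
                                 "User-Password uses '='; check items need '=='"))
            if attr in ("User-Password", "Cleartext-Password") and val != val.strip():
                findings.append((lineno, user,
                                 "password value has leading/trailing whitespace"))
    return findings


def files_lookup(entries, user_name, ntdomain_hack=False):
    """Simplified model (assumption, not the module's code) of how the files
    module picks an entry: User-Name must equal the entry name exactly.
    With the preprocess option with_ntdomain_hack the "DOMAIN\\" prefix is
    stripped first; only that prefix-stripping part is modelled here."""
    name = user_name
    if ntdomain_hack and "\\" in name:
        name = name.split("\\", 1)[1]
    return name if name in entries else None


if __name__ == "__main__":
    entries = parse_users_file(SAMPLE_USERS_FILE)
    for lineno, user, msg in lint_entries(entries):
        print(f"users:{lineno} [{user}] {msg}")
    print("NOMADE\\ourson ->", files_lookup(entries, "NOMADE\\ourson"))
    print("NOMADE\\ourson (ntdomain hack) ->",
          files_lookup(entries, "NOMADE\\ourson", ntdomain_hack=True))
```

Run it against a copy of the real users file by replacing SAMPLE_USERS_FILE with the file's contents; the lint reports the same two entries the WARNING lines in the startup log point at, and the lookup shows why a User-Name carrying a "DOMAIN\" prefix never reaches the "ourson" entry unless the prefix is stripped before the files module runs.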
