Hi folks.
I'm trying to authenticate WinXP clients using a Vivato Wi-Fi switch using EAP-PEAP. The server configuration seems to be the same as I have seen from people that say they have PEAP working with Win XP. Any clues whether it is the server misconfiguration or the AP that is not working?

Thanx
Paul

Debug:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius/raddb/proxy.conf
Config: including file: /usr/local/freeradius/raddb/clients.conf
Config: including file: /usr/local/freeradius/raddb/snmp.conf
Config: including file: /usr/local/freeradius/raddb/eap.conf
Config: including file: /usr/local/freeradius/raddb/sql.conf
main: prefix = "/usr/local/freeradius"
main: localstatedir = "/usr/local/freeradius/var"
main: logdir = "/usr/local/freeradius/var/log/radius"
main: libdir = "/usr/local/freeradius/lib"
main: radacctdir = "/usr/local/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "wheel"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/freeradius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 120
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/freeradius/raddb/1x/bsd01.pem"
tls: certificate_file = "/usr/local/freeradius/raddb/1x/bsd01.pem"
tls: CA_file = "/usr/local/freeradius/raddb/1x/root.pem"
tls: private_key_password = "mypass"
tls: dh_file = "/usr/local/freeradius/raddb/1x/dh"
tls: random_file = "/usr/local/freeradius/raddb/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/freeradius/raddb/huntgroups"
preprocess: hints = "/usr/local/freeradius/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/freeradius/raddb/users"
files: acctusersfile = "/usr/local/freeradius/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/freeradius/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 66.38.229.2:1024, id=213, length=170
        User-Name = "vivatotest1"
        NAS-IP-Address = 66.38.229.2
        NAS-Port = 0
        Called-Station-Id = "00:0B:33:01:1A:60"
        Calling-Station-Id = "00:02:2D:67:E2:A0"
        NAS-Identifier = "dns01.otalbds"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300100176697661746f7465737431
        Message-Authenticator = 0x97c7bb6e353daa8880347882448651cb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "vivatotest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 3 length 16
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 213 to 66.38.229.2:1024
        EAP-Message = 0x010400060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8d063feaafca17cce5925ded1e67f831
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.38.229.2:1024, id=214, length=172
        User-Name = "vivatotest1"
        NAS-IP-Address = 66.38.229.2
        NAS-Port = 0
        Called-Station-Id = "00:0B:33:01:1A:60"
        Calling-Station-Id = "00:02:2D:67:E2:A0"
        NAS-Identifier = "dns01.otalbds"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020400060319
        State = 0x8d063feaafca17cce5925ded1e67f831
        Message-Authenticator = 0x10c1b9eb473dca322f548c9f7d147eef
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "vivatotest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 214 to 66.38.229.2:1024
        EAP-Message = 0x010500061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfe7590978dd8ccf5767d999221b14ac9
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.38.229.2:1024, id=215, length=246
        User-Name = "vivatotest1"
        NAS-IP-Address = 66.38.229.2
        NAS-Port = 0
        Called-Station-Id = "00:0B:33:01:1A:60"
        Calling-Station-Id = "00:02:2D:67:E2:A0"
        NAS-Identifier = "dns01.otalbds"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0205005019800000004616030100410100003d030140a23eb79d3410954b1dc167714412916fe4ab432538636e2753e29fc0c61cce00001600040005000a000900640062000300060013001200630100
        State = 0xfe7590978dd8ccf5767d999221b14ac9
        Message-Authenticator = 0xb857b5d88eaebbf50d5dcd8009ad50aa
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "vivatotest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 5 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0676], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 215 to 66.38.229.2:1024
        EAP-Message = 0x313231343130355a170d303430363130323134313035
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x69272e87ffd2f07e309494c522469c63
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.38.229.2:1024, id=216, length=172
        User-Name = "vivatotest1"
        NAS-IP-Address = 66.38.229.2
        NAS-Port = 0
        Called-Station-Id = "00:0B:33:01:1A:60"
        Calling-Station-Id = "00:02:2D:67:E2:A0"
        NAS-Identifier = "dns01.otalbds"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020600061900
        State = 0x69272e87ffd2f07e309494c522469c63
        Message-Authenticator = 0xf89c045fe8d98837841a465a4f80a6ba
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "vivatotest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 216 to 66.38.229.2:1024
        EAP-Message = 0xcb21f3594c6abbbcd0a49945f6ce6f4eb4acf204d90853f0f91c6992fe5ca055f69299a8b0a9954c9065a91db6396277ed672b4eb840a4697243d602d381e75b2b0203010001a381f73081f4301d0603551d0e0416041446bafd1c48f779afadfe81c37277b502ac7efe103081c40603551d230481bc3081b9801446bafd1c48f779afadfe81c37277b502ac7efe10a1819da4819a308197310b3009060355040613024341310b30090603550408130251433111300f060355040713084d6f6e747265616c31143012060355040a130b444953545249425554454c310c300a060355040b13034e4f433120301e06035504031317444953545249425554
        EAP-Message = 0x454c20576972656c6573732043413122302006092a864886f70d01090116136e6f6340646973747269627574656c2e6e6574820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181009ed4363a49b8e5fb03d293ad9845af0248711029a8a8064f73c264c88d7372721ff80c3ea004ad398367d4d143d8af8318d2c5273a552f468c3802ee0ef752e7871ad4be1e4ee4f726a58cdfc05b77de6e572d1e63243d27361f3333e0b469eb0396a4f2f4815c31e782d8fe4b464b84d486f882e66d60d149d5af61da49833e16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa46f6e45bdb19ada59ea51e646d8fce3
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.38.229.2:1024, id=217, length=172
        User-Name = "vivatotest1"
        NAS-IP-Address = 66.38.229.2
        NAS-Port = 0
        Called-Station-Id = "00:0B:33:01:1A:60"
        Calling-Station-Id = "00:02:2D:67:E2:A0"
        NAS-Identifier = "dns01.otalbds"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020700061900
        State = 0xa46f6e45bdb19ada59ea51e646d8fce3
        Message-Authenticator = 0x53f4082be1dc31d2f4288b072f784864
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "vivatotest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 217 to 66.38.229.2:1024
        EAP-Message = 0x010800061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8a11c13a441d27620348c48c0c325bac
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 213 with timestamp 40a23f1f
Cleaning up request 1 ID 214 with timestamp 40a23f1f
Cleaning up request 2 ID 215 with timestamp 40a23f1f
Cleaning up request 3 ID 216 with timestamp 40a23f1f
Cleaning up request 4 ID 217 with timestamp 40a23f1f
Nothing to do. Sleeping until we see a request.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
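
For anyone reading a trace like the one in this post, the EAP-Message values can be decoded by hand to follow the method negotiation (server offers EAP-TLS, client NAKs and asks for PEAP) and the TLS fragment flags. The following is an added example, not part of the original post or of FreeRADIUS; the function name decode_eap and the SAMPLE list are illustrative, and the field layout follows RFC 3748 and the EAP-TLS flags byte. An EAP packet larger than one RADIUS attribute is split across several EAP-Message attributes, which must be concatenated before decoding.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length included, More, Start

def decode_eap(value):
    """Decode one complete EAP packet given as the hex printed by radiusd -X."""
    raw = bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return pkt                       # Success/Failure carry no type field
    etype, data = raw[4], raw[5:]
    pkt["type"] = TYPES.get(etype, etype)
    if etype == 1:                       # Identity: the outer user name
        pkt["identity"] = data.decode("ascii", "replace")
    elif etype == 3:                     # Nak: list of types the peer will accept
        pkt["wants"] = [TYPES.get(t, t) for t in data]
    elif etype in (13, 25) and data:     # TLS-based methods share the flags byte
        flags, body = data[0], data[1:]
        pkt["flags"] = "".join(name for bit, name in TLS_FLAGS if flags & bit)
        if flags & 0x80:
            if len(body) < 4:
                raise ValueError("L flag set but TLS length field missing")
            pkt["tls_total"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_bytes"] = len(body)     # 0 with no flags is a fragment ACK
    return pkt

# EAP-Message values copied from the debug output in this post, in order.
SAMPLE = [
    "0x020300100176697661746f7465737431",
    "0x010400060d20",
    "0x020400060319",
    "0x010500061920",
    "0x0205005019800000004616030100410100003d0301"
    "40a23eb79d3410954b1dc167714412916fe4ab432538636e2753e29fc0c61cce"
    "00001600040005000a000900640062000300060013001200630100",
    "0x020600061900",
    "0x020700061900",
    "0x010800061900",
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(decode_eap(v))
```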