hi, I am using Odyssey Client Manager and freeRADIUS 1.1.6. When I set peap with inner eap-mschap-v2, It works well.When I change inner eap type to eap-popt, seems can not work. eap.conf: eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/server_keycert.pem certificate_file = ${raddbdir}/certs/server_keycert.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes cipher_list = "DEFAULT" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } mschapv2 { } } debug message: rad_recv: Access-Request packet from host 10.155.20.84:1028, id=97, length=310 User-Name = "hhe123" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-31:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0204008f198000000085160301004510000041003f90e19f0e9099ace6ec05fb17123a18280ef2aaabf14d2a6c632e502133afefc99bf3c3e8216dd91489e6c3e58622bacd148a5c4cd3dfecff8fe172ac0d0a19140301000101160301003095d558aeea1c6a30113c21922745a4584a82f81ed2aec13d206481d23805d67e8760d4b1cdca811a54e5ed9819fefc52 State = 0xe364c386672736607a0f8f7ce0f2896a Message-Authenticator = 0x0743c8bc02356a840f048e55b5b87143 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 143 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0045], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 97 to 10.155.20.84 port 1028 Reply-Message = "Hello" EAP-Message = 0x0105004119001403010001011603010030972d13c7c42d04d1e4749ae66d2232830dd90327e820cab5cd8d2733712e71315b05c41c9c6b934cae84a1b7f75804e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x218ad259b8a94329f3d37b7ee6d7afad Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.155.20.84:1028, id=98, length=173 User-Name = "hhe123" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-31:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0x218ad259b8a94329f3d37b7ee6d7afad Message-Authenticator = 0x95efe7dde77c253e487f9cfd6065f838 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 98 to 10.155.20.84 port 1028 Reply-Message = "Hello" EAP-Message = 0x0106002b190017030100207f66e440788e3e4a186296309a4f1b5ebf1038927fa99eb61b7e63dfc7317b84 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x22cd9bd446d12f902e0ad6df5d148f89 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.155.20.84:1028, id=99, length=210 User-Name = "hhe123" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-31:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0206002b1900170301002062571e196c27b9966b1382edddbf0274e942305aff8893fc3cd152c500f726ea State = 0x22cd9bd446d12f902e0ad6df5d148f89 Message-Authenticator = 0x82ae47e2cb4faa273ac7b648e4ec8383 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - hhe123 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0206000b01686865313233 PEAP: Got tunneled identity of hhe123 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to hhe123 PEAP: Sending tunneled request EAP-Message = 0x0206000b01686865313233 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hhe123" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled reply RADIUS code 11 Reply-Message = "Hello" EAP-Message = 0x010700201a0107001b10b91afa7dcc132d9d9a98ec6a4c1bdc97686865313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfdb9dcb8c4a516dcb41f8ad450b8600a PEAP: Processing from tunneled session code 0x81745d8 11 Reply-Message = "Hello" EAP-Message = 0x010700201a0107001b10b91afa7dcc132d9d9a98ec6a4c1bdc97686865313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfdb9dcb8c4a516dcb41f8ad450b8600a PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 99 to 10.155.20.84 port 1028 Reply-Message = "Hello" EAP-Message = 0x0107004b190017030100409b40ceb2c423ae86e9f356b82858738088fead594577936681b8946ca687752bc90e31c2a093d94c7dfcd476e209191266ed9a8704f39b60e60a9892329909ad Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf80de75dd97216787da75df59dc75cd1 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.155.20.84:1028, id=100, length=210 User-Name = "hhe123" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-31:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0207002b190017030100209775c3b3d2ccbe5e26098b568eecd9b52fbf38942c670989a3a473825f6088c7 State = 0xf80de75dd97216787da75df59dc75cd1 Message-Authenticator = 0xe8a7a3a8a613f72f9ae0b72243b3626a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type nak rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020700060320 PEAP: Setting User-Name to hhe123 PEAP: Adding old state with fd b9 PEAP: Sending tunneled request EAP-Message = 0x020700060320 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hhe123" State = 0xfdb9dcb8c4a516dcb41f8ad450b8600a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for bad type 32 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 Reply-Message = "Hello" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8163440 3 Reply-Message = "Hello" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 100 to 10.155.20.84 port 1028 Reply-Message = "Hello" EAP-Message = 0x0108002b190017030100201de3831a7f2125c2ec88dedc5dbee21a24e23e625e1371f27bdab38d63f4568e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe001231019ae6ca94a0f00f7fc2da77b Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.155.20.84:1028, id=101, length=210 User-Name = "hhe123" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-31:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0208002b19001703010020ca0014dd22e8f82e4820bb23d6b91f570d81a30691975f99827e71e2596d4145 State = 0xe001231019ae6ca94a0f00f7fc2da77b Message-Authenticator = 0x3fab705ee35081dfacb8bd2bc1cf65c2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_eap: EAP packet type response id 8 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry hhe123 at line 95 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. Sending Access-Reject of id 101 to 10.155.20.84 port 1028 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Reply-Message = "Hello" Finished request 8 -John
--------------------------------- 雅虎邮箱传递新年祝福,个性贺卡送亲朋!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html