Dear All, Kndly help with the following setup: SETUP;
wifi client (Windows-XPservice pack 2) <-----------------> AP <-----------------------> freeradius-2.1.1 on red hat fedora-9 auth type:PEAP-EAP-MD5 wpa-enterprise (external Radius Server) user: client password :test123 I trying to use WPA-Enterprise using PEAP,EAP-MD5 as authentication type and freeradius-2.1.1 as external radius server. It fails to authenticate. Attached are the log files and wireshark captures from the freeradius-2.1.1. Regards Prasad
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=90,
length=182
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300061900
State = 0x49595b094b5a4202775fa048860f1f11
Message-Authenticator = 0x536599f560d86a4c509be7a69f47084e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.0.199 port 1376
EAP-Message =
0x010402c719004e071ea95e3d7726e47f44c7cada8299cb134d5f0fbc491f7a1b8dcf8b014cc36f95a4d15cddcc861f2fa61c5433d2f417cdceda75620bd687128300957c99c8e8a1ed728f992ad98187abb16d10be7f4728242a89d18cf3b909fc50ea7b0044e32483860426732d83c107bc648fa7326fc71665dfa6cf60108aaaa8713b4f36b9a942fdf56e5ca530bace2a81b8db083bc3015d0cd19db23d09c59b765f3bf182ac28b46327160301020d0c0002090080ca6b6b090d42dbd654e500e15188e1f8db31d77b18d37bae34d299d06c5e6b5a59b670a81389f7101ee8b070444fb8587b8d26e797175d316e46411dbd7d700ac3fbe0b85496
EAP-Message =
0xcae6ec2286040c046c79931d291755387e002808e0d95d2c0276f20623955173768285a1e80665364ff7971f05d91421dbcac745d421f74d28730001020080c919d0d6645d3629a3339f2d830832bbd4d18f0f6932285a063c7732540f1d037a53528fa61ea6c751eac9e64141a8c884c4221494a1619edb4ef83e08ef7b5500d970762ea5821e5a12e46ecb12aab281bebba9af5c94d4458e78928fcfef5629f6fc381ce9804832e54463a92fb03f425ce27eed791932585d670bbc1339db01000b33870443ed640a21bc007ff5481a947ea18bafcd5af55b3f00f0a03ec504e2cf093e8d506f1d1916c1d82c7b26db60eaab7ed89cc760559eaf144d
EAP-Message =
0xaa038d4d59aaac90489b936a6fe2cdb931214fa2fb22d5fd999d8fd41c3438918c17d5d4a415a7cf91de037c318d1183f3aa98e2bfbe642cefdfc8ce6c3163862323baf4f9eb9e9ad175d106d4ced3679a46a2bf67572ba12b6631cf3aadf43b34121fa915fee0ccf9f5aa322e70600c47eefbe0070a08ac77ff117f548d38fe62401c32263aa9a30f9e2d30a39af60e79355c4a3989bd659676f2de96174cfd7ea3e40d48d3ba5d76dfc89f95ec3013e068cab6abe6b55a43639c385b8933d5a967b94116030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b094a5d4202775fa048860f1f11
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=91,
length=376
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x020400c81980000000be1603010086100000820080921071c4c63cc4670634284452c1843e64dc3503e4ff15ab50d3402443f221d512966eeb9c8321a6b2f2dbda5960513a8deff8b54a3e38daac6ed006819df33f60a272ed93cbeca74ffd0ff7d22e22fb61ea177d938ad361b83fa9be6c6f332469d83657361268ef9c6b9e34a85ce3772395a5f127c1e08383c210aa7867f5ef140301000101160301002895b81e66dbea1f5ae2271fa4ed91741693c7d1fc4bc0b1449f2f68cba0fc095c56725f85057164f1
State = 0x49595b094a5d4202775fa048860f1f11
Message-Authenticator = 0xde20d26aea8d5ecf5fe8fd8e38f5414d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 190
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.0.199 port 1376
EAP-Message =
0x0105003919001403010001011603010028d11b1f9113307828ff1855a4d19be23a61a2747273fab76098dc4d83a3bd82500743194eb0dcb4b3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b094d5c4202775fa048860f1f11
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=92,
length=182
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020500061900
State = 0x49595b094d5c4202775fa048860f1f11
Message-Authenticator = 0xc765f4cb6011014227ede4176aa494ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.0.199 port 1376
EAP-Message =
0x0106002b1900170301002051411f474ebeb73ac25eb6804f77f858c2162c497d0d44795af75750553d7cdb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b094c5f4202775fa048860f1f11
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=93,
length=248
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x02060048190017030100189dce6ae4b0e7626a80e9fa6b2033ae5111ba27f667cae4191703010020e7e2a4d0e906f105352cfadf2cf40dad31102a956da8cf1a7238a0808d0695ed
State = 0x49595b094c5f4202775fa048860f1f11
Message-Authenticator = 0x38dc142142c303e80b7572794b3724d8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - client
[peap] Got tunnled request
EAP-Message = 0x0206000b01636c69656e74
server (null) {
PEAP: Got tunneled identity of client
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to client
Sending tunneled request
EAP-Message = 0x0206000b01636c69656e74
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "client"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Hello, client"
EAP-Message =
0x010700201a0107001b10f474f3b69580e17f3b0680c2d41d7317636c69656e74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6718235c67698c446659fb782fc21ed
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Hello, client"
EAP-Message =
0x010700201a0107001b10f474f3b69580e17f3b0680c2d41d7317636c69656e74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6718235c67698c446659fb782fc21ed
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.0.199 port 1376
EAP-Message =
0x01070043190017030100386beaabe29f5cd53608a3709bff2704b45506358ecf996bc4a716ca71967d65619ed31409ce14c577ab3929b185eb24d47b047bd6e8a8d5bb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b094f5e4202775fa048860f1f11
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=94,
length=240
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x02070040190017030100186e2edd18ceb5604a145d713f4597b44baece5f0f88e8e5ea17030100181ef6f25817bed8c00e1da6aa9838c59fcb9f174b6a388724
State = 0x49595b094f5e4202775fa048860f1f11
Message-Authenticator = 0x0e3ddbc203700437b5d6eee1cecd5912
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 64
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type nak
[peap] Got tunnled request
EAP-Message = 0x020700060304
server (null) {
PEAP: Setting User-Name to client
Sending tunneled request
EAP-Message = 0x020700060304
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "client"
State = 0xc6718235c67698c446659fb782fc21ed
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/md5
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Hello, client"
EAP-Message = 0x010800160410d10c9d658f673584ebe48d9ee23dd292
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6718235c77986c446659fb782fc21ed
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Hello, client"
EAP-Message = 0x010800160410d10c9d658f673584ebe48d9ee23dd292
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6718235c77986c446659fb782fc21ed
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 94 to 192.168.0.199 port 1376
EAP-Message =
0x0108003319001703010028d6840c48ca0c7872a1e0002880490cb55f3edcb169129e6bae0e834a36b04d8423df210db790d0ca
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b094e514202775fa048860f1f11
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=95,
length=256
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x02080050190017030100188fda9b5c9d547537d95d8b15b0bddf49979dca1a962227af170301002857d6298e0c53206e1445f8c5ec7cb11c63dc7d7e8a289dc5fe81a94fef7070a4213b0aace8e50a6c
State = 0x49595b094e514202775fa048860f1f11
Message-Authenticator = 0x39edb9c79e34ab3c3688719c8ca23a74
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type md5
[peap] Got tunnled request
EAP-Message = 0x020800160410622705afb928b5c49b4b6deae44b4ea7
server (null) {
PEAP: Setting User-Name to client
Sending tunneled request
EAP-Message = 0x020800160410622705afb928b5c49b4b6deae44b4ea7
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "client"
State = 0xc6718235c77986c446659fb782fc21ed
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
Reply-Message = "Hello, client"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
Reply-Message = "Hello, client"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 95 to 192.168.0.199 port 1376
EAP-Message =
0x0109002b19001703010020cf1e805cee2c191d83f70d7012d0ea5cd7ae3e2f6cd9543e784fdfa2147b4557
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49595b0941504202775fa048860f1f11
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=96,
length=248
User-Name = "client"
NAS-IP-Address = 192.168.0.199
NAS-Identifier = "test.5gwireless.com"
NAS-Port = 0
Called-Station-Id = "00-0B-6B-87-01-BD:test"
Calling-Station-Id = "00-1C-F0-9B-64-E5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0209004819001703010018b13073e5eb51fae3821e121fdd6383c48cc6b5b190bb6788170301002083628dd64df93fffefdb38356d51e0b78093db0a5f5873dd888bff546386d219
State = 0x49595b0941504202775fa048860f1f11
Message-Authenticator = 0x1b52b20bc7954df7401c5c955e414687
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> client
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 96 to 192.168.0.199 port 1376
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 87 with timestamp +59
Cleaning up request 1 ID 88 with timestamp +59
Cleaning up request 2 ID 89 with timestamp +59
Cleaning up request 3 ID 90 with timestamp +59
Waking up in 0.1 seconds.
Cleaning up request 4 ID 91 with timestamp +59
Cleaning up request 5 ID 92 with timestamp +59
Cleaning up request 6 ID 93 with timestamp +59
Cleaning up request 7 ID 94 with timestamp +59
Cleaning up request 8 ID 95 with timestamp +59
Waking up in 1.0 seconds.
Cleaning up request 9 ID 96 with timestamp +59
Ready to process requests.
dro250i_auth_assoc_open_wpa-peap_eap_md5_eth_cap_freeradius-2.1.1
Description: Binary data
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
