Hi, I'm going crazy with my RADIUS configuration. For some days everything worked. But now I can't authenticate with an XP client; Linux still works. It seems that it is a problem with the EAP configuration or with the certificates, but I can't find any error in the debug output!?
Maybe this is the problem: "[eap] No EAP Start, assuming it's an on-going EAP conversation", but I don't know what I can do. Please give me some further hints. I want to authenticate with EAP-PEAP and MSCHAP.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=43, length=145
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50005
        NAS-Port-Type = Ethernet
        User-Name = "FIRMA1\\usera"
        Called-Station-Id = "00-15-F9-D8-7C-C5"
        Calling-Station-Id = "00-1A-4B-63-69-0B"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02000014014649524d41315c626c657273636861
        Message-Authenticator = 0x7371c1f1726066beb9dabe848c328593
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] expand: %t -> Sun Nov 7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for usera
[ldap] expand: %{Stripped-User-Name} -> usera
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usera)
[ldap] expand: dc=firma1,dc=de -> dc=firma1,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=firma1,dc=de, with filter (uid=usera)
[ldap] Added User-Password = {SSHA}WNtfzJKztV/VYNqJAew//EpfaqFTTmRY in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
[ldap] sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user usera authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 43 to 192.168.0.2 port 1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5811fdbe58006df807df3f78bad2b67
Finished request 42.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=44, length=230
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50005
        NAS-Port-Type = Ethernet
        User-Name = "FIRMA1\\usera"
        Called-Station-Id = "00-15-F9-D8-7C-C5"
        Calling-Station-Id = "00-1A-4B-63-69-0B"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe5811fdbe58006df807df3f78bad2b67
        EAP-Message = 0x0201005719800000004d16030100480100004403014cd6813031d93b50d4e589daaf39973f09262a8588b4684bfd4c30b952c9245a00001600040005000a0009006400620003000600130012006301000005ff01000100
        Message-Authenticator = 0xc287af478d7c193cfcec6b09c33c099c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] expand: %t -> Sun Nov 7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 07d8], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 44 to 192.168.0.2 port 1812
        EAP-Message = 0x31313030373135303932315a3064310b3009060355040613024445311630140603550408130d426c65727363685261646975733110300e060355040a1307426c6572736368311430120603550403130b52616469757320546573743115301306092a864886f70d01090116066140612e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100beade1be49bb6da9990ac95083434e9fc6a86411143c8cec2aef5f2aaa5801a97f756f621461a34bfbaf348c97bd48269a36888e97d5b7e9dc765889712b4cd98092f312a6be1b96a3438646c64c974cefb4accf93ce7414a33b29922f3e8d268cfb61fcdb0309bba351
        EAP-Message = 0x550406130244453116301406
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5811fdbe48306df807df3f78bad2b67
Finished request 43.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=45, length=149
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50005
        NAS-Port-Type = Ethernet
        User-Name = "FIRMA1\\usera"
        Called-Station-Id = "00-15-F9-D8-7C-C5"
        Calling-Station-Id = "00-1A-4B-63-69-0B"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe5811fdbe48306df807df3f78bad2b67
        EAP-Message = 0x020200061900
        Message-Authenticator = 0x6595267991b7298210d423ea9e5e7e34
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] expand: %t -> Sun Nov 7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 45 to 192.168.0.2 port 1812
        EAP-Message = 0x010303fc194003550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b5261646975732054657374301e170d3130313030373135303932315a170d3230313031343135303932315a3079310b3009060355040613024445311630140603550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b
        EAP-Message = 0xe24474c861b96895fa7fad9add315db3c9d6bd413d193cbd431147f6a318743d7c29ed7656a7380b8ebf4fe110ae910203010001a381de3081db301d0603551d0e04160414ac77f070444423b5a05945e1546a0c7747062ba73081ab0603551d230481a33081a08014ac77f070444423b5a05945e1546a0c7747062ba7a17da47b3079310b3009060355040613024445311630140603550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b526164697573205465737482
        EAP-Message = 0xe30c97f4b32d6d07
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5811fdbe78206df807df3f78bad2b67
Finished request 44.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=46, length=149
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50005
        NAS-Port-Type = Ethernet
        User-Name = "FIRMA1\\usera"
        Called-Station-Id = "00-15-F9-D8-7C-C5"
        Calling-Station-Id = "00-1A-4B-63-69-0B"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe5811fdbe78206df807df3f78bad2b67
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x5b1899fb14339eca7ba59de266860af7
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] expand: %t -> Sun Nov 7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 46 to 192.168.0.2 port 1812
        EAP-Message = 0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea4c9280acd2686fd194f216030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5811fdbe68506df807df3f78bad2b67
Finished request 45.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=47, length=149
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50005
        NAS-Port-Type = Ethernet
        User-Name = "FIRMA1\\usera"
        Called-Station-Id = "00-15-F9-D8-7C-C5"
        Calling-Station-Id = "00-1A-4B-63-69-0B"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe5811fdbe68506df807df3f78bad2b67
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xc59a1a2d0cfb101ec430dad4e10897b6
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] expand: %t -> Sun Nov 7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 47 to 192.168.0.2 port 1812
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5811fdbe18406df807df3f78bad2b67
Finished request 46.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 42 ID 43 with timestamp +2802
Cleaning up request 43 ID 44 with timestamp +2802
Cleaning up request 44 ID 45 with timestamp +2802
Cleaning up request 45 ID 46 with timestamp +2802
Cleaning up request 46 ID 47 with timestamp +2802
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-doesn-t-work-anymore-tp3253866p3253866.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
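
The EAP-Message values in the debug output above can be decoded to follow the PEAP tunnel setup packet by packet. This is an added example, not part of the original post and not FreeRADIUS code: the function names are hypothetical, the sample values are copied from the log (those marked "cut" keep only their leading header bytes), and the layout assumed is the RFC 3748 header followed by the L/M/S flags byte that EAP-TLS and PEAP use.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {"EAP-TLS", "EAP-TTLS", "PEAP"}  # types with a flags byte after Type

def decode_eap(hex_value):
    """Decode the EAP header and, for TLS-based types, the flags byte."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("an EAP packet has at least a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length,
           "type": None, "flags": [], "tls_length": None, "tls_data": 0}
    if code in (1, 2) and len(raw) >= 5:      # only Request/Response carry a Type
        pkt["type"] = TYPES.get(raw[4], raw[4])
    if pkt["type"] in TLS_BASED and len(raw) >= 6:
        flags, offset = raw[5], 6
        pkt["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80 and len(raw) >= 10:   # L: 4-byte total TLS length follows
            pkt["tls_length"] = struct.unpack("!I", raw[6:10])[0]
            offset = 10
        pkt["tls_data"] = max(length - offset, 0)  # from the declared Length field
    return pkt

def role(pkt):
    """Name the step a decoded packet represents in the tunnel setup."""
    if pkt["type"] not in TLS_BASED:
        return str(pkt["type"])
    if "S" in pkt["flags"]:
        return "start"
    if pkt["tls_data"] == 0:
        return "empty (ACK)"
    return "fragment, more follow" if "M" in pkt["flags"] else "TLS data"

EXCHANGE = [  # (direction as seen by the server, EAP-Message value from the log)
    ("recv", "0x02000014014649524d41315c626c657273636861"),
    ("sent", "0x010100061920"),
    ("recv", "0x0201005719800000004d"),  # cut: header, flags, TLS length
    ("recv", "0x020200061900"),
    ("sent", "0x010303fc1940"),          # cut: header, flags
    ("recv", "0x020300061900"),
    ("sent", "0x010400361900"),          # cut: header, flags
    ("recv", "0x020400061900"),
    ("sent", "0x010500061900"),
]

def trace(exchange=EXCHANGE):
    """Return (direction, code, id, role) for every packet in the exchange."""
    return [(d, p["code"], p["id"], role(p)) for d, p in ((d, decode_eap(v)) for d, v in exchange)]
```

In this trace the last packet is a server Request (id 5) carrying no TLS data, sent after the client's ACK of id 4; the log shows no further response from the client before the requests are cleaned up.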