Matthew/List, I tried and I'm getting the same issue.
Here's the debug. rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=6, length=245 Message-Authenticator = 0x948b8c046dfeede3e79b0b99ef7afa1a Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e4922436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206002b19001703010020cba7d86600d185f93548bb4b8a904a38a9374114ae4f376530f2636234997179 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bob [peap] Got inner identity 'bob' [peap] Setting default EAP type for tunneled EAP session. 
[peap] Got tunneled request EAP-Message = 0x0206000801626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0206000801626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdcb7ba18dcb0a038bd0375a7346d3160 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdcb7ba18dcb0a038bd0375a7346d3160 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.15.57 port 1034 EAP-Message = 0x0107003b19001703010030f361b42992d2fe185b2ecb50a0ad36b527d73dba8701ca1054c8cc470dc3d24f6264911b5e402218e4d768082be0e2fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1943d61e7932436507a40c0ae7feeb0 Finished request 7. 
Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=7, length=293 Message-Authenticator = 0x8069a3d06eedbc23049e7abb97238b0c Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e7932436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207005b1900170301005006888ad17e1479ebf1252dd882c59af57fcbd8fc6fdc408be3aa9bca0f848910aaa971fce0d84e6bb295c7cfcb97bde44fa36080cf0b6339724dfb31451e7c555b8368fa68abb401ef4865dcee9697a8 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" State = 0xdcb7ba18dcb0a038bd0375a7346d3160 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 62 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: bob [mschap] Told to do MS-CHAPv2 for bob with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. 
[mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 7 to 172.16.15.57 port 1034 EAP-Message = 0x0108002b1900170301002083fe169562401f5c43afaf4cb74fbe5ea4774a2cd7c7fa97b12f9b79166d7851 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1943d61e69c2436507a40c0ae7feeb0 Finished request 8. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=8, length=245 Message-Authenticator = 0xe3af8b2689dcb116c182ab22757afc9b Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e69c2436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b19001703010020924f468aa5f7c1dbbec3ec8dd582e3d54f437bf2d65be67569273dead8ad2a34 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. 
expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 8 to 172.16.15.57 port 1034 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 1 ID 0 with timestamp +22 Cleaning up request 2 ID 1 with timestamp +22 Cleaning up request 3 ID 2 with timestamp +22 Cleaning up request 4 ID 3 with timestamp +22 Cleaning up request 5 ID 4 with timestamp +22 Cleaning up request 6 ID 5 with timestamp +22 Cleaning up request 7 ID 6 with timestamp +22 Cleaning up request 8 ID 7 with timestamp +22 Waking up in 1.0 seconds. Cleaning up request 9 ID 8 with timestamp +22 Ready to process requests. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=0, length=192 Message-Authenticator = 0xa0906d6e9baa55c0f2d52b574d79f6a4 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000801626f62 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.15.57 port 1036 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ee9d0f4bc37318d43ce26de7 Finished request 10. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=1, length=334 Message-Authenticator = 0x5cdd8e0b50791ff49a6476fd24974e5e Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ee9d0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201008419800000007a16030100750100007103014f95ca5308334a7b6c18c056215661784e21c986bfc41f2918fa48cff1d52b1b000036c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00320033003800390016001301000012000a00080006001700180019000b00020100 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 132 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 122 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0075], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 08f8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 172.16.15.57 port 1036 EAP-Message = 0x381cca41e1ac6b870a2a6c38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ef9e0f4bc37318d43ce26de7 Finished request 11. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=2, length=208 Message-Authenticator = 0xc739fbd0ef9dcf866e7499bf3e1fc0da Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ef9e0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 172.16.15.57 port 1036 EAP-Message = 0x6e74696461642043 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ec9f0f4bc37318d43ce26de7 Finished request 12. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=3, length=208 Message-Authenticator = 0x9721441fee42173f4ac830082831c323 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ec9f0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 172.16.15.57 port 1036 EAP-Message = 0x46df94eed2015f11ee6d142419cf527a2b89a1e0d42f2476fc0f3658280de7c9fb0bc12ceee819419e565037a8a3f9346ec46baaca43702384a2582d5972fe10b09ba2859d03649add16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ed980f4bc37318d43ce26de7 Finished request 13. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=4, length=540 Message-Authenticator = 0x5fca46c54b0196cd6fe7153f9dbfca56 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ed980f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204015019800000014616030101061000010201005bc6e8f77b4a5f1639708d69bde492a488c3d32ae3b24c27ff529908a3d5b69f49481e2d4915f43951aab38ac7aebade7ca22bf60cb88147ed7269538bfb74c436e36adbb94888c95cb71860bb8dd0e87a5a98aa321d45f89415ad6a44e56c5a2ba9b4f94e4ad43f63e1791472a1debf7bf3158cc571b112e65ee818b30b4b7a5027107e9550cc1fa3705174cd4a0013efa821316a1e3de4249677c5977bca910562f21ca05ccdef26df5d629cc34566885728d35d6d59b0534125bdcbf57d10cfd05ee862bccfffaa76b7d0b3d8a58ecc884720a3ed57fd5cb1eb3ab6d6588a6c22265acad15bad EAP-Message = 0xaade04d74274d3f88d15932924f524eed688578761c114e7140301000101160301003004903e31b67d27b0bd637926db96e06f986d29e87babe80894627deed61fe3df128a74864e9a5476c0a58340aab4a7c9 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.16.15.57 port 1036 EAP-Message = 0x01050041190014030100010116030100308669e55fd54bb312e722034e440cc89da9572b59e5fe404548a0ffaba858b0e3acd9c4a9fc0afb4c7e98bd9ef665cc7a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ea990f4bc37318d43ce26de7 Finished request 14. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=5, length=208 Message-Authenticator = 0xbe2776375b4e10ab3f30444b3ace7d8a Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ea990f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.16.15.57 port 1036 EAP-Message = 0x0106002b19001703010020336f1efa15562f7ec63d5a266a4ae594c54e973da46098c6b50fc906e6a6f50b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0eb9a0f4bc37318d43ce26de7 Finished request 15. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=6, length=245 Message-Authenticator = 0x13b610bf50f117d1384d073b43625dec Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0eb9a0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206002b1900170301002007db074f7d46924de79aecb4a8341354a13dff53821c77586e64075cd4579212 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bob [peap] Got inner identity 'bob' [peap] Setting default EAP type for tunneled EAP session. 
[peap] Got tunneled request EAP-Message = 0x0206000801626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0206000801626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ba3714d3ba46ba312c4d56b659c6f28 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ba3714d3ba46ba312c4d56b659c6f28 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.15.57 port 1036 EAP-Message = 0x0107003b190017030100305098dffb457482369d0a6ca4edb03a7362a3576cbcb7976426a24c938797a00685892c96b169a0cee843e8213e0f1ba0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0e89b0f4bc37318d43ce26de7 Finished request 16. 
Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=7, length=293 Message-Authenticator = 0x4d87ac714c2dd5f1386fa20d1ec9d726 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0e89b0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207005b1900170301005088a6556be482f16c6160b5d7b7491a57531befe9dba60a051bbfb7b5f1048c62e587d3f8626c3bf6cef973d56912f54af6fe66eaeac67f32132086a0e57dcc8931082247f05059dad398c9955e215ee4 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62
server {
  PEAP: Setting User-Name to bob
Sending tunneled request
    EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "bob"
    State = 0x3ba3714d3ba46ba312c4d56b659c6f28
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: bob
[mschap] Told to do MS-CHAPv2 for bob with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.16.15.57 port 1036
    EAP-Message = 0x0108002b19001703010020a4fa56ea5314462b9c6b1d0de620729da0601187d25fd2d532da2b68c0b86e35
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xee9c16b0e9940f4bc37318d43ce26de7
Finished request 17.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=8, length=245
    Message-Authenticator = 0xcf8322e778b5603e0bc5c162899a06b9
    Service-Type = Framed-User
    User-Name = "bob"
    Framed-MTU = 1488
    State = 0xee9c16b0e9940f4bc37318d43ce26de7
    Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
    Calling-Station-Id = "10-40-F3-95-22-24"
    NAS-Identifier = "3Com Access Point 7760"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x0208002b1900170301002055063fcb378b90263f36683d8bd9718d1f4d94963c882c3685c815dee3d336f1
    NAS-IP-Address = 192.168.1.11
    NAS-Port = 3
    NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 18 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 18
Sending Access-Reject of id 8 to 172.16.15.57 port 1036
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.

I think I'm missing something in the configuration, any ideas?

Regards.

Alfonso.

On Apr 23, 2012, at 3:14 PM, Matthew Newton wrote:

> On Mon, Apr 23, 2012 at 12:48:33PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
>> bob Cleartext-Password := "Test"
>>
>> and we would like to use the following:
>>
>> bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"
>
> There are non-hex chars in that string, so it's never going to work.
>
>> What changes do we need to do in order to allow that kind of authentication,
>> any ideas?
>
> It works fine. Generate password:
>
> $ echo -n Test | md5sum
> 0cbc6611f5540bd0809a388dc95a615b  -
>
> Add to users:
>
> bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b"
>
> Check:
>
> $ radtest bob Test localhost 1 testing123
> Sending Access-Request of id 73 to 127.0.0.1 port 1812
>     User-Name = "bob"
>     User-Password = "Test"
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 1
>     Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=73, length=20
>
> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. <m...@le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
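Added example (not part of either message above, and not FreeRADIUS code): a small checker that runs the three users-file entries quoted in this thread against the two facts the messages show, namely that an MD5-Password value must be hex and that the [mschap] module in the debug output asks for an NT-Password or a Cleartext-Password. The one-line entry syntax, the hex-only encoding, the names check_entry and md5_password, and the "pap"/"mschapv2" labels are assumptions made for the example.

```python
import hashlib
import re

# Attributes from which MS-CHAPv2 can be verified: the debug log above asks
# for NT-Password, or Cleartext-Password to derive it from.
MSCHAP_USABLE = {"Cleartext-Password", "NT-Password"}
# Assumption: hash values are hex-encoded, as in the thread (32 hex digits).
HEX_LEN = {"MD5-Password": 32, "NT-Password": 32}
# Assumption: simplified one-line entry syntax: user Attr := "value"
ENTRY = re.compile(r'^(\S+)\s+([\w-]+)\s*:=\s*"([^"]*)"\s*$')


def md5_password(cleartext):
    """Hex MD5 of the password, equivalent to `echo -n pw | md5sum`."""
    return hashlib.md5(cleartext.encode()).hexdigest()


def check_entry(line, inner_method):
    """Return a list of problems; inner_method is 'pap' or 'mschapv2'."""
    m = ENTRY.match(line.strip())
    if not m:
        return ["line not in the simplified syntax"]
    _user, attr, value = m.groups()
    problems = []
    if attr in HEX_LEN:
        bad = "".join(sorted(set(value.lower()) - set("0123456789abcdef")))
        if bad:
            problems.append(f"{attr}: non-hex characters '{bad}'")
        if len(value) != HEX_LEN[attr]:
            problems.append(f"{attr}: {len(value)} characters, expected {HEX_LEN[attr]}")
    if inner_method == "mschapv2" and attr not in MSCHAP_USABLE:
        problems.append(f"{attr}: MS-CHAPv2 needs Cleartext-Password or NT-Password")
    return problems


# Entries quoted in the thread.
SAMPLES = [
    'bob Cleartext-Password := "Test"',
    'bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"',
    'bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b"',
]

if __name__ == "__main__":
    for entry in SAMPLES:
        for method in ("pap", "mschapv2"):
            print(f"{method:9} {entry}")
            for problem in check_entry(entry, method) or ["ok"]:
                print(f"          -> {problem}")
```

A one-way MD5 digest cannot be turned into the NT hash that MS-CHAPv2 is checked against, so the well-formed MD5-Password entry passes for PAP (the radtest case) and is still flagged for the PEAP inner method.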