> If it's "sometimes", then it would be wise to compare the debug log of
> when the client succeeds and when it does not. Also, IIRC RHEL5 has
> 2.1.12 already, so you should upgrade just in case this is a fixed
> bug.

Just updated my test server to 2.1.12. I now test with the rad_eap_test utility to eliminate a client failure. The behaviour gets stranger. The test utility also fails sometimes, but the RADIUS server seems to be OK now?

[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root@wlan-radius rad_eap_test-0.23]#

} # server inner-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
        EAP-Message = 0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98eeeef2f6e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226
        User-Name = "nagios"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
        Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nagios", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/<via Auth-Type = EAP>] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> nagios
[sql] sql_set_user escaped user --> 'nagios'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
        MS-MPPE-Recv-Key = 0x3a1be0edbc8566fc1b291ff8d09a4892ad61da4dc4a33927088e7c700d478e12
        MS-MPPE-Send-Key = 0x39a7512be1ea532b88619cf74533da41e180aeb57c6077287a98c82597f8cfa5
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
Finished request 780.
Going to the next request
Waking up in 0.1 seconds.

--
kind regards,
Stefan
_______________________
www.epb.at - Your IT Partner in East Austria