Hi, I'm still having problems with my PEAP-MSCHAP-V2 configuration.
But the problem seems more complex this time and I'm not sure I understand the process. The log shows this:

Schema:
1) EAPChallenge for mikem
2) Access challenged for anonymous: EAP PEAP Challenge
3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
4) EAP PEAP inner authentication request for anonymous
5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
6) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
7) Radius::AuthFILE looks for match with mikem [anonymous]
   Radius::AuthFILE ACCEPT: : mikem [anonymous]
   EAP result: 1, EAP MSCHAP-V2 Authentication failure

Thanks for the help.

Raúl Tejeda

** Details: **

Radius.cfg:
######################################################################
# Basic radius configuration
#
# outer auth with just PEAP
<Handler NAS-IP-Address="<WLC-IP>">
    <AuthBy FILE>
        EAPType PEAP, MSCHAP-V2
        Filename %D/users-eap
        EAPTLS_CAFile %D/certificados/CAxxx.pem
        EAPTLS_CAPath %D/certificados
        EAPTLS_CertificateFile %D/certificados/serverxxx.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
        EAPTLS_MaxFragmentSize 500
    </AuthBy>
</Handler>

# inner auth with MS-CHAP-V2
<Handler NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1>
    <AuthBy FILE>
        RewriteUsername s/(.*)\\(.*)/$2/
        EAPType MSCHAP-V2
        Filename %D/users
        EAPTLS_CAFile %D/certificados/CAxxx.pem
        EAPTLS_CertificateFile %D/certificados/serverxxx.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
        EAPTLS_MaxFragmentSize 500
    </AuthBy>
</Handler>

User-Files:
######################################################################
users:
---------------------------------------
mikem user-password = xxxxx

users-eap:
---------------------------------------
anonymous
mikem user-password = xxxxx

COMPLETE LOG
######################################################################
Wed Feb 16 11:04:58 2011: NOTICE: SIGTERM received: stopping
Wed Feb 16 11:04:58 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Wed Feb 16 11:04:58 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Wed Feb 16 11:04:58 2011: DEBUG: Creating authentication port <IP RAD>:1812
Wed Feb 16 11:04:58 2011: DEBUG: Creating accounting port <IP RAD>:1813
Wed Feb 16 11:04:58 2011: NOTICE: Server started: Radiator 4.7 on <serv radius>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 203
Authentic: i<207><154><255><143><255>_<24><252>[<31>*2<2>i<30>
Attributes:
    User-Name = "mikem"
    Calling-Station-Id = "<MAC-PC>"
    Called-Station-Id = "<MAC-WLC>:Prueba"
    NAS-Port = 13
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    Airespace-WLAN-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-IEEE-802-11
    Tunnel-Type = 0:VLAN
    Tunnel-Medium-Type = 0:802
    Tunnel-Private-Group-ID = 509
    EAP-Message = <2><2><0><10><1>mikem
    Message-Authenticator = <12>n<27><237><234><217><3>E<20><184><6>@<129><17><140><135>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
Wed Feb 16 11:05:12 2011: DEBUG: Response type 1
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 203
Authentic: :<156>A<30>"<246>%{<237>KQ8<208><228><178>_
Attributes:
    EAP-Message = <1><3><0><6><25>!
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

##Some similar messages####################################################################

Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 212
Authentic: <201><161><203>W<165>C<169><14><245><177>V<217><178><164><30><216>
Attributes:
    User-Name = "mikem"
    Calling-Station-Id = "<MAC-PC>"
    Called-Station-Id = "<MAC-WLC>:Prueba"
    NAS-Port = 13
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    Airespace-WLAN-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-IEEE-802-11
    Tunnel-Type = 0:VLAN
    Tunnel-Medium-Type = 0:802
    Tunnel-Private-Group-ID = 509
    EAP-Message = <2><11><0>!<25><0><23><3><1><0><22><185><224>-$Z<208><127>BM<146>R<173><151>]<128><196><139>:q<225>a<179>
    Message-Authenticator = <194><4><19>m<210><11><252>o<12>4k<220>D<142>Bz
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 11, 33, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: W<31><131>I<185>5<14><133><132>(B<131><26>D<25>X
Attributes:
    EAP-Message = <2><11><0><6><1>mikem
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    NAS-Port = 13
    Calling-Station-Id = "<MAC-PC>"
    User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 11, 6, 1
Wed Feb 16 11:05:12 2011: DEBUG: Response type 1
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for anonymous: EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: W<31><131>I<185>5<14><133><132>(B<131><26>D<25>X
Attributes:
    EAP-Message = <1><12><0><6><25>!
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 212
Authentic: <191><164>/<156><7>!>{=<134>:H<204><183><19>H
Attributes:
    EAP-Message = <1><12><0><29><25><0><23><3><1><0><18><231><246><253>}Q<7>^+<208><141><141>N<135>D<225><160><187><213>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 213
Authentic: <233><173>P]$<25><167><6><6><250>3<200><165><138>:u
Attributes:
    User-Name = "mikem"
    Calling-Station-Id = "<MAC-PC>"
    Called-Station-Id = "<MAC-WLC>:Prueba"
    NAS-Port = 13
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    Airespace-WLAN-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-IEEE-802-11
    Tunnel-Type = 0:VLAN
    Tunnel-Medium-Type = 0:802
    Tunnel-Private-Group-ID = 509
    EAP-Message = <2><12><0><29><25><0><23><3><1><0><18><<248><228><171>*_j<215>0&tF:<169>[6<170><238>
    Message-Authenticator = [a<239>q<192>v<222><145>,Y<230><173><172><250>?<181>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 12, 29, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <134><206><195><16><234><142><185>m<138><152><139>E<21><234>1<
Attributes:
    EAP-Message = <2><12><0><2><3><26>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    NAS-Port = 13
    Calling-Station-Id = "<MAC-PC>"
    User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 12, 2, 3
Wed Feb 16 11:05:12 2011: DEBUG: Response type 3
Wed Feb 16 11:05:12 2011: DEBUG: EAP Nak desires type 26
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: <134><206><195><16><234><142><185>m<138><152><139>E<21><234>1<
Attributes:
    EAP-Message = <1><13><0>'<26><1><13><0>"<16>w<254><199><198><216><139>^f<201>^<134><222><217><204><227>w<serv radius>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 213
Authentic: [<146><163><18>Y<205><217>!;[<244><149><146>'d<147>
Attributes:
    EAP-Message = <1><13><0>><25><0><23><3><1><0>3<146>N0:#\f<216><162><12>p<181>]<249>`<159><170>|%j<247><20>y<22>10<246>o<209><170><21><194><147>{<207><194><185><152>e<5><149><235><241>v<10><173>_<30>Btk
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 214
Authentic: <243>'<235><188><26><13><226><180>9X7?<167>r[<192>
Attributes:
    User-Name = "mikem"
    Calling-Station-Id = "<MAC-PC>"
    Called-Station-Id = "<MAC-WLC>:Prueba"
    NAS-Port = 13
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    Airespace-WLAN-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-IEEE-802-11
    Tunnel-Type = 0:VLAN
    Tunnel-Medium-Type = 0:802
    Tunnel-Private-Group-ID = 509
    EAP-Message = <2><13><0>W<25><0><23><3><1><0>L/4>0o<214>_<204>\<247><26>v<193>a<189>wT<214>t<177>YX<206><219><196><141>E<19><216><190>7g<215><161>#<176><11><0><162>;<127><183>@<253><255>[r<14><12>><134>k-<171>Z<1>M<146><179>{<165><135><217>|<157>D<218><166><216><189><27><173>'<169>!<156>
    Message-Authenticator = <213><253>$<9>x<214>0<222><178><14>S<183><215>3<213><27>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 13, 87, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <147><157><28><11><16><21><16><216><133>P<153><224>'Q<142><15>
Attributes:
    EAP-Message = <2><13><0><<26><2><13><0>;1<196><192><1><248><8><179><247>|<24>Pd<204><26><149><177><156><0><0><0><0><0><0><0><0>iS_<168><157>v<220>?tav<2><169><196><255>j<149><178><162><14><187>^<155>c<0>mikem
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    NAS-IP-Address = <IP WLC>
    NAS-Identifier = "WLC-1"
    NAS-Port = 13
    Calling-Station-Id = "<MAC-PC>"
    User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 13, 60, 26
Wed Feb 16 11:05:12 2011: DEBUG: Response type 26
Wed Feb 16 11:05:12 2011: DEBUG: Reading users file /etc/radiator/users-eap
Wed Feb 16 11:05:12 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Wed Feb 16 11:05:12 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <147><157><28><11><16><21><16><216><133>P<153><224>'Q<142><15>
Attributes:
    EAP-Message = <4><13><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    Reply-Message = "Request Denied"
######################################################################

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
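
Added example, not part of the original post and not Radiator code: a small Python check that walks a Radiator debug log like the one above and reports which Handler each PEAP tunnelled (inner) request was dispatched to, flagging inner requests taken by a Handler whose name lacks TunnelledByPEAP. The sample log is constructed (192.0.2.10 is a placeholder address), and the check assumes a Handler's name in the log is its check-item string, as in the log lines above.

```python
import re

# Constructed sample modelled on the debug lines in the post above;
# 192.0.2.10 is a placeholder standing in for the WLC address.
SAMPLE_LOG = """\
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="192.0.2.10"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="192.0.2.10"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Reading users file /etc/radiator/users-eap
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
"""

# Events of interest. finditer() is used instead of line splitting so the
# check also works on a log whose line breaks were lost in transit.
EVENT = re.compile(
    r"(?P<tunnel>PEAP Tunnelled request)"
    r"|Handling request with Handler '(?P<handler>.*?)', Identifier"
    r"|Reading users file (?P<users>\S+)"
)

def trace_dispatch(log_text):
    """Return one record per dispatched request: whether it was an inner
    (tunnelled) request, the Handler that took it, and users files read."""
    records, pending_inner = [], False
    for m in EVENT.finditer(log_text):
        if m.group("tunnel"):
            pending_inner = True  # the next Handler line belongs to the inner request
        elif m.group("handler") is not None:
            records.append({"inner": pending_inner,
                            "handler": m.group("handler"),
                            "users_files": []})
            pending_inner = False
        elif records:
            records[-1]["users_files"].append(m.group("users"))
    return records

def misrouted_inner(records, marker="TunnelledByPEAP"):
    """Inner requests taken by a Handler whose check items lack the marker."""
    return [r for r in records if r["inner"] and marker not in r["handler"]]

if __name__ == "__main__":
    for rec in misrouted_inner(trace_dispatch(SAMPLE_LOG)):
        print("inner request handled by:", rec["handler"], rec["users_files"])
```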