On 02/22/2011 01:45 PM, Raúl Tejeda Calero wrote:
Hello Raúl,
>> However, it looks like you are using mikem as the username and it does
>> not get changed. Or is mikem exactly what you use with your client? You
>> may try commenting out RewriteUsername while you do testing.
>
> I have tried it. Using rewrite username with $1 (mikem), $2 (anonymous) and
> without "rewriteusername". And the result was the same.
Ok, so the username goes end-to-end without changes and is mikem. The
last of these three lines from your log shows that information was found
for user mikem:
Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with
mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem
[anonymous]
Since we know that the user exists, I would say there is something wrong
with your users file /etc/radiator/users or the password is typed in
incorrectly.
Your PEAP config looks good and the log does not show anything special.
>> About your clients file. If you really had this:
>> mikem user-password = xxxxx
>> you would get an error since user-name is not written as User-Password.
>> The error would be something like this: "Check item user-password
>> expression 'password' does not match '' in request" for a line like this
>> in the users file:
>> mikem user-password = "password"
>
> Sorry, it was a writing-mistake. My user file is correct and works with AAA.
>
> Any troubleshooting idea?
Please post your users file too. The log shows it contains mikem as user
name, but I would like to see the rest too.
Thanks!
Heikki
> Regards and thanks in advance,
> Raúl Tejeda
>
> New Radius.cfg:
>>
>> ######################################################################################################
>>
>> ######################################################################################################
>>
>> #basic configuration
>> # inner auth with MS-CHAP-V2
>> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
>> Identifier EAP-MSCHAP-V2
>> <AuthBy FILE>
>> EAPType MSCHAP-V2
>> Filename %D/users
>> </AuthBy>
>> </Handler>
>>
>> # outer auth with just PEAP
>> <Handler NAS-IP-Address="<IP-WLC>">
>> Identifier EAP-PEAP
>> <AuthBy FILE>
>> EAPType PEAP
>> Filename %D/users-eap
>> EAPTLS_CAFile %D/certificados/CA.pem
>> EAPTLS_CAPath %D/certificados
>> EAPTLS_CertificateFile %D/certificados/Serv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificados/Serv.key
>> EAPTLS_MaxFragmentSize 1000
>> </AuthBy>
>> </Handler>
>>
>
>
> New logfile:
> ######################################################################################################
>
> ######################################################################################################
> Tue Feb 22 12:23:03 2011: NOTICE: SIGTERM received: stopping
> Tue Feb 22 12:23:04 2011: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Tue Feb 22 12:23:04 2011: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Tue Feb 22 12:23:04 2011: DEBUG: Creating authentication port <RAD IP>:1812
> Tue Feb 22 12:23:04 2011: DEBUG: Creating accounting port <RAD IP>:1813
> Tue Feb 22 12:23:04 2011: NOTICE: Server started: Radiator 4.7 on <hostname>
>
> #############################################################################################
> # SOME Access Request - Access Challenge - PEAP -> MSCHAP-V2
> ################################
> #############################################################################################
>
>
>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 216
> Authentic: <140>x<254>U/o<215><214>E<160><14><205><2><183><224><144>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<MAC AP>"
> Called-Station-Id = "<MAC WLC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message =
> <2><12><0>W<25><0><23><3><1><0>L<1>{<230><144><241><7>|@<227>X<193>?<17><222>Z<183><20><11>}m<160><236><181>OX<132><148>-<226><201><25>G<27><18><25><216>s<222>`_<203><154><14><227>[[<<166><180>q<135><162><154><211>wF<21><217><157>M<17><157><136><131>=<209><142><10><161><188><216><157><153>jo<201>
> Message-Authenticator =
> L<19>b<233><240><218><211>k<155><135><167>aww<23><226>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler
> 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for
> anonymous
> Tue Feb 22 12:23:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
> EAP-Message =
> <2><12><0><<26><2><12><0>;1<177><183>Jv<24>KJ<169>I<169><31><140><251>,.<214><0><0><0><0><0><0><0><0>I<175>d<206><166><160>Gn-<233>Q<12>{<5><186><12><178><166><217><189><232><28><176>h<0>mikem
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> NAS-Port = 13
> Calling-Station-Id = "<MAC AP>"
> User-Name = "anonymous"
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler
> 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for anonymous, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 26
> Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem
> [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication
> failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2
> Authentication failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2
> Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
> EAP-Message = <4><12><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication
> redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP
> inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Access challenged for mikem: EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 216
> Authentic: <20><212><236><140>G<192>iVF<225><234><248><165><239><128><171>
> Attributes:
> EAP-Message =
> <1><13><0>&<25><0><23><3><1><0><27>w<235><158><132><202><146><217><246><174><196><159><127><135><233><217>r<211><153><190><150>Hq<178>B<164><3><7>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 217
> Authentic: R<139><173><202><152><143>oz<172>R<195><214>z+<235>1
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<MAC AP>"
> Called-Station-Id = "<MAC WLC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message =
> <2><13><0>&<25><0><23><3><1><0><27>z<1><138><217><25>S<183><234>'<1><162><214><176>x
> V<147>=<194>7<218><164><239>L<245>GO
> Message-Authenticator =
> S<23><243>80<10><196>M<204><173><253><181><245><<227>U
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler
> 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, PEAP
> Authentication Failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP
> Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Reject
> Identifier: 217
> Authentic: $<9>N<172><128><12>v<252><235><204><183><194><31><142>Qi
> Attributes:
> EAP-Message = <4><13><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
