On 02/22/2011 01:45 PM, Raúl Tejeda Calero wrote:

Hello Raúl,

>> However, it looks like you are using mikem as the username and it does
>> not get changed. Or is mikem exactly what you use with your client? You
>> may try commenting out RewriteUsername while you do testing.
>
> I have tried it. Using rewrite username with $1 (mikem), $2 (anonymous) and
> without "rewriteusername". And the result was the same.

Ok, so the username goes end-to-end without changes and is mikem. The last of these three lines from your log shows that information was found for user mikem:

Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]

Since we know that the user exists, I would say there is something wrong with your users file /etc/radiator/users or the password is typed in incorrectly. Your PEAP config looks good and the log does not show anything special.

>> About your clients file. If you really had this:
>> mikem user-password = xxxxx
>> you would get an error since user-name is not written as User-Password.
>> The error would be something like this: "Check item user-password
>> expression 'password' does not match '' in request" for a line like this
>> in the users file:
>> mikem user-password = "password"
>
> Sorry, it was a writing mistake. My user file is correct and works with AAA.
>
> Any troubleshooting idea?

Please post your users file too. The log shows it contains mikem as user name, but I would like to see the rest too.

Thanks!
Heikki

> Regards and thanks in advance,
> Raúl Tejeda
>
> New Radius.cfg:
>>
>> ######################################################################################################
>>
>> ######################################################################################################
>>
>> #basic configuration
>> # inner auth with MS-CHAP-V2
>> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
>>     Identifier EAP-MSCHAP-V2
>>     <AuthBy FILE>
>>         EAPType MSCHAP-V2
>>         Filename %D/users
>>     </AuthBy>
>> </Handler>
>>
>> # outer auth with just PEAP
>> <Handler NAS-IP-Address="<IP-WLC>">
>>     Identifier EAP-PEAP
>>     <AuthBy FILE>
>>         EAPType PEAP
>>         Filename %D/users-eap
>>         EAPTLS_CAFile %D/certificados/CA.pem
>>         EAPTLS_CAPath %D/certificados
>>         EAPTLS_CertificateFile %D/certificados/Serv.pem
>>         EAPTLS_CertificateType PEM
>>         EAPTLS_PrivateKeyFile %D/certificados/Serv.key
>>         EAPTLS_MaxFragmentSize 1000
>>     </AuthBy>
>> </Handler>
>>
>
> New logfile:
> ######################################################################################################
>
> ######################################################################################################
> Tue Feb 22 12:23:03 2011: NOTICE: SIGTERM received: stopping
> Tue Feb 22 12:23:04 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Feb 22 12:23:04 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Tue Feb 22 12:23:04 2011: DEBUG: Creating authentication port <RAD IP>:1812
> Tue Feb 22 12:23:04 2011: DEBUG: Creating accounting port <RAD IP>:1813
> Tue Feb 22 12:23:04 2011: NOTICE: Server started: Radiator 4.7 on <hostname>
>
> #############################################################################################
> # SOME Access Request - Access Challenge - PEAP -> MSCHAP-V2
> ################################
> #############################################################################################
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 216
> Authentic: <140>x<254>U/o<215><214>E<160><14><205><2><183><224><144>
> Attributes:
>     User-Name = "mikem"
>     Calling-Station-Id = "<MAC AP>"
>     Called-Station-Id = "<MAC WLC>:Prueba"
>     NAS-Port = 13
>     NAS-IP-Address = <WLC IP>
>     NAS-Identifier = "<WLC 1>"
>     Airespace-WLAN-Id = 4
>     Service-Type = Framed-User
>     Framed-MTU = 1300
>     NAS-Port-Type = Wireless-IEEE-802-11
>     Tunnel-Type = 0:VLAN
>     Tunnel-Medium-Type = 0:802
>     Tunnel-Private-Group-ID = 509
>     EAP-Message = <2><12><0>W<25><0><23><3><1><0>L<1>{<230><144><241><7>|@<227>X<193>?<17><222>Z<183><20><11>}m<160><236><181>OX<132><148>-<226><201><25>G<27><18><25><216>s<222>`_<203><154><14><227>[[<<166><180>q<135><162><154><211>wF<21><217><157>M<17><157><136><131>=<209><142><10><161><188><216><157><153>jo<201>
>     Message-Authenticator = L<19>b<233><240><218><211>k<155><135><167>aww<23><226>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb 22 12:23:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
>     EAP-Message = <2><12><0><<26><2><12><0>;1<177><183>Jv<24>KJ<169>I<169><31><140><251>,.<214><0><0><0><0><0><0><0><0>I<175>d<206><166><160>Gn-<233>Q<12>{<5><186><12><178><166><217><189><232><28><176>h<0>mikem
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     NAS-IP-Address = <WLC IP>
>     NAS-Identifier = "<WLC 1>"
>     NAS-Port = 13
>     Calling-Station-Id = "<MAC AP>"
>     User-Name = "anonymous"
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for anonymous, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 26
> Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
>     EAP-Message = <4><12><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
>
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 216
> Authentic: <20><212><236><140>G<192>iVF<225><234><248><165><239><128><171>
> Attributes:
>     EAP-Message = <1><13><0>&<25><0><23><3><1><0><27>w<235><158><132><202><146><217><246><174><196><159><127><135><233><217>r<211><153><190><150>Hq<178>B<164><3><7>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 217
> Authentic: R<139><173><202><152><143>oz<172>R<195><214>z+<235>1
> Attributes:
>     User-Name = "mikem"
>     Calling-Station-Id = "<MAC AP>"
>     Called-Station-Id = "<MAC WLC>:Prueba"
>     NAS-Port = 13
>     NAS-IP-Address = <WLC IP>
>     NAS-Identifier = "<WLC 1>"
>     Airespace-WLAN-Id = 4
>     Service-Type = Framed-User
>     Framed-MTU = 1300
>     NAS-Port-Type = Wireless-IEEE-802-11
>     Tunnel-Type = 0:VLAN
>     Tunnel-Medium-Type = 0:802
>     Tunnel-Private-Group-ID = 509
>     EAP-Message = <2><13><0>&<25><0><23><3><1><0><27>z<1><138><217><25>S<183><234>'<1><162><214><176>xV<147>=<194>7<218><164><239>L<245>GO
>     Message-Authenticator = S<23><243>80<10><196>M<204><173><253><181><245><<227>U
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Reject
> Identifier: 217
> Authentic: $<9>N<172><128><12>v<252><235><204><183><194><31><142>Qi
> Attributes:
>     EAP-Message = <4><13><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
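Added example, not part of the thread and not Radiator's own code: a small Python triage script that walks a Radiator DEBUG log like the one quoted above and reports which Handlers were selected, whether the inner AuthBy FILE lookup matched the identity, and whether that match was followed by an EAP MSCHAP-V2 failure, which is the pattern Heikki points at (user found, password check failed). The sample log lines are constructed from the quoted log; the regexes and verdict labels are my own.

```python
import re

# Constructed sample, modelled on the Radiator 4.7 DEBUG log quoted in the
# thread; the <WLC IP> placeholders are kept exactly as the poster redacted them.
SAMPLE_LOG = """\
Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
"""

# Patterns follow the message formats visible in the quoted log.
HANDLER = re.compile(r"Handling request with Handler '(?P<sel>.*)', Identifier '(?P<id>[^']*)'")
LOOKUP = re.compile(r"AuthFILE looks for match with (?P<user>\S+) \[(?P<outer>[^\]]*)\]")
ACCEPT = re.compile(r"AuthFILE ACCEPT: : (?P<user>\S+) \[")
REJECT = re.compile(r"INFO: Access rejected for (?P<user>\S+): (?P<reason>.*)$")

def triage(log_text):
    """Walk one PEAP/MSCHAP-V2 attempt and say at which stage it broke."""
    handlers, lookups, accepted, rejects = [], [], [], []
    for line in log_text.splitlines():
        if m := HANDLER.search(line):
            handlers.append(m["id"])
        elif m := LOOKUP.search(line):
            lookups.append(m["user"])
        elif m := ACCEPT.search(line):
            accepted.append(m["user"])
        elif m := REJECT.search(line):
            rejects.append((m["user"], m["reason"]))
    if not any("MSCHAP-V2" in h for h in handlers):
        verdict = "no-inner-handler"    # TunnelledByPEAP=1 Handler never selected
    elif not lookups:
        verdict = "no-lookup"           # inner Handler ran but never consulted the users file
    elif not accepted:
        verdict = "user-not-found"      # users file consulted, no entry matched the identity
    elif any("MSCHAP-V2" in r for _, r in rejects):
        verdict = "password-mismatch"   # entry matched, MSCHAP-V2 response did not verify
    else:
        verdict = "inner-auth-ok"
    return {"handlers": handlers, "looked_up": lookups, "accepted": accepted,
            "rejects": rejects, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "user-not-found" verdict points at the users file itself; "password-mismatch" points at the stored password versus what the client sends, which is the distinction Heikki draws.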