(RADIATOR) PEAP ms-chap-v2 "Desired EAP type 25 not permitted"
Mike McCauley
mikem at open.com.au
Wed Jun 11 07:58:34 CDT 2003
Hello,
You did not send your configuration file: it makes it much easier for us to
diagnose problems if you send your configuration file (no secrets)
It looks like you have your EAPType set to just MSCHAP-V2, and the client is
trying to do the outer authentication PEAP first.
You probably need to set your EAPType to
EAPType PEAP,MSCHAP-V2
See goodies/eap_peap.cfg for examples on how to configure for PEAP.
Cheers.
On Wed, 11 Jun 2003 09:55 pm, Mobic.com wrote:
> Hi
>
> I am testing different eap methods, and I have successfully tested:
>
> eap-md5
> eap-tls
> eap-ttls (ms-chap-v2)
>
> using the Odyssey supplicant.
>
> But I have problems testing peap (ms-chap-v2), the log says "Access
> rejected for testUser: Desired EAP type 25 not permitted" (see log file
> below).
>
> I am using the eap_multi.cfg configuration and the demo certificates. I am
> using the Zyxel B-1000 AP.
>
> Any ideas how to resolve this?
>
> This is what I get from the log:
>
> Code: Access-Request
> Identifier: 227
> Authentic: Q<236>o<156>GjC<226><150>e<179><16><30><251>Ba
> Attributes:
> User-Name = "testUser"
> NAS-IP-Address = 195.134.48.28
> NAS-Identifier = "WI_test"
> Framed-MTU = 1496
> Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> Calling-Station-Id = "00-04-75-df-ae-e3"
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2>)<0><6><13><0>
> Message-Authenticator =
> 8}<150><137><138><239><232><29><136><14>><21>;<243><241><6>
>
> Wed Jun 11 12:54:08 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:08 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:08 2003: DEBUG: Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:08 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:08 2003: DEBUG: Handling with EAP: code 2, 41, 6
> Wed Jun 11 12:54:08 2003: DEBUG: Response type 13
> Wed Jun 11 12:54:08 2003: DEBUG: Radius::AuthFILE looks for match with
> testUser
> Wed Jun 11 12:54:08 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Jun 11 12:54:08 2003: DEBUG: Access accepted for testUser
> Wed Jun 11 12:54:08 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code: Access-Accept
> Identifier: 227
> Authentic: Q<236>o<156>GjC<226><150>e<179><16><30><251>Ba
> Attributes:
> EAP-Message = <3>)<0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Received from 195.134.48.28 port 1026 ....
> Code: Access-Request
> Identifier: 228
> Authentic: Z<208><199><142><252>5<139>d<199><187><213>w<127><203>40
> Attributes:
> User-Name = "testUser"
> NAS-IP-Address = 195.134.48.28
> NAS-Identifier = "WI_test"
> Framed-MTU = 1496
> Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> Calling-Station-Id = "00-04-75-df-ae-e3"
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2>*<0><13><1>testUser
> Message-Authenticator =
> <130><194><168>'<178><146><147><156><142>x+<189><190><18>'*
>
> Wed Jun 11 12:54:35 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:35 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:35 2003: DEBUG: Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with EAP: code 2, 42, 13
> Wed Jun 11 12:54:35 2003: DEBUG: Response type 1
> Wed Jun 11 12:54:35 2003: DEBUG: Access challenged for testUser: EAP
> MSCHAP-V2 Challenge
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code: Access-Challenge
> Identifier: 228
> Authentic: Z<208><199><142><252>5<139>d<199><187><213>w<127><203>40
> Attributes:
> EAP-Message =
> <1>+<0>/<26><1>+<0>*<16>G4<193>lC:<216><191><12><189><133>|<244><22>!<227>i
>n novasjon.mobinor.no
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Received from 195.134.48.28 port 1026 ....
> Code: Access-Request
> Identifier: 229
> Authentic: <164><254>}w<153><236>?M<139><166><149>/<254><239><180><253>
> Attributes:
> User-Name = "testUser"
> NAS-IP-Address = 195.134.48.28
> NAS-Identifier = "WI_test"
> Framed-MTU = 1496
> Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> Calling-Station-Id = "00-04-75-df-ae-e3"
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2>+<0><6><3><25>
> Message-Authenticator =
> <180>h<24><219>a<149>,<159><201><249><236>rk<<161><28>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:35 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:35 2003: DEBUG: Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with EAP: code 2, 43, 6
> Wed Jun 11 12:54:35 2003: DEBUG: Response type 3
> Wed Jun 11 12:54:35 2003: INFO: EAP Nak desires type 25
> Wed Jun 11 12:54:35 2003: INFO: Access rejected for testUser: Desired EAP
> type 25 not permitted
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code: Access-Reject
> Identifier: 229
> Authentic: <164><254>}w<153><236>?M<139><166><149>/<254><239><180><253>
> Attributes:
> Reply-Message = "Request Denied"
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
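
The rejected exchange in the log above, decoded as an added example (not part of the original post and not Radiator's own code): it parses the `EAP-Message` dump notation, reads the Nak, and compares the desired type against an `EAPType` value. The name-to-number table uses the IANA EAP method numbers, and the permit check is a simplified model of the server's decision.

```python
import re
import struct

# IANA EAP method numbers; names follow the EAPType values used in this thread.
EAP_TYPES = {"TLS": 13, "TTLS": 21, "PEAP": 25, "MSCHAP-V2": 26}
EAP_RESPONSE = 2   # EAP code field
EAP_NAK = 3        # EAP type: "I want a different method"

def undump(text):
    """Turn the log's dump notation (<n> = decimal byte, else literal) into bytes."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

def parse_eap(raw):
    """Split an EAP packet into code, identifier, type and type-data."""
    if len(raw) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("bad EAP length field")
    body = raw[4:length]
    eap_type = body[0] if body else None
    return {"code": code, "id": ident, "type": eap_type, "data": body[1:]}

def nak_verdict(dump, eap_type_setting):
    """For a Nak, return (desired types, those permitted by the EAPType value)."""
    pkt = parse_eap(undump(dump))
    if pkt["code"] != EAP_RESPONSE or pkt["type"] != EAP_NAK:
        return None  # not a Nak, nothing to negotiate
    allowed = {EAP_TYPES[name.strip()] for name in eap_type_setting.split(",")}
    desired = list(pkt["data"])
    return desired, [t for t in desired if t in allowed]

# EAP-Message from the request that was rejected in the log above.
NAK = "<2>+<0><6><3><25>"

if __name__ == "__main__":
    print(parse_eap(undump(NAK)))               # code 2, id 43, type 3, data 25
    print(nak_verdict(NAK, "MSCHAP-V2"))        # only type 26 offered: no overlap
    print(nak_verdict(NAK, "PEAP,MSCHAP-V2"))   # suggested setting: 25 permitted
```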