[RADIATOR] PEAP Unknow Problem
Heikki Vatiainen
hvn at open.com.au
Wed Feb 23 15:40:32 CST 2011
On 02/22/2011 01:45 PM, Raúl Tejeda Calero wrote:
Hello Raúl,
>> However, it looks like you are using mikem as the username and it does
>> not get changed. Or is mikem exactly what you use with your client? You
>> may try commenting out RewriteUsername while you do testing.
>
> I have tried it. Using rewrite username with $1 (mikem), $2 (anonymous) and without "rewriteusername". And the result was the same.
Ok, so the username goes end-to-end without changes and is mikem. The
last of these three lines from your log shows that information was found
for user mikem:
Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with
mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem
[anonymous]
Since we know that the user exists, I would say there is something wrong
with your users file /etc/radiator/users or the password is typed in
incorrectly.
Your PEAP config looks good and the log does not show anything special.
>> About your clients file. If you really had this:
>> mikem user-password = xxxxx
>> you would get an error since user-name is not written as User-Password.
>> The error would be something like this: "Check item user-password
>> expression 'password' does not match '' in request" for a line like this
>> in the users file:
>> mikem user-password = "password"
>
> Sorry, it was a writing-mistake. My user file is correct and works with AAA.
>
> Any troubleshooting idea?
Please post your users file too. The log shows it contains mikem as user
name, but I would like to see the rest too.
Thanks!
Heikki
> Regards and thanks in advance,
> Raúl Tejeda
>
> New Radius.cfg:
>> ######################################################################################################
>> ######################################################################################################
>>
>> #basic configuration
>> # inner auth with MS-CHAP-V2
>> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
>> Identifier EAP-MSCHAP-V2
>> <AuthBy FILE>
>> EAPType MSCHAP-V2
>> Filename %D/users
>> </AuthBy>
>> </Handler>
>>
>> # outer auth with just PEAP
>> <Handler NAS-IP-Address="<IP-WLC>">
>> Identifier EAP-PEAP
>> <AuthBy FILE>
>> EAPType PEAP
>> Filename %D/users-eap
>> EAPTLS_CAFile %D/certificados/CA.pem
>> EAPTLS_CAPath %D/certificados
>> EAPTLS_CertificateFile %D/certificados/Serv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificados/Serv.key
>> EAPTLS_MaxFragmentSize 1000
>> </AuthBy>
>> </Handler>
>>
>
>
> New logfile:
> ###################################################################################################### ######################################################################################################
> Tue Feb 22 12:23:03 2011: NOTICE: SIGTERM received: stopping
> Tue Feb 22 12:23:04 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Feb 22 12:23:04 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Tue Feb 22 12:23:04 2011: DEBUG: Creating authentication port <RAD IP>:1812
> Tue Feb 22 12:23:04 2011: DEBUG: Creating accounting port <RAD IP>:1813
> Tue Feb 22 12:23:04 2011: NOTICE: Server started: Radiator 4.7 on <hostname>
>
> #############################################################################################
> # SOME Access Request - Access Challenge - PEAP -> MSCHAP-V2 ################################
> #############################################################################################
>
>
>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 216
> Authentic: <140>x<254>U/o<215><214>E<160><14><205><2><183><224><144>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<MAC AP>"
> Called-Station-Id = "<MAC WLC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message = <2><12><0>W<25><0><23><3><1><0>L<1>{<230><144><241><7>|@<227>X<193>?<17><222>Z<183><20><11>}m<160><236><181>OX<132><148>-<226><201><25>G<27><18><25><216>s<222>`_<203><154><14><227>[[<<166><180>q<135><162><154><211>wF<21><217><157>M<17><157><136><131>=<209><142><10><161><188><216><157><153>jo<201>
> Message-Authenticator = L<19>b<233><240><218><211>k<155><135><167>aww<23><226>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb 22 12:23:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
> EAP-Message = <2><12><0><<26><2><12><0>;1<177><183>Jv<24>KJ<169>I<169><31><140><251>,.<214><0><0><0><0><0><0><0><0>I<175>d<206><166><160>Gn-<233>Q<12>{<5><186><12><178><166><217><189><232><28><176>h<0>mikem
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> NAS-Port = 13
> Calling-Station-Id = "<MAC AP>"
> User-Name = "anonymous"
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for anonymous, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 26
> Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
> EAP-Message = <4><12><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 216
> Authentic: <20><212><236><140>G<192>iVF<225><234><248><165><239><128><171>
> Attributes:
> EAP-Message = <1><13><0>&<25><0><23><3><1><0><27>w<235><158><132><202><146><217><246><174><196><159><127><135><233><217>r<211><153><190><150>Hq<178>B<164><3><7>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code: Access-Request
> Identifier: 217
> Authentic: R<139><173><202><152><143>oz<172>R<195><214>z+<235>1
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<MAC AP>"
> Called-Station-Id = "<MAC WLC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC IP>
> NAS-Identifier = "<WLC 1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message = <2><13><0>&<25><0><23><3><1><0><27>z<1><138><217><25>S<183><234>'<1><162><214><176>x V<147>=<194>7<218><164><239>L<245>GO
> Message-Authenticator = S<23><243>80<10><196>M<204><173><253><181><245><<227>U
>
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code: Access-Reject
> Identifier: 217
> Authentic: $<9>N<172><128><12>v<252><235><204><183><194><31><142>Qi
> Attributes:
> EAP-Message = <4><13><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list