使用freeradius 2.1.12版本测试 EAP-PEAP认证过程中,总是无法认证成功,查看相关的LOG显示, EAP-TLS 和 TUNNEL都已经完成,但是在mschapv2过程中出现报错,
经过检查 default文件中eap和sql相关的配置都配置没有问题;进一步分析LOG,报错位置在 Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel,因此
重点分析 inner-tunnel 文件,发现 server inner-tunnel 项下 sql 模块并未放开,从而导致认真过程中无法查到对应的用户。将sql模块放开,再次测试可以成功认证了。
附radius LOG:
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252182413cfe24d5a185fce21670
EAP-Message = 0x02ca00061900
Message-Authenticator = 0x0af65760553e31c79b9723cd74ce955d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 202 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.1.1 port 1812
EAP-Message = 0x01cb002b190017030100208f5f2856e0d38769c25a80f99b6e8769ab6248a090d042536582634939f5d312
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252181403cfe24d5a185fce21670
Finished request 20.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=91, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252181403cfe24d5a185fce21670
EAP-Message = 0x02cb002b190017030100209736b1d515854cf8078894adcd353f9b5c27380bd9a79cbca97515a2f5e34518
Message-Authenticator = 0x2acacf7a967b7b5c370896f75004c58d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 203 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - wyw
[peap] Got inner identity 'wyw'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02cb000801777977
server {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cb000801777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 203 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.1.1 port 1812
EAP-Message = 0x01cc003b19001703010030a6be5436fa853a6f715e74f502eef9bcc414e4c1e2f491f3122577b61201b3211f7ca0aa31c23ba34e1fcebc76342622
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252180473cfe24d5a185fce21670
Finished request 21.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=92, length=326
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252180473cfe24d5a185fce21670
EAP-Message = 0x02cc005b1900170301005017477f31595d6a842d698f0a447f929c0c3f7686e4e78706e3c328cf412a7f2cc64c59680093a1ffe1219560e1f24e93dfa60b56ca1bdf44fc5355322b267547d2360080e57295accccf7f7691cd9698
Message-Authenticator = 0xa3923431814672b2cf8e350cae8c0564
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 204 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
server {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
State = 0x03a77cf3036b6607e9508ac9687cba29
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 204 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: wyw
[mschap] Client is using MS-CHAPv2 for wyw, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.1.1 port 1812
EAP-Message = 0x01cd002b19001703010020993478f9be023a7ee7a29d6b3c044c46d0db59828f7d4df179e1ffecbd7c8707
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b25218f463cfe24d5a185fce21670
Finished request 22.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=93, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b25218f463cfe24d5a185fce21670
EAP-Message = 0x02cd002b19001703010020d91727067896ae944ad11027b8046af0edea010e7dca7787fb220fe6ef715e43
Message-Authenticator = 0xa502ea6d3f33af69dd18a9fca2e08f26
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 205 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]
expand: %{User-Name} -> wyw
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 93 to 192.168.1.1 port 1812
EAP-Message = 0x04cd0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.