Need help for adding dictionary and used for check item


Need help for adding dictionary and used for check item

吳子境 Matt.Wu/TP/FITI
Hello,

I have a problem adding a new dictionary in FreeRADIUS Version 2.2.8
and using the attribute as a users check item; it always responds with Access-Reject.

Below are my creation steps:
First, create 'dictionary.fitivision' in '/usr/share/freeradius2/', as follows:
# -*- text -*-
#
# As posted to the list.
#
# Version: $Id$
#
VENDOR Fitivision 49809
BEGIN-VENDOR Fitivision

ATTRIBUTE       Fitivision-Essid-Name              1     string

END-VENDOR Fitivision


And add an include in '/usr/share/freeradius2/dictionary':
$INCLUDE dictionary.fitivision

When I test it as a reply item, it works.

But when I use it as a check item, it always responds with Access-Reject.

The users config is as follows:
"test3" Cleartext-Password := "testpwd", Fitivision-Essid-Name == "test"

And the radius log is as follows:
radiusd: FreeRADIUS Version 2.2.8, for host arm-openwrt-linux-gnu, built on Apr 28 2017 at 10:22:04
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius2/radiusd.conf
including configuration file /etc/freeradius2/clients.conf
including files in directory /etc/freeradius2/modules/
including configuration file /etc/freeradius2/modules/attr_filter
including configuration file /etc/freeradius2/modules/attr_rewrite
including configuration file /etc/freeradius2/modules/chap
including configuration file /etc/freeradius2/modules/echo
including configuration file /etc/freeradius2/modules/exec
including configuration file /etc/freeradius2/modules/files
including configuration file /etc/freeradius2/modules/mschap
including configuration file /etc/freeradius2/modules/pap
including configuration file /etc/freeradius2/eap.conf
including files in directory /etc/freeradius2/sites/
including configuration file /etc/freeradius2/sites/default
main {
        allow_core_dumps = no
}
including dictionary file /etc/freeradius2/dictionary
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log"
        run_dir = "/var/run"
        libdir = "/usr/lib/freeradius2"
        radacctdir = "/var/db/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = no
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client 0.0.0.0/0 {
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
 }
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius2/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius2/modules/pap
  pap {
  encryption_scheme = "auto"
  auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius2/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius2/modules/mschap
  mschap {
  use_mppe = no
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = no
  allow_retry = yes
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius2/eap.conf
  eap {
  default_eap_type = "peap"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/freeradius2/certs"
    pem_file_type = yes
    private_key_file = "/etc/freeradius2/certs/server.pem"
    certificate_file = "/etc/freeradius2/certs/server.pem"
    CA_file = "/etc/freeradius2/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/etc/freeradius2/certs/dh"
    random_file = "/etc/freeradius2/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    verify {
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = no
    soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius2/modules/files
  files {
  usersfile = "/etc/freeradius2/users"
  acctusersfile = "/etc/freeradius2/acct_users"
  preproxy_usersfile = "/etc/freeradius2/preproxy_users"
  compat = "cistron"
  }
reading pairlist file /etc/freeradius2/users
[/etc/freeradius2/users]:21 Cistron compatibility checks for entry test3 ...
reading pairlist file /etc/freeradius2/acct_users
reading pairlist file /etc/freeradius2/preproxy_users
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius2/modules/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
Listening on authentication address 192.168.168.205 port 1812
Listening on accounting address 192.168.168.205 port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=18, length=197
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x021b000a017465737433
        Message-Authenticator = 0x07abb25c6fcac61aeb3d0f1e49cc98d6
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 27 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 18 to 192.168.168.205 port 42115
        EAP-Message = 0x011c00061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc312e6f65e8768c16e09584c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=19, length=336
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
        State = 0xc30eff1bc312e6f65e8768c16e09584c
        Message-Authenticator = 0x97c6fbb9e1abd4ef3a74f02b493bd9d9
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 28 length 131
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 121
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0005]  
[peap] <<< TLS 1.0 Handshake [length 0074], ClientHello  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 19 to 192.168.168.205 port 42115
071309536f6d65776865726531153013060355040a130c4578616d706c65200x73496e632e3120301e06092a864886f70d010901161161646d696e406578616d70, 6c652e636f6d312630240603550403131d4578616d706c6520436572746966
        EAP-Message = 0x696361746520417574686f72697479301e170d313630363
96e406578616d706c652e636f6d30820122300d06092a864
886f70d01010105000382010f003082010a0282010100c946423265b4772617374660729c3c023d379b4681413b66f0de07f15b16eb15b5ee002373b664f5c61e11551f35c7
3f493e1437188fd72840aeeb6ceaf96f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505
fba07a9ee61c4c06d633ec4ec0c0885d07b45952f31d2edea03bb0bb93aa6e42fe7580a3d2f58b052a1fb56bde36002acee20f2e3b92bb99b72b0c67
        EAP-Message = 0x65011ccb33e94e5fd90004ab
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc213e6f65e8768c16e09584c
Finished request 1.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=20, length=211
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x021d00061900
        State = 0xc30eff1bc213e6f65e8768c16e09584c
        Message-Authenticator = 0xf40ff990a4a13753cc3f28b33ca5a182
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 29 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 20 to 192.168.168.205 port 42115
7479301e170d3136303632313037343833345a170d3137303632313037343833345a308193310b3009060355040613024652310f300d060355040813
25d9d75e9faa36bacf2d256d8087504d1055532185e593fa3e07f9e6ddad8e457bf8979b2546bdc2768018764158ab0f21ae77998cecd6d1809b278b
0f8d572ebd0d9e887d3081c80603551d230481c03081bd80140e28c41f34600d01ab674c0f8d572ebd0d9e887da18199a48196308193310b30090603
fffb4632ebeca0865b13c0303e9485f59828369fe812f32b4d77d3d9706c7e97666a331797210b32c9cab80c500d4bf29224708affda268acc6bc612
        EAP-Message = 0x68d2a1ab15f206e8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc110e6f65e8768c16e09584c
Finished request 2.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=21, length=211
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x021e00061900
        State = 0xc30eff1bc110e6f65e8768c16e09584c
        Message-Authenticator = 0xee0d464855fa5a53cf755d16de6fdb07
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 30 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 21 to 192.168.168.205 port 42115
0001470300174104975e7a95fb4a34da8edb2ed340d161af75e08b4a69b597f4cbda60518ee060eeb29b016c3f54fd1ff7fa5f5723e02b9b2409daaa
155596da9065984a02f00d19716a270374c21be8cec30236a14cf2e6eff550a27c26bce5e22b7314a6141ecf8695d2a5a74d9ee2dfe30413058ccb62
        EAP-Message = 0xadbf51cc6d2a30b94b8ba5cc45dfc686b316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc011e6f65e8768c16e09584c
Finished request 3.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=22, length=349
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
116030100304477833ffd6e82754c90f5ccfc4fd75f7c67c30f13f0e3b07d3dbd903b794dc8bf52b3eb26040ed2925a094f71bebf30
        State = 0xc30eff1bc011e6f65e8768c16e09584c
        Message-Authenticator = 0x981d19112699f36bcaa048ac6d5cb917
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 31 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0005]  
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap] <<< Unknown TLS version [length 0005]  
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< Unknown TLS version [length 0005]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]  
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 22 to 192.168.168.205 port 42115
        EAP-Message = 0x0120004119001403010001011603010030743a197efba6673363d52e38c84ee6af1156dc98475b254286422eec8c0d0c5e4a55682ec8483c791906496be38ca2b0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc72ee6f65e8768c16e09584c
Finished request 4.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=23, length=211
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x022000061900
        State = 0xc30eff1bc72ee6f65e8768c16e09584c
        Message-Authenticator = 0x3ad860d004ef3fcabba5f7614d629707
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 32 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
[peap] >>> Unknown TLS version [length 0005]  
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 23 to 192.168.168.205 port 42115
        EAP-Message = 0x0121002b1900170301002038f0a9de8c6c35bb8c25d91742508de0756c5f96898a5f807bbf622d860fd702
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc62fe6f65e8768c16e09584c
Finished request 5.
Going to the next request
Waking up in 3.5 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=24, length=248
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x0221002b19001703010020d9a51a72f4d3f026ee29713f988b5ea384f63c39bca9d72cbd454c22dc9f7f6b
        State = 0xc30eff1bc62fe6f65e8768c16e09584c
        Message-Authenticator = 0x9598e5c8853b46372c49e0eab0d847b1
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 33 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]  
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test3
[peap] Got inner identity 'test3'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0221000a017465737433
server  {
[peap] Setting User-Name to test3
Sending tunneled request
        EAP-Message = 0x0221000a017465737433
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
server  {
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 33 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server
[peap] Got tunneled reply code 11
        EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xaacefa4baaece0d52cbb51841f6886cc
[peap] Got tunneled reply RADIUS code Access-Challenge
        EAP-Message = 0x0122001f1a0122001a1038b1d4f1ac9d9e2d502428bcd4be1b877465737433
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xaacefa4baaece0d52cbb51841f6886cc
[peap] Got tunneled Access-Challenge
[peap] >>> Unknown TLS version [length 0005]  
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 24 to 192.168.168.205 port 42115
        EAP-Message = 0x0122003b19001703010030d70c7180d63f7345328c82eee2d29cc97bcbfd56bd375a88759bec5058ea295a12563bc4e70233b1f386d332e063d5c9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc52ce6f65e8768c16e09584c
Finished request 6.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=25, length=312
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
10519e089ae2095a3afea8dc67f17dc4b
        State = 0xc30eff1bc52ce6f65e8768c16e09584c
        Message-Authenticator = 0xea0f404b1fdc40e787d84bac706215d1
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 34 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]  
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433
server  {
[peap] Setting User-Name to test3
Sending tunneled request
        EAP-Message = 0x022200401a0222003b3131bc7ac09237790b1b2f2de3c9da70d10000000000000000ff91457ee5eb447396e409f6847c1759fead5ba59f6f7b0a007465737433
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "test3"
        State = 0xaacefa4baaece0d52cbb51841f6886cc
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
server  {
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 34 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius2/sites/default
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: test3
[mschap] Client is using MS-CHAPv2 for test3, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
} # server
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\"E=691 R=1"
        EAP-Message = 0x04220004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\"E=691 R=1"
        EAP-Message = 0x04220004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
[peap] >>> Unknown TLS version [length 0005]  
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 25 to 192.168.168.205 port 42115
        EAP-Message = 0x0123002b190017030100200a019db07d5b363141790d2b79f35448849fb36c234d074dbdcaa68b4ec312f0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc30eff1bc42de6f65e8768c16e09584c
Finished request 7.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 192.168.168.205 port 42115, id=26, length=248
        User-Name = "test3"
        Called-Station-Id = "00-03-7F-19-4E-45:fws2310-Mm2"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "A4-67-06-6D-A8-2E"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "BF8FD357-00000002"
        Attr-186 = 0x0050f202
        Attr-187 = 0x0050f202
        Attr-188 = 0x000fac01
        Fitivision-Essid-Name = "test"
        Framed-MTU = 1400
        EAP-Message = 0x0223002b19001703010020b8cd3f0acc578a073928fe39c5cd9910ae9fa867c95ddf1aade29daba16fd349
        State = 0xc30eff1bc42de6f65e8768c16e09584c
        Message-Authenticator = 0xfa5287fca7371b423b4170722af255c2
# Executing section authorize from file /etc/freeradius2/sites/default
+group authorize {
++[mschap] = noop
[eap] EAP packet type response id 35 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius2/sites/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]  
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 26 to 192.168.168.205 port 42115
        EAP-Message = 0x04230004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.7 seconds.
Cleaning up request 0 ID 18 with timestamp +3
Waking up in 0.1 seconds.
Cleaning up request 1 ID 19 with timestamp +3
Waking up in 0.4 seconds.
Cleaning up request 2 ID 20 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 3 ID 21 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 22 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 5 ID 23 with timestamp +4
Waking up in 0.3 seconds.
Cleaning up request 6 ID 24 with timestamp +5
Waking up in 0.4 seconds.
Cleaning up request 7 ID 25 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 8 ID 26 with timestamp +5
Ready to process requests.


Am I missing something?

Thanks

Matt Wu


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
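The question turns on two things: what the vendor dictionary does, and how a `==` check item differs from a reply item or a `:=` item. The Python below is an added illustration, not code from the post or from FreeRADIUS: it parses a dictionary in the format shown above, uses it to decode a constructed Vendor-Specific attribute for vendor 49809, and then evaluates the `users` entry from the question against an attribute list modelled on the `rad_recv` dump. The parsers, the wire bytes and `entry_matches` are this example's own simplifications of rlm_files (no Fall-Through, no cistron compatibility handling, only the `==`, `!=` and `:=` operators).

```python
"""Added example: a small model of a FreeRADIUS vendor dictionary and of
users-file check-item evaluation.  Not FreeRADIUS code; constructed inputs."""
import re
import struct

# Dictionary text in the format used in the post (constructed copy).
DICTIONARY = """\
# -*- text -*-
VENDOR Fitivision 49809
BEGIN-VENDOR Fitivision
ATTRIBUTE       Fitivision-Essid-Name              1     string
END-VENDOR Fitivision
"""

# The users entry from the post.
USERS_ENTRY = '"test3" Cleartext-Password := "testpwd", Fitivision-Essid-Name == "test"'

# Attributes modelled on the rad_recv dump (constructed sample); the vendor
# attribute itself is added by decoding wire bytes in demo() below.
REQUEST_DUMP = """\
        User-Name = "test3"
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1400
"""


def parse_dictionary(text):
    """Return ({vendor_name: id}, {(vendor_id, attr_id): (name, type)}).
    Attributes outside a BEGIN-VENDOR/END-VENDOR block get vendor id 0."""
    vendors, attrs, current_vendor = {}, {}, 0
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments and blanks
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif keyword == "BEGIN-VENDOR":
            current_vendor = vendors[fields[1]]      # KeyError if never declared
        elif keyword == "END-VENDOR":
            current_vendor = 0
        elif keyword == "ATTRIBUTE":
            attrs[(current_vendor, int(fields[2]))] = (fields[1], fields[3])
    return vendors, attrs


def decode_vsa(payload, attrs):
    """Decode the value field of one Vendor-Specific (type 26) attribute:
    4-byte vendor id, then sub-attributes in type/length/value form
    (RFC 2865 section 5.26).  Unknown sub-attributes are kept as Attr-N."""
    vendor_id = struct.unpack("!I", payload[:4])[0]
    pos, decoded = 4, []
    while pos + 2 <= len(payload):
        sub_type, sub_len = payload[pos], payload[pos + 1]
        if sub_len < 3 or pos + sub_len > len(payload):
            raise ValueError("malformed vendor sub-attribute")
        raw = payload[pos + 2:pos + sub_len]
        name, attr_type = attrs.get((vendor_id, sub_type), (f"Attr-{sub_type}", "octets"))
        decoded.append((name, raw.decode("ascii") if attr_type == "string" else raw.hex()))
        pos += sub_len
    return decoded


ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=)\s*"([^"]*)"\s*,?')


def parse_users_entry(line):
    """Split '"user" Attr op "value", ...' into (user, [(attr, op, value), ...])."""
    user, _, rest = line.partition(" ")
    return user.strip('"'), ITEM_RE.findall(rest)


def parse_request_dump(text):
    """Turn 'Attribute = value' debug lines into a dict, quotes stripped."""
    request = {}
    for line in text.splitlines():
        if " = " in line:
            attr, _, value = line.strip().partition(" = ")
            request[attr] = value.strip('"')
    return request


def entry_matches(entry, request):
    """Check-item semantics: '==' and '!=' compare against the request (a
    missing attribute fails '=='); ':=' assigns, and is only applied once
    every comparison has passed.  Returns (matched, assigned_items)."""
    user, items = entry
    if request.get("User-Name") != user:
        return False, []
    assigned = []
    for attr, op, value in items:
        present = request.get(attr)
        if (op == "==" and present != value) or (op == "!=" and present == value):
            return False, []
        if op == ":=":
            assigned.append((attr, value))
    return True, assigned


def demo():
    """Decode a constructed VSA, merge it into the request, and run the entry."""
    vendors, attrs = parse_dictionary(DICTIONARY)
    # Constructed wire bytes: vendor id 49809, sub-attribute 1, length 6, "test".
    vsa_payload = struct.pack("!I", vendors["Fitivision"]) + bytes([1, 6]) + b"test"
    decoded = decode_vsa(vsa_payload, attrs)
    request = parse_request_dump(REQUEST_DUMP)
    request.update(decoded)
    entry = parse_users_entry(USERS_ENTRY)
    matched, assigned = entry_matches(entry, request)
    # Same user on a different ESSID: the '==' item fails and nothing is assigned.
    mismatched, _ = entry_matches(entry, {**request, "Fitivision-Essid-Name": "guest"})
    return decoded, matched, assigned, mismatched
```

The point the model makes is that `Cleartext-Password := "testpwd"` is only applied once every `==` item in the same entry has matched, while a reply item is never compared at all. That is the shape of the failure in the debug output above: the tunnelled request does carry `Fitivision-Essid-Name = "test"`, yet the inner `++[files] = noop` is followed by `[mschap] No Cleartext-Password configured`, which is exactly what an unmatched entry produces. Whether the comparison itself misbehaves in v2 is not something this model can tell; it only shows why a non-matching check item takes the password with it.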

Re: Need help for adding dictionary and used for check item

Matthew Newton
On Tue, May 09, 2017 at 08:38:48AM +0000, 吳子境 Matt.Wu/TP/FITI wrote:
> I have problem in adding new dictionary in FreeRADIUS Version 2.2.8,
> and use the attribute to users check item, but always response Access-Reject.

Dunno, doesn't work here in v2. It works fine in v3.

Version 2 is unsupported now, so upgrade to v3.0.13.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>