RADIUS PROBLEM

Riccardo_Burrai · May 28, 2019, 2:29pm

Hello, we have installed radius for WPA, our radius work fine with AP but we have problem for authorize SM, at moment i'm testing with Force 180, this is the log of authentication process:

rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=116, length=169
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x023b000c0174657374637065
Message-Authenticator = 0x74d704ae0aa83c16cd69be2e0eb8faae
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 59 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry testcpe at line 204
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 116 to 192.168.223.30 port 55139
Reply-Message = "USER OK"
EAP-Message = 0x013c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7449754874756cf7e97b2e99b1743af5
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=117, length=181
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x023c00060315
State = 0x7449754874756cf7e97b2e99b1743af5
Message-Authenticator = 0x57140b1fe54b0afbe6fff3686487e369
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 60 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry testcpe at line 204
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 117 to 192.168.223.30 port 55139
Reply-Message = "USER OK"
EAP-Message = 0x013d00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74497548757460f7e97b2e99b1743af5
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=118, length=237
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x023d003e150016030100330100002f030155e4f33f0a77e820403acd61a26806eeb5d77bf09449eb678567124428d7de1f000008002f000a000500040100
State = 0x74497548757460f7e97b2e99b1743af5
Message-Authenticator = 0xa40b39485b34c14d2cab0ce4173a673f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 61 length 62
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< TLS 1.0 Handshake [length 0033], ClientHello
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> TLS 1.0 Handshake [length 004a], ServerHello
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> TLS 1.0 Handshake [length 06ab], Certificate
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 118 to 192.168.223.30 port 55139
EAP-Message = 0x013e040015c000000708160301004a02000046030159945bbeba1e9f742a68e02eb11cece846f8f48f86a7e1ec0535b366a3909ad1204cdc7789c41dfc725215bcc5b7102a37a8ae8027decc4eed5b1a666d6e25e1c7002f0016030106ab0b0006a70006a40003523082034e308202b7a003020102020101300d06092a864886f70d01010505003081c0310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943
EAP-Message = 0x616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d301e170d3031303130313030303030305a170d3439313233313233353935395a3081c9310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312b30290603550403132243616e6f707920414141205365727665722044656d6f2043657274
EAP-Message = 0x696669636174653133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c32657829c0a23f3e456cbcb0128a00d9c180e00b857bcaecd388d159b14c017ff8e104968a1ab43622449c88cfcd301a5e78b3d54cbde59a1792118a2865b4359912727d8eff49120fdef4f16a0dd6d57298d4d8154c3cf5d7eaf0c2ff6d2464820206d9b1ce8eea199790cbffadc6da11ea78fa49717944f82a6e2f79396bd0203010001a34d304b30090603551d1304023000301d0603551d0e04160414c02f761f28
EAP-Message = 0xade55e9451ed89078a0a74230811b8301f0603551d23041830168014eb8c22114d8cc6f0968ff7e23373b77b2eb56940300d06092a864886f70d010105050003818100bbb34e7519ee8671fafa40eddaa5a35aeaf5d3c693f9edb171649daa0d4e1344517235eec07129b379c54ef5cc7bf973104e1ff809539c92b7609dcf54017f5943a86f09a4ec427954b926789b27a2aa13202128eca10f06f5f87935112e776441859d9c65d21b225c4e68189151445c0bd5ecddb60b737747dd693cc7baba4100034c30820348308202b1a003020102020100300d06092a864886f70d01010505003081c0310b30090603550406130255533111300f06035504
EAP-Message = 0x081308496c6c696e6f697331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74497548767760f7e97b2e99b1743af5
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=119, length=181
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x023e00061500
State = 0x74497548767760f7e97b2e99b1743af5
Message-Authenticator = 0x83dedbb8aa780f5db6c81625f79306ff
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 62 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 119 to 192.168.223.30 port 55139
EAP-Message = 0x013f031c15800000070821301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d301e170d3031303130313030303030305a170d3439313233313233353935395a3081c0310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a13184d6f746f726f
EAP-Message = 0x6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c0a0b87b37f1cab947267e48f511647106226ab3567a8c786eb048cd14d620a59af65c2efb8c7abd4438573a6984093cf44531efa8b5c776e2c8b88d1a2be829283d709a984b7e4ac91ea9fcf413b20379
EAP-Message = 0x285b7ead840b68e0c586b5bf2ade8e8dc0d6822b31bcfaf9f15abc23d47991b99f8c7024ac0d3618cff88ea93e3ef10203010001a350304e300c0603551d13040530030101ff301d0603551d0e04160414eb8c22114d8cc6f0968ff7e23373b77b2eb56940301f0603551d23041830168014eb8c22114d8cc6f0968ff7e23373b77b2eb56940300d06092a864886f70d0101050500038181000360b68c65dde686acea14798fe0e4029fbda711f2045a40be3f76cd787312e9bcb022578026481262cc20b501ce55680dc88696e25d99d01d78f56d9f72473387c959208584dba1f7d29b2e9b2bca043d7454bc11d29cf395d9b15e501c5d3f10d8f908
EAP-Message = 0x9544be01959ef9c6bc226f2b4042cf2db63d06918ea3c735fa891cd316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74497548777660f7e97b2e99b1743af5
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=120, length=379
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x023f00cc150016030100861000008200802ce0ce36de3a2bb4f26f55521f99d88ebf7ee8038cadd538bfac325117b78f295bff0fd7369fbd3ab77211a13c72b5e5496429a9e4e00cad6264020f7d304212f8a83f1653700db223edbe181ebdb3de5b856b800ce61e80fa556945fda97627e0edfbaa74b0910bf18ce87e29d98305a8befdf3d63d48db42dc5db4730c996f140301000101160301003060b6ccc39e88815d0ee13af15f37a5843dae8371d44c19593aa967797f41b98dc96b1b2a0a526e1a3d5344e9830ebae0
State = 0x74497548777660f7e97b2e99b1743af5
Message-Authenticator = 0x4d0ccd6585a3358d3c503a6ad1550581
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 63 length 204
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
SSL: adding session 4cdc7789c41dfc725215bcc5b7102a37a8ae8027decc4eed5b1a666d6e25e1c7 to cache
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 120 to 192.168.223.30 port 55139
EAP-Message = 0x0140004515800000003b1403010001011603010030b33f33743a595309db73110f0871edcb9c6d738310e1b35463c2955d9d91ac3bc37f745655ff0cb7f0e23bf2e3c27628
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74497548700960f7e97b2e99b1743af5
Finished request 15.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=121, length=330
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0240009b15001703010090a767d73f21d8a3b13f0fde2fd6ce0d9c987e04c7cefd503aeac72065de137188e3c07167178dd4ec23919beddb81a28e9ea1a86d2ec678febd3be7f05d1db63da0a2f2ae45920c78a5a96b14f3a3df430a5df3c58ea480d5495d0f608f292692112b136b488052569eff4a0963f7f60d35eda444de392f904795e44a9f2b3ecf76fbc3b322b17cb435020d0c79bd0837
State = 0x74497548700960f7e97b2e99b1743af5
Message-Authenticator = 0xe6dc34b0c36d0f46671026291dce0a3a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 64 length 155
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "testcpe"
MS-CHAP-Challenge = 0xc266d97db4574a1b9ce41a4ba5e35684
MS-CHAP2-Response = 0xbc00000018000000210048e9300048dc785500000000000000006f0ace61e45015f127f06527942e9356a503f46133ff40f3
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "testcpe"
MS-CHAP-Challenge = 0xc266d97db4574a1b9ce41a4ba5e35684
MS-CHAP2-Response = 0xbc00000018000000210048e9300048dc785500000000000000006f0ace61e45015f127f06527942e9356a503f46133ff40f3
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 192.168.223.30
server {
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testcpe at line 204
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Creating challenge hash with username: testcpe
[mschap] Client is using MS-CHAPv2 for testcpe, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
Login OK: [testcpe/<via Auth-Type = MSCHAP>] (from client rete192168 port 0 cli 00-04-56-E2-D0-77 via TLS tunnel)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++update reply {
expand: %{TLS-Cert-Serial} ->
expand: %{TLS-Cert-Expiration} ->
expand: %{TLS-Cert-Subject} ->
expand: %{TLS-Cert-Issuer} ->
expand: %{TLS-Cert-Common-Name} ->
expand: %{TLS-Cert-Subject-Alt-Name-Email} ->
expand: %{TLS-Client-Cert-Serial} ->
expand: %{TLS-Client-Cert-Expiration} ->
expand: %{TLS-Client-Cert-Subject} ->
expand: %{TLS-Client-Cert-Issuer} ->
expand: %{TLS-Client-Cert-Common-Name} ->
expand: %{TLS-Client-Cert-Subject-Alt-Name-Email} ->
++} # update reply = noop
+} # group post-auth = noop
} # server
[ttls] Got tunneled reply code Access-Accept
Reply-Message = "USER OK"
MS-CHAP2-Success = 0xbc533d37414232413036433046324645303836353337363338353546453735433938364639343644373345
MS-MPPE-Recv-Key = 0x5e3eb8b2184c040513bd2e724b0d6aaa
MS-MPPE-Send-Key = 0x7a52a86e727f6a4294f4c3948d180cff
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
Reply-Message = ""
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
[ttls] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 121 to 192.168.223.30 port 55139
EAP-Message = 0x0141005f15800000005517030100501d62d75e5d573808a60a447719d69c0fed61b7dd0ea01b95903fb263a92fdb667b17afa6e75aa7cf1280b4cdc380b722c2754248dde1eb769e1063576fc96734449efda43d4b18799d205ad858c322a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x74497548710860f7e97b2e99b1743af5
Finished request 16.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.223.30 port 55139, id=122, length=181
User-Name = "testcpe"
NAS-Identifier = "ePMP-RADIUS-AP"
NAS-Port = 0
Called-Station-Id = "00-04-56-E2-DE-BD:CMB-EAP-TEST"
Calling-Station-Id = "00-04-56-E2-D0-77"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024100061500
State = 0x74497548710860f7e97b2e99b1743af5
Message-Authenticator = 0xdc81d172c2c0bd8e8737e62c8c2d28bc
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testcpe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 65 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK default
[ttls] Invalid ACK received: 0
[ttls] eaptls_verify returned 4
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [testcpe/<via Auth-Type = EAP>] (from client rete192168 port 0 cli 00-04-56-E2-D0-77)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> testcpe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 122 to 192.168.223.30 port 55139
EAP-Message = 0x04410004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.

freeradius config is standard with cambium original certificate and CA

this is my configuration

Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/aaasvr_key.pem"
certificate_file = "/etc/freeradius/certs/aaasvr_cert.pem"
CA_file = "/etc/freeradius/certs/cacert_aaasvr.pem"
private_key_password = "password"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "secp521r1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = yes
send_error = no
}

I've tested all combo in peap, ttls mschap ecc....

I've tested this configuration with other AP and all work fine.

Thanks

Riccardo

Andrii_Khyzhnyi · May 29, 2019, 7:58am

Here is an example of a working eap configuration from free-radius 3.0:

eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_file = ${certdir}/cambium_default_certs/key-829.pem

certificate_file = ${certdir}/cambium_default_certs/cert-829.pem

ca_file = ${certdir}/cambium_default_certs/camb-ca.crt
dh_file = ${certdir}/dh

ca_path = ${cadir}

cipher_list = “DEFAULT”

cipher_server_preference = no

ecdh_curve = “prime256v1”

cache {

enable = no

}

verify {

}

ocsp {

enable = no

override_cert_url = yes

url = “http://127.0.0.1/ocsp/”

}

}

tls {

tls = tls-common

}

ttls {

tls = tls-common

default_eap_type = ttls

copy_request_to_tunnel = yes

use_tunneled_reply = yes

virtual_server = “inner-tunnel”

}

peap {

tls = tls-common

default_eap_type = mschapv2

copy_request_to_tunnel = no

use_tunneled_reply = no

virtual_server = “inner-tunnel”

}

mschapv2 {

}

}

Probably the issue is in default_eap_type