While testing EAP-PEAP authentication with FreeRADIUS 2.1.12, authentication never succeeded. The debug log showed that EAP-TLS and the PEAP tunnel had both completed, but an error appeared during the MSCHAPv2 phase.

Checking the eap and sql configuration in the default site file showed nothing wrong. Further analysis of the log placed the error under "Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel", so attention turned to the inner-tunnel file. There, the sql module under the server inner-tunnel section was still commented out, so the inner tunnel could not look up the user during authentication. After enabling the sql module and testing again, authentication succeeded.
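As an added example (not this page's own configuration), here is what that change looks like in sites-enabled/inner-tunnel on a stock FreeRADIUS 2.x install. The module order in the "before" section is the one the debug log below records for the inner tunnel (chap, mschap, suffix, control, eap, files, expiration, logintime, pap); the sql line is assumed to have been left commented out, as shipped, and the sql module itself is assumed to already work for the outer default server. The inner-tunnel virtual server is a separate server with its own authorize section, so enabling sql in sites-enabled/default does nothing for the tunneled MSCHAPv2 request.

```text
# /usr/local/etc/raddb/sites-enabled/inner-tunnel  (FreeRADIUS 2.x layout, assumed)
#
# BEFORE: sql is commented out, so nothing loads the user's password into
# the control list. mschap then logs
#   "No Cleartext-Password configured.  Cannot create NT-Password."
# and rejects with "No NT/LM-Password".
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
#       sql
        expiration
        logintime
        pap
    }
    # authenticate, post-auth and the other sections are unchanged
}

# AFTER: sql enabled, so the user lookup that already works in the
# default server also runs inside the tunnel.
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        sql
        expiration
        logintime
        pap
    }
    # authenticate, post-auth and the other sections are unchanged
}
```

To confirm the fix, run the server with radiusd -X again and check that the inner-tunnel authorize group now prints a "++[sql] returns ok" line before the mschapv2 authenticate group runs. One caveat for the user store: MS-CHAPv2 can only be verified from a Cleartext-Password or NT-Password, so the SQL table must hold one of those for the account; a one-way hash such as Crypt-Password will still produce the "Cannot create NT-Password" rejection even with sql enabled.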

Attached RADIUS debug log:

NAS-Identifier = "Quidway"

NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252182413cfe24d5a185fce21670
EAP-Message = 0x02ca00061900
Message-Authenticator = 0x0af65760553e31c79b9723cd74ce955d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 202 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.1.1 port 1812
EAP-Message = 0x01cb002b190017030100208f5f2856e0d38769c25a80f99b6e8769ab6248a090d042536582634939f5d312
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252181403cfe24d5a185fce21670
Finished request 20.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=91, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252181403cfe24d5a185fce21670
EAP-Message = 0x02cb002b190017030100209736b1d515854cf8078894adcd353f9b5c27380bd9a79cbca97515a2f5e34518
Message-Authenticator = 0x2acacf7a967b7b5c370896f75004c58d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 203 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - wyw
[peap] Got inner identity 'wyw'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02cb000801777977
server  {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cb000801777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 203 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.1.1 port 1812
EAP-Message = 0x01cc003b19001703010030a6be5436fa853a6f715e74f502eef9bcc414e4c1e2f491f3122577b61201b3211f7ca0aa31c23ba34e1fcebc76342622
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252180473cfe24d5a185fce21670
Finished request 21.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=92, length=326
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252180473cfe24d5a185fce21670
EAP-Message = 0x02cc005b1900170301005017477f31595d6a842d698f0a447f929c0c3f7686e4e78706e3c328cf412a7f2cc64c59680093a1ffe1219560e1f24e93dfa60b56ca1bdf44fc5355322b267547d2360080e57295accccf7f7691cd9698
Message-Authenticator = 0xa3923431814672b2cf8e350cae8c0564
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 204 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
server  {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
State = 0x03a77cf3036b6607e9508ac9687cba29
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 204 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: wyw
[mschap] Client is using MS-CHAPv2 for wyw, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.1.1 port 1812
EAP-Message = 0x01cd002b19001703010020993478f9be023a7ee7a29d6b3c044c46d0db59828f7d4df179e1ffecbd7c8707
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b25218f463cfe24d5a185fce21670
Finished request 22.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=93, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b25218f463cfe24d5a185fce21670
EAP-Message = 0x02cd002b19001703010020d91727067896ae944ad11027b8046af0edea010e7dca7787fb220fe6ef715e43
Message-Authenticator = 0xa502ea6d3f33af69dd18a9fca2e08f26
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 205 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyw
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 93 to 192.168.1.1 port 1812
EAP-Message = 0x04cd0004
Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.8 seconds.
