(8)       if (&User-Name) {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /) -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ ) -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8)         if (&User-Name =~ /\.$/) {
(8)         if (&User-Name =~ /\.$/) -> FALSE
(8)         if (&User-Name =~ /@\./) {
(8)         if (&User-Name =~ /@\./) -> FALSE
(8)       } # if (&User-Name) = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "[Username]", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 118 length 94
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x06375c52064146aa
(8) eap: Finished EAP session with state 0x61256d0c665374eb
(8) eap: Previous EAP request found for state 0x61256d0c665374eb, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x0276003f1a0276003a314b1271199b3d6031d3df94119fc80ad900000000000000006b173eea96358893683fd1eecf562feed5cb568fc41b9e7c0067616269
(8) eap_peap: Setting User-Name to [Username]
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x0276003f1a0276003a314b1271199b3d6031d3df94119fc80ad900000000000000006b173eea96358893683fd1eecf562feed5cb568fc41b9e7c0067616269
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "[Username]"
(8) eap_peap:   State = 0x06375c52064146aada139aec8aed87b8
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x0276003f1a0276003a314b1271199b3d6031d3df94119fc80ad900000000000000006b173eea96358893683fd1eecf562feed5cb568fc41b9e7c0067616269
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "[Username]"
(8)   State = 0x06375c52064146aada139aec8aed87b8
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name) -> TRUE
(8)         if (&User-Name) {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /) -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ ) -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8)           if (&User-Name =~ /\.$/) {
(8)           if (&User-Name =~ /\.$/) -> FALSE
(8)           if (&User-Name =~ /@\./) {
(8)           if (&User-Name =~ /@\./) -> FALSE
(8)         } # if (&User-Name) = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "[Username]", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 118 length 63
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: Performing search in "dc=gwch,dc=net" with filter "(uid=%{%{Stripped-User-Name}:-%{User-Name}})", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
rlm_ldap (ldap): Released connection (5)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (7), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://frodo.gwch.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8)       [ldap] = notfound
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x06375c52064146aa
(8) eap: Finished EAP session with state 0x06375c52064146aa
(8) eap: Previous EAP request found for state 0x06375c52064146aa, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2:   authenticate {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: [Username]
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)         [mschap] = reject
(8)       } # authenticate = reject
(8) eap: Sending EAP Failure (code 4) ID 118 length 4
(8) eap: Freeing handler
(8)       [eap] = reject
(8)     } # authenticate = reject
(8)   Failed to authenticate the user
(8)   Using Post-Auth-Type Reject
(8)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> [Username]
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)       [attr_filter.access_reject] = updated
(8)       update outer.session-state {
(8)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(8)       } # update outer.session-state = noop
(8)     } # Post-Auth-Type REJECT = updated
(8) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [[Username]/] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   MS-CHAP-Error = "vE=691 R=1 C=32b5124e6b2fb0e07abd00f8043cfb5c V=3 M=Authentication rejected"
(8)   EAP-Message = 0x04760004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap:   MS-CHAP-Error = "vE=691 R=1 C=32b5124e6b2fb0e07abd00f8043cfb5c V=3 M=Authentication rejected"
(8) eap_peap:   EAP-Message = 0x04760004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap:   MS-CHAP-Error = "vE=691 R=1 C=32b5124e6b2fb0e07abd00f8043cfb5c V=3 M=Authentication rejected"
(8) eap_peap:   EAP-Message = 0x04760004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: Sending EAP Request (code 1) ID 119 length 46
(8) eap: EAP session adding &reply:State = 0x61256d0c695274eb
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(8) Sent Access-Challenge Id 164 from 192.168.1.1:1812 to 192.168.1.22:42251 length 0
(8)   EAP-Message = 0x0177002e19001703030023d9e294b92dee8c38d582002fcc1bab3d55b901cb8bd5dd0211124b20f14344c4e96eff
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x61256d0c695274ebfdf23bad26f6ec3a
(8) Finished request
Waking up in 4.6 seconds.
(9) Received Access-Request Id 165 from 192.168.1.22:42251 to 192.168.1.1:1812 length 246
(9)   User-Name = "[Username]"
(9)   NAS-Identifier = "18e82916d86c"
(9)   Called-Station-Id = "3A-E8-29-18-D8-6C:[WLAN SSID]"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "04-B1-67-13-2E-AA"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "651654D7FD6D607F"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x0277002e190017030300230000000000000003bec63f1ed28e965699d70773099e53823958d502eb9f6d5106aa9d
(9)   State = 0x61256d0c695274ebfdf23bad26f6ec3a
(9)   Message-Authenticator = 0x87de957d2d502f3dd5480aeb80633798
(9) Restoring &session-state
(9)   &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name) -> TRUE
(9)       if (&User-Name) {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /) -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ ) -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9)         if (&User-Name =~ /\.$/) {
(9)         if (&User-Name =~ /\.$/) -> FALSE
(9)         if (&User-Name =~ /@\./) {
(9)         if (&User-Name =~ /@\./) -> FALSE
(9)       } # if (&User-Name) = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "[Username]", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 119 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x61256d0c695274eb
(9) eap: Finished EAP session with state 0x61256d0c695274eb
(9) eap: Previous EAP request found for state 0x61256d0c695274eb, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 119 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> [Username]
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [[Username]/] (from client Radius-Clients LAN 1 port 0 cli 04-B1-67-13-2E-AA)
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 165 from 192.168.1.1:1812 to 192.168.1.22:42251 length 44
(9)   EAP-Message = 0x04770004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
(0) Cleaning up request packet ID 156 with timestamp +62
Waking up in 0.1 seconds.
(1) Cleaning up request packet ID 157 with timestamp +62
(2) Cleaning up request packet ID 158 with timestamp +63
(3) Cleaning up request packet ID 159 with timestamp +63
(4) Cleaning up request packet ID 160 with timestamp +63
(5) Cleaning up request packet ID 161 with timestamp +63
(6) Cleaning up request packet ID 162 with timestamp +63
(7) Cleaning up request packet ID 163 with timestamp +63
(8) Cleaning up request packet ID 164 with timestamp +63
(9) Cleaning up request packet ID 165 with timestamp +63
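The debug output above records the failure in two places: request (8), where the inner-tunnel LDAP search returns no entry and rlm_mschap then has no Cleartext-Password or NT-Password to verify the MS-CHAPv2 response against, and request (9), which only reports that the session "was previously rejected" and points back at the earlier messages. The script below is an added example, not part of the original post and not FreeRADIUS's own tooling: it walks radiusd -X output of this shape, groups lines by request number, collects the module results that are not successes, and follows a "previously rejected" verdict back through the Module-Failure-Message that the inner tunnel saved in session-state. The embedded log lines are constructed from the patterns above (with the redacted [Username] kept as-is), and the remediation hints in HINTS are the author's own notes, not text from the log.

```python
"""Triage a FreeRADIUS `radiusd -X` debug log for the reason an EAP user was rejected.

Added example; not part of the original post and not FreeRADIUS's own tooling.
SAMPLE_LOG is constructed from the patterns in the debug output above and is
not the full log; HINTS are the author's own remediation notes.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the radiusd -X output above (not the full log).
SAMPLE_LOG = """\
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) ldap: Performing search in "dc=gwch,dc=net" with filter "(uid=%{%{Stripped-User-Name}:-%{User-Name}})", scope "sub"
(8) ldap: Search returned no results
(8)       [ldap] = notfound
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)         [mschap] = reject
(8) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [[Username]/] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)
(8) } # server inner-tunnel
(8) eap_peap: Tunneled authentication was rejected
(8)     [eap] = handled
(8) Sent Access-Challenge Id 164 from 192.168.1.1:1812 to 192.168.1.22:42251 length 0
(9) Received Access-Request Id 165 from 192.168.1.22:42251 to 192.168.1.1:1812 length 246
(9)   &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(9)     [eap] = invalid
(9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [[Username]/] (from client Radius-Clients LAN 1 port 0 cli 04-B1-67-13-2E-AA)
(9) Sent Access-Reject Id 165 from 192.168.1.1:1812 to 192.168.1.22:42251 length 44
"""

REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")                 # "(8) ..." request-scoped lines
RESULT_RE = re.compile(r"^\[([\w.]+)\]\s*=\s*(\w+)$")      # "[module] = rcode"
LOGIN_RE = re.compile(r"^Login incorrect \((.*)\): \[(.*?)\] \(from client (.*)\)$")
SENT_RE = re.compile(r"^Sent (Access-\w+) Id (\d+) ")
CARRIED_RE = re.compile(r'^&session-state:Module-Failure-Message := "(.*)"$')
FAILING_RCODES = {"reject", "fail", "invalid", "notfound"}

# Author's own notes on what to check next when a given message appears (assumption, not log text).
HINTS = {
    "Search returned no results":
        "LDAP filter matched no entry: run the same filter with ldapsearch using the module's bind DN.",
    "No Cleartext-Password configured":
        "rlm_mschap needs control:Cleartext-Password or control:NT-Password; nothing was mapped for this user.",
    "Outer and inner identities are the same":
        "The outer identity travels before the TLS tunnel is up; configure an anonymous outer identity on the supplicant.",
}


def parse(log: str) -> dict:
    """Group the log by request number and pull out results, errors, verdicts and hints."""
    reqs = defaultdict(lambda: {"results": {}, "errors": [], "hints": [],
                                "verdict": None, "reply": None, "carried": None})
    for raw in log.splitlines():
        m = REQ_RE.match(raw)
        if not m:
            continue  # pool messages ("rlm_ldap (ldap): ...", "Waking up ...") carry no request id
        num, text = int(m.group(1)), m.group(2).strip()
        r = reqs[num]
        if (mr := RESULT_RE.match(text)) and mr.group(2) in FAILING_RCODES:
            r["results"][mr.group(1)] = mr.group(2)
        if "ERROR:" in text:
            r["errors"].append(text)
        for needle, hint in HINTS.items():
            if needle in text and hint not in r["hints"]:
                r["hints"].append(hint)
        if (ml := LOGIN_RE.match(text)):
            r["verdict"] = ml.group(1)
        if (ms := SENT_RE.match(text)):
            r["reply"] = ms.group(1)
        if (mc := CARRIED_RE.match(text)):
            r["carried"] = mc.group(1)
    return dict(reqs)


def root_cause(reqs: dict, num: int) -> str:
    """Follow a 'previously rejected' verdict back to the failure the inner tunnel stored in session-state."""
    r = reqs[num]
    if r["verdict"] and "previously rejected" in r["verdict"] and r["carried"]:
        return r["carried"]
    return r["verdict"] or (r["errors"][0] if r["errors"] else "no failure recorded")


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for num in sorted(parsed):
        r = parsed[num]
        print(f"({num}) reply={r['reply']} failing_modules={r['results']}")
        print(f"     cause: {root_cause(parsed, num)}")
        for hint in r["hints"]:
            print(f"     check: {hint}")
```

Run against the real log, the triage lands on request (8): `[ldap] = notfound` followed by `[mschap] = reject`, which is why request (9)'s `eap_peap` error tells you to read the earlier messages. The Access-Reject in (9) is only the outer PEAP conversation relaying a decision already made inside the tunnel, so the fix belongs with the LDAP lookup and password mapping, not with the EAP or PEAP configuration.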