


  1. #1

    Freeradius does not authenticate - Login failure

    I am setting up a FreeRADIUS authentication server with the user list in a MySQL database.
    Whenever I try to log in to the wireless network, even with the correct username and password, FreeRADIUS reports a login error, as in the log below.

    Has anyone run into this before?
    Any suggestions?

    I inserted the user teste with password teste into MySQL.
    I configured the Dlink DI524 AP for WPA2 (AES) with a RADIUS server (IP, port and secret).
    I added this AP as a FreeRADIUS client and the authentication requests are arriving, but it does not authenticate.

    I am using Debian 6.
    Below are the FreeRADIUS log and the radiusd.conf I am using.
    I also configured /etc/freeradius/sites-enabled/default, uncommenting the sql options,
    and sql.conf, where I entered the MySQL IP, user and password.


    LOG FREERADIUS

    rad_recv: Access-Request packet from host 192.168.254.150 port 65477, id=98, length=159
    User-Name = "teste"
    NAS-Port-Type = Wireless-802.11
    Called-Station-Id = "F0-7D-68-DE-61-36"
    Calling-Station-Id = "00-17-C4-D5-BD-0C"
    NAS-IP-Address = 192.168.254.150
    Framed-MTU = 1400
    State = 0xd1a6913dd7ae8861f8697a9f708854fd
    EAP-Message = 0x020800261900170301001b4a99f77f99a0cd35053469923583b0298457602d93943dd80252ff
    Message-Authenticator = 0x66668c3dbffce63e6dde5c47ed540a8f
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "teste", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] EAP packet type response id 8 length 38
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv failure
    [peap] Received EAP-TLV response.
    [peap] The users session was previously rejected: returning reject (again.)
    [peap] *** This means you need to read the PREVIOUS messages in the debug output
    [peap] *** to find out the reason why the user was rejected.
    [peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
    [peap] *** what went wrong, and how to fix the problem.
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [teste/] (from client ap port 0 cli 00-17-C4-D5-BD-0C)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [sql] expand: %{User-Name} -> teste
    [sql] sql_set_user escaped user --> 'teste'
    [sql] expand: %{User-Password} ->
    [sql] ... expanding second conditional
    [sql] expand: %{Chap-Password} ->
    [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'teste', '', 'Access-Reject', '2011-12-30 18:44:58')
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'teste', '', 'Access-Reject', '2011-12-30 18:44:58')
    rlm_sql (sql): Reserving sql socket id: 0
    rlm_sql (sql): Released sql socket id: 0
    ++[sql] returns ok
    [attr_filter.access_reject] expand: %{User-Name} -> teste
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 19 for 1 seconds
    Going to the next request
    Waking up in 0.8 seconds.
    Sending delayed reject for request 19
    Sending Access-Reject of id 98 to 192.168.254.150 port 65477
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 2.9 seconds.
    Cleaning up request 12 ID 91 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 13 ID 92 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 14 ID 93 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 15 ID 94 with timestamp +579
    Cleaning up request 16 ID 95 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 17 ID 96 with timestamp +580
    Waking up in 0.2 seconds.
    Cleaning up request 18 ID 97 with timestamp +580
    Waking up in 1.0 seconds.
    Cleaning up request 19 ID 98 with timestamp +580
    Ready to process requests.



    RADIUSD.CONF

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct

    name = freeradius

    # Location of config and logfiles.
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}

    # Should likely be ${localstatedir}/lib/radiusd
    db_dir = ${raddbdir}

    libdir = /usr/lib/freeradius

    pidfile = ${run_dir}/${name}.pid

    # The server will also try to use "initgroups" to read /etc/groups.
    # It will join all groups where "user" is a member. This can allow
    # for some finer-grained access controls.
    #
    user = freerad
    group = freerad

    # max_request_time: The maximum time (in seconds) to handle a request.
    # Useful range of values: 5 to 120
    #
    max_request_time = 30

    # cleanup_delay: The time to wait (in seconds) before cleaning up
    # a reply which was sent to the NAS.
    #
    # Useful range of values: 2 to 10
    #
    cleanup_delay = 5

    # max_requests: The maximum number of requests which the server keeps
    # track of. This should be 256 multiplied by the number of clients.
    # e.g. With 4 clients, this number should be 1024.
    # Useful range of values: 256 to infinity
    #
    max_requests = 1024

    listen {
        # Type of packets to listen for.
        # Allowed values are:
        #   auth    listen for authentication packets
        #   acct    listen for accounting packets
        #   proxy   IP to use for sending proxied packets
        #   detail  Read from the detail file. For examples, see
        #           raddb/sites-available/copy-acct-to-home-server
        #   status  listen for Status-Server packets. For examples,
        #           see raddb/sites-available/status
        #   coa     listen for CoA-Request and Disconnect-Request
        #           packets. For examples, see the file
        #           raddb/sites-available/coa-server
        #
        type = auth

        # IP address on which to listen.
        # Allowed values are:
        #   dotted quad (1.2.3.4)
        #   hostname (radius.example.com)
        #   wildcard (*)
        ipaddr = 192.168.254.13

        # OR, you can use an IPv6 address, but not both
        # at the same time.
        # ipv6addr = ::   # any. ::1 == localhost

        # Port on which to listen.
        # Allowed values are:
        #   integer port number (1812)
        #   0 means "use /etc/services for the proper port"
        port = 1812

        # interface = eth0
    }

    # This second "listen" section is for listening on the accounting
    # port, too.
    #
    listen {
        ipaddr = *
        # ipv6addr = ::
        port = 0
        type = acct
        # interface = eth0
        # clients = per_socket_clients
    }

    #
    # allowed values: {no, yes}
    #
    hostname_lookups = no

    # Core dumps are a bad thing. This should only be set to 'yes'
    # if you're debugging a problem with the server.
    #
    # allowed values: {no, yes}
    #
    allow_core_dumps = no

    # Regular expressions
    #
    regular_expressions = yes
    extended_expressions = yes

    #
    # Logging section. The various "log_*" configuration items
    # will eventually be moved here.
    #
    log {
        destination = files

        file = ${logdir}/radius.log

        syslog_facility = daemon

        stripped_names = no

        # Log authentication requests to the log file.
        #
        # allowed values: {no, yes}
        #
        auth = yes

        # allowed values: {no, yes}
        #
        auth_badpass = yes
        auth_goodpass = yes

        # msg_goodpass = ""
        # msg_badpass = ""
    }

    # The program to execute to do concurrency checks.
    checkrad = ${sbindir}/checkrad

    # SECURITY CONFIGURATION
    security {
        #
        # Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        reject_delay = 1

        #
        # See also raddb/sites-available/status
        #
        status_server = yes
    }

    # PROXY CONFIGURATION
    #
    proxy_requests = yes
    $INCLUDE proxy.conf

    # CLIENTS CONFIGURATION
    #
    # Client configuration is defined in "clients.conf".
    #
    $INCLUDE clients.conf

    # THREAD POOL CONFIGURATION
    #
    thread pool {
        # Number of servers to start initially --- should be a reasonable
        # ballpark figure.
        start_servers = 5

        max_servers = 32

        min_spare_servers = 3
        max_spare_servers = 10

        max_requests_per_server = 0
    }

    # MODULE CONFIGURATION
    #
    modules {
        #
        $INCLUDE ${confdir}/modules/

        $INCLUDE eap.conf

        $INCLUDE sql.conf

        # $INCLUDE sql/mysql/counter.conf

        #
        # IP addresses managed in an SQL table.
        #
        # $INCLUDE sqlippool.conf
    }

    # Instantiation
    #
    instantiate {
        #
        # Allows the execution of external scripts.
        # The entire command line (and output) must fit into 253 bytes.
        #
        # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
        exec

        #
        expr

        # daily
        expiration
        logintime

        #redundant redundant_sql {
        #   sql1
        #   sql2
        #}
    }

    ######################################################################
    $INCLUDE policy.conf

    ######################################################################
    $INCLUDE sites-enabled/

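    The debug output in the post ends with PEAP's "previously rejected: returning reject (again.)" message, which only says that an earlier request in the same EAP conversation already failed; the reason lives in that earlier request, which the post does not include. Added example (not code from the original post or from FreeRADIUS): a Python script that groups radiusd -X output by request id and virtual server (default vs. inner-tunnel) and reports the earliest failing module result. The log it runs on is constructed for the example: the thread's final request id=98 preceded by a hypothetical inner-tunnel round id=97; the mschap reason shown there is an assumption, not something the thread's log proves.

```python
"""Trace a FreeRADIUS 2.x "previously rejected: returning reject (again.)"
back to the request that really failed, using radiusd -X output."""
import re
from dataclasses import dataclass
from typing import List, Optional

RAD_RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
SECTION = re.compile(r"^# Executing (?:section \w+|group) from file \S*/sites-enabled/([\w-]+)")
SERVER_CLOSE = re.compile(r"^\} # server [\w-]+")
MODULE_MSG = re.compile(r"^\[([\w.-]+)\] (.*)")
MODULE_RESULT = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
FAILING = {"reject", "fail", "invalid", "userlock"}
REASON_WORDS = ("FAILED", "reject", "incorrect", "failed", "No ")

@dataclass
class Finding:
    request_id: Optional[int]
    server: str           # virtual server whose section produced the result
    module: str           # module that returned a failing code
    result: str
    reasons: List[str]    # module messages printed just before that result

def analyse(debug_output: str) -> List[Finding]:
    """Every failing module result, in the order the server printed them."""
    findings: List[Finding] = []
    request_id, server, buffer = None, "default", []
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = RAD_RECV.match(line)
        if m:                         # new packet: reset per-request state
            request_id, server, buffer = int(m.group(1)), "default", []
            continue
        m = SECTION.match(line)       # "# Executing section ... sites-enabled/<server>"
        if m:
            server = m.group(1)
            continue
        if SERVER_CLOSE.match(line):  # "} # server inner-tunnel": back in outer server
            server = "default"
            continue
        m = MODULE_MSG.match(line)
        if m and any(w in m.group(2) for w in REASON_WORDS):
            buffer.append(f"[{m.group(1)}] {m.group(2)}")
        m = MODULE_RESULT.match(line)
        if m:
            if m.group(2) in FAILING:
                findings.append(Finding(request_id, server, m.group(1), m.group(2), buffer))
            buffer = []               # messages belong to the result they precede
    return findings

def root_cause(findings: List[Finding]) -> Optional[Finding]:
    """Earliest failure that is not PEAP replaying a reject from an earlier round."""
    for f in findings:
        if not any("previously rejected" in r for r in f.reasons):
            return f
    return None

def explain(debug_output: str) -> str:
    cause = root_cause(analyse(debug_output))
    if cause is None:
        return ("only a replayed reject found: paste the earlier requests of this "
                "EAP conversation (the inner-tunnel round) to see the real reason")
    why = cause.reasons[0] if cause.reasons else f"returns {cause.result}"
    return f"request id={cause.request_id} server={cause.server} module={cause.module}: {why}"

# Constructed sample: a hypothetical inner-tunnel round (id=97) followed by the
# thread's final request (id=98). The mschap lines are an assumption made for
# this example, not something the original post's log shows.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.254.150 port 65477, id=97, length=213
# Executing section authorize from file /etc/freeradius/sites-enabled/default
++[eap] returns updated
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
++[files] returns noop
++[eap] returns ok
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
++[eap] returns handled
rad_recv: Access-Request packet from host 192.168.254.150 port 65477, id=98, length=159
# Executing section authorize from file /etc/freeradius/sites-enabled/default
++[eap] returns ok
[peap] The users session was previously rejected: returning reject (again.)
++[eap] returns invalid
"""
# What the original post pasted: only the last request of the conversation.
TAIL_ONLY = SAMPLE[SAMPLE.rindex("rad_recv:"):]

if __name__ == "__main__":
    print(explain(TAIL_ONLY))
    print(explain(SAMPLE))
```

    Run against only the tail (what the post contains) the script reports that nothing but a replayed reject is present; run against the whole conversation it points at the inner-tunnel round. In a real capture, feed it the complete radiusd -X output for one client attempt, since PEAP spreads a single login over several Access-Request/Access-Challenge exchanges and the decisive one is never the last.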

  2. #2

    Re: Freeradius does not authenticate - Login failure

    I still haven't been able to solve it.

    Any ideas?

  3. #3

    Re: Freeradius does not authenticate - Login failure

    Have you tried removing the EAP module??? Comment it out in your radius.conf... you only need an ok from the sql module, don't you?

  4. #4

    Re: Freeradius does not authenticate - Login failure

    The sql module is for FreeRADIUS to be able to interact with the MySQL database, where the users and passwords are.
    I think FreeRADIUS still uses eap to authenticate as well.

    But in any case I commented out the eap module line, and with that FreeRADIUS doesn't even start.

    Thanks.. I'll try installing it on another distribution here.

  5. #5

    Re: Freeradius does not authenticate - Login failure

    I had the same problem, and to solve it I had to edit /etc/freeradius/sites-enabled/inner-tunnel, uncomment the sql entry and restart FreeRADIUS.

    Hope this helps

    [ ]'s
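    Added example illustrating the fix in the reply above (not code from the thread or from FreeRADIUS): a Python checker that lists the modules actually active in the authorize section of the inner-tunnel virtual server, skipping commented-out lines and nested sub-blocks, and confirms sql is among them. The two configuration fragments inside it are constructed to resemble the Debian FreeRADIUS 2.x inner-tunnel file before and after uncommenting sql; the file as shipped has more sections and may differ in detail.

```python
"""Check which modules are actually active in a FreeRADIUS 2.x virtual-server
file, e.g. that `sql` is uncommented in the authorize section of inner-tunnel."""
from typing import List

# unlang keywords that open blocks but are not module calls
KEYWORDS = {"update", "if", "else", "elsif", "switch", "case", "foreach", "redundant",
            "group", "load-balance", "redundant-load-balance", "Auth-Type",
            "Post-Auth-Type", "Acct-Type"}

def strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()

def active_modules(config: str, server: str, section: str) -> List[str]:
    """Module names called directly in `section { }` of `server NAME { }`.
    Commented-out lines and calls inside nested sub-blocks are ignored."""
    path: List[str] = []          # block names enclosing the current line
    modules: List[str] = []
    for raw in config.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        head = line.split("{", 1)[0].strip()   # text before any opening brace
        in_target = path == [f"server {server}", section]
        if (in_target and head and not head.startswith("}")
                and "=" not in head and head.split()[0] not in KEYWORDS):
            modules.append(head.split()[0])
        for _ in range(line.count("}")):
            if path:
                path.pop()
        for _ in range(line.count("{")):
            path.append(head or "{")
    return modules

def sql_in_inner_tunnel(config: str) -> bool:
    return "sql" in active_modules(config, "inner-tunnel", "authorize")

# Constructed fragment in the shape of the Debian FreeRADIUS 2.x inner-tunnel
# file, where sql ships commented out (the real file has more sections).
SHIPPED = """
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
    #   sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
"""
# The fix from the thread: uncomment sql so the tunneled MS-CHAPv2 round can
# fetch the user's password attribute from radcheck.
FIXED = SHIPPED.replace("#   sql", "    sql")

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED), ("fixed", FIXED)):
        print(name, active_modules(cfg, "inner-tunnel", "authorize"),
              "sql enabled:", sql_in_inner_tunnel(cfg))
```

    Why this matters for the thread: with PEAP the outer Access-Request carries only the TLS tunnel, so the sql call in sites-enabled/default never sees a password (the REJECT section of the log expands %{User-Password} to an empty string). The MS-CHAPv2 exchange with the real credentials is processed by the inner-tunnel virtual server, and the user must be looked up there. Two further checks worth doing on the same setup: the radcheck row for the user must hold Cleartext-Password (or NT-Password) because the mschap module cannot compute an MS-CHAPv2 response from a hashed attribute such as Crypt-Password, and rlm_mschap in the inner tunnel sees a bare User-Name, so the same username must exist in the table exactly as the supplicant sends it. Run the checker after editing the file and before restarting, and keep in mind it only understands the simple `module`/`module { }`/keyword line shapes shown in the fragment.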