
Good morning,

I've been running an instance of freeradius 3.0 to provide WPA2-Enterprise authentication on my wireless LAN. Authentication against the AD works like a charm using ntlm_auth, but now I'm trying to authenticate users who are not in the AD via SQL. Looking at the freeradius debug output, it seems that freeradius finds the user (and the Cleartext-Password) in the SQL database during authorize, but then in a second step the inner-tunnel EAP-MSCHAPv2 authentication still runs mschap with ntlm_auth, which of course fails for a user that does not exist in the AD. Why doesn't the server stop after authorizing against the SQL database? Can someone help me?

(6) eap_peap:   EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6) eap_peap: Setting User-Name to testuser2
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "testuser2"
(6) eap_peap:   State = 0xda5f2291da153815c9b3938e14e46d4e
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "testuser2"
(6)   State = 0xda5f2291da153815c9b3938e14e46d4e
(6) server inner-tunnel {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "testuser2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 74 length 68
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6)       [eap] = updated
(6)       [files] = noop
(6) sql: EXPAND %{User-Name}
(6) sql:    --> testuser2
(6) sql: SQL-User-Name set to 'testuser2'
rlm_sql (sql): Reserved connection (0)
(6) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser2' ORDER BY id
(6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser2' ORDER BY id
(6) sql: User found in radcheck table
(6) sql: Conditional check items matched, merging assignment check items
(6) sql:   Cleartext-Password := "test123"
(6) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser2' ORDER BY id
(6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser2' ORDER BY id
(6) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(6) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'testuser2' ORDER BY priority
(6) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser2' ORDER BY priority
(6) sql: User found in the group table
(6) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(6) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Group "dynamic": Conditional check items matched
(6) sql: Group "dynamic": Merging assignment check items
(6) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(6) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Group "dynamic": Merging reply items
(6) sql:   Framed-Compression := Van-Jacobson-TCP-IP
(6) sql:   Framed-Protocol := PPP
(6) sql:   Service-Type := Framed-User
(6) sql:   Acct-Interim-Interval = 60
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on wsrv01.wiesneth.local via TCP/IP, server version 5.5.57-MariaDB, protocol version 10
(6)       [sql] = ok
(6)       [expiration] = noop
(6)       [logintime] = noop
(6) pap: WARNING: Auth-Type already set.  Not setting to PAP
(6)       [pap] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Expiring EAP session with state 0xda5f2291da153815
(6) eap: Finished EAP session with state 0xda5f2291da153815
(6) eap: Previous EAP request found for state 0xda5f2291da153815, released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) eap_mschapv2:   authenticate {
(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Found Cleartext-Password, hashing to create LM-Password
(6) mschap: Creating challenge hash with username: testuser2
(6) mschap: Client is using MS-CHAPv2
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(6) mschap:    --> --username=testuser2
(6) mschap: Creating challenge hash with username: testuser2
(6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(6) mschap:    --> --challenge=bdc871a668fce458
(6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(6) mschap:    --> --nt-response=081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc
(6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(6) mschap: External script failed
(6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6)     [mschap] = reject
(6)   } # authenticate = reject
(6) eap: Sending EAP Failure (code 4) ID 74 length 4
(6) eap: Freeing handler
(6)       [eap] = reject
(6)     } # authenticate = reject
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) sql: EXPAND .query
(6) sql:    --> .query
(6) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(6) sql: EXPAND %{User-Name}
(6) sql:    --> testuser2
(6) sql: SQL-User-Name set to 'testuser2'
(6) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(6) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser2', '', 'Access-Reject', '2020-11-28 10:36:44')
(6) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser2', '', 'Access-Reject', '2020-11-28 10:36:44')
(6) sql: SQL query returned: success
(6) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(6)       [sql] = ok
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> testuser2
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)       update outer.session-state {
(6)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)\''
(6)       } # update outer.session-state = noop
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
maxulm
