Explicit EAP failure received 0x50005

  • Hi cshsysadmin,

    >>Explicit Eap failure received

    There are many reasons that could cause “Explicit EAP failure received”. Usually we will first collect the wireless logs by enabling logging with the commands “netsh ras set tracing * enable” and “netsh wlan set tracing mode=yes” on the client when this issue is reproduced, and analyze the entries in the corresponding log file. Please post the complete logs to us; it will be helpful for the analysis.

    >>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

    It could be. Please try to give her a certificate from the server you are using.

    In addition, which authentication methods did you set to use in the network or connection request policies that you defined on the NPS server? What OS is running on the client?

    Here are some links for your reference:

    A Support Guide for Wireless Diagnostics and Troubleshooting

    http://technet.microsoft.com/en-us/library/bb457018.aspx

    Authentication Problem on a 802.1x Wireless Network

    http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

    Best Regards,

    Cartman

    Please remember to mark the replies as answers if they help and unmark them if they provide
    no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    • Marked as answer by
      rdprice_cshco.com
      Monday, March 28, 2016 3:24 PM

  • I’m back on this now Christmas is out of the way :slightly_smiling_face:

    I had some default policies still enabled on my 2016 NPS Server, which I’ve disabled. They were:

    Connection Request Policies > Use Windows authentication for all users.

    Network Policies > Connections to other access servers.

    Network Policies > Connections to Microsoft Routing and Remote Access server.

    With those 3 disabled, I’m no longer getting the following Information level event logged in Event Viewer:

    Reason code: 66

    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    Instead, I am now getting:

    Reason code: 48

    Reason: The connection request did not match any configured network policy.

    I have 3 conditions set for the Staff WiFi Network Policy:

    Condition: NAS Port Type, Value: Wireless — IEEE 802.11 OR Wireless — Other

    Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group

    Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group

    The laptop I’m testing on is a member of the Meraki Computer Group, and the user account I’m logged on with belongs to the Meraki Staff Group.

    I get a ‘Reason Code: 48’ event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:

    ————————————————————————————————————-

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
         Security ID: MYDOMAIN\ElectroDan
         Account Name: MYDOMAIN\ElectroDan
         Account Domain: MYDOMAIN
         Fully Qualified Account Name: MYDOMAIN\ElectroDan

    Client Machine:
         Security ID: NULL SID
         Account Name: —
         Fully Qualified Account Name: —
         Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
         Calling Station Identifier: 84-3A-4B-56-F4-5C

    NAS:
         NAS IPv4 Address: 10.99.108.26
         NAS IPv6 Address: —
         NAS Identifier: —
         NAS Port-Type: Wireless — IEEE 802.11
         NAS Port: —

    RADIUS Client:
         Client Friendly Name: Meraki — Purchasing
         Client IP Address: 10.99.108.26

    Authentication Details:
         Connection Request Policy Name: WiFi_Staff
         Network Policy Name: —
         Authentication Provider: Windows
         Authentication Server: DC03.mydomain.local
         Authentication Type: EAP
         EAP Type: —
         Account Session Identifier: 41413346334133424138354636383335
         Logging Results: Accounting information was written to the local log file.
         Reason Code: 48
         Reason: The connection request did not match any configured network policy.

    ————————————————————————————————————-

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
         Security ID: MYDOMAIN\ITSPARE01$
         Account Name: host/ITSPARE01.mydomain.local
         Account Domain: MYDOMAIN
         Fully Qualified Account Name: MYDOMAIN\ITSPARE01$

    Client Machine:
         Security ID: NULL SID
         Account Name: —
         Fully Qualified Account Name: —
         Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
         Calling Station Identifier: 84-3A-4B-56-F4-5C

    NAS:
         NAS IPv4 Address: 10.99.108.25
         NAS IPv6 Address: —
         NAS Identifier: —
         NAS Port-Type: Wireless — IEEE 802.11
         NAS Port: —

    RADIUS Client:
         Client Friendly Name: Meraki — Accounts
         Client IP Address: 10.99.108.25

    Authentication Details:
         Connection Request Policy Name: WiFi_Staff
         Network Policy Name: —
         Authentication Provider: Windows
         Authentication Server: DC03.mydomain.local
         Authentication Type: EAP
         EAP Type: —
         Account Session Identifier: 41433342464337434233394535444334
         Logging Results: Accounting information was written to the local log file.
         Reason Code: 48
         Reason: The connection request did not match any configured network policy.

    ————————————————————————————————————-

    A couple of things I’ve noticed.

    1) The machine account (MYDOMAIN\ITSPARE01$) is being listed in the User section, and the Client Machine section is empty.

    2) The 2nd entry (for MYDOMAIN\ITSPARE01$) is registering via a different AP (Meraki — Accounts). Both APs are within range of my test laptop.

    Fun.

    Not.

    I am having an issue with Windows 7 workstations connecting to our wireless SSID that authenticates users via the Radius server.  Windows 10 systems, mobile devices, and Mac devices are all able to authenticate and connect.

    I have the NPS set up on a Windows Server 2012 R2 box utilizing Sophos UTM 9 as a Radius Client.

    The Radius Server authenticates the user as seen below:

    [Image: post content]
    On the Windows 7 workstations, I am prompted for the user authentication (as the NPS policy is set up for).  I receive logs regarding “Explicit Eap failure received.”  Please see below for those logs.

    ————————————————————————————

    Wireless security failed.

    Network Adapter: Intel(R) Dual Band Wireless-AC 7260

    Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}

    Local MAC Address: 0C:8B:FD:CD:3A:7F

    Network SSID: PSACorporate

    BSS Type: Infrastructure

    Peer MAC Address: 00:1A:8C:8C:04:C1

    Reason: Explicit Eap failure received

    Error: 0x80074005

    Wireless 802.1x authentication failed.

    Network Adapter: Intel(R) Dual Band Wireless-AC 7260

    Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}

    Local MAC Address: 0C:8B:FD:CD:3A:7F

    Network SSID: PSACorporate

    BSS Type: Infrastructure

    Peer MAC Address: 00:1A:8C:8C:04:C1

    Identity: test1

    User: TFrazier

    Domain: PSA_NT

    Reason: Explicit Eap failure received

    Error: 0x80074005

    EAP Reason: 0x4005

    EAP Root cause String:

    EAP Error: 0x4005

    ————————————————————————————

    I have manually configured the wireless settings to avoid the PC from using the wrong creds.  Please see the wireless settings below:

    [Images: post content]
    I’ve pretty much hit a road block and could use some assistance as to where to look next.  Thanks in advance.
     
    — Tim

    I am trying to get NPS (Running Windows Server 2008 R2) setup as a RADIUS server to authenticate my wireless clients (running Windows 7 Enterprise). When attempting this, I get the following in the event log on the DC/NPS:

    — System

      — Provider

       [ Name]  Schannel
       [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}

     
       EventID 36888

     
       Version 0

     
       Level 2

     
       Task 0

     
       Opcode 0

     
       Keywords 0x8000000000000000

     
      — TimeCreated

       [ SystemTime]  2009-08-17T20:27:15.913829000Z

     
       EventRecordID 136791

     
       Correlation

     
      — Execution

       [ ProcessID]  540
       [ ThreadID]  1748

     
       Channel System

     
       Computer DOMAINCONTROLLER.domain

     
      — Security

       [ UserID]  S-1-5-18

    — EventData

      AlertDesc 20
      ErrorState 960

    And the following in the NPS log:
    "DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,1,"DOMAIN\USER","DOMAIN\user","001c1011af08","001bfcb1bd23",,,"001c1011af08","WAP IP",47,0,"WAP IP","WAP Hostname",,,19,,,,11,"Secure Wireless Connections",0,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
    "DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,3,,"DOMAIN\user",,,,,,,,0,"WAP IP","WAP Hostname",,,,,,,11,"Secure Wireless Connections",23,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

    And the following in the client security log:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/18/2009 9:13:28 AM
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      LAPTOP.domain
    Description:
    A request was made to authenticate to a wireless network.

    Subject:
          Security ID:            DOMAIN\user
          Account Name:            user
          Account Domain:            DOMAIN
          Logon ID:            0x23e79

    Network Information:
          Name (SSID):            DOMAIN-wlan
          Interface GUID:            {90952a3d-ac07-4f0d-9598-50afdea22da8}
          Local MAC Address:      00:1B:FC:B1:BD:23
          Peer MAC Address:      00:1C:10:11:AF:08

    Additional Information:
          Reason Code:            Explicit Eap failure received (0x50005)
          Error Code:            0x0
          EAP Reason Code:      0x0
          EAP Root Cause String:      
          EAP Error Code:            0x0

    The client is receiving the root certificate that has an intended purpose of <All> according to the certificate MMC snap-in. Is there some other kind of certificate I need to issue, and if so, how? Also, if I’m reading the NPS log correctly I’m getting authentication type 11 and Result Code 23 neither of which show up in http://technet.microsoft.com/en-us/library/cc771748%28WS.10%29.aspx.

    Very confused.
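    The two NPS log records in the post above can be read field by field. The following is an added example, not part of the original post: it assumes the IAS-format column order and the packet-type, authentication-type and reason-code meanings given in Microsoft's NPS log documentation (reason codes 48 and 66 are quoted from this page), and `SAMPLE` is the post's two records with plain quotes, the domain separator restored and trailing empty fields trimmed.

```python
import csv
import io

# Leading columns of an IAS-format NPS log record, in file order.
# Assumption: order as documented by Microsoft for IAS-format logs.
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time",
    "Packet-Type", "User-Name", "Fully-Qualified-Distinguished-Name",
    "Called-Station-ID", "Calling-Station-ID", "Callback-Number",
    "Framed-IP-Address", "NAS-Identifier", "NAS-IP-Address", "NAS-Port",
    "Client-Vendor", "Client-IP-Address", "Client-Friendly-Name",
    "Event-Timestamp", "Port-Limit", "NAS-Port-Type", "Connect-Info",
    "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
# Assumption: authentication-type values as documented for NPS logs.
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
              "5": "EAP", "7": "None", "8": "Custom", "11": "PEAP"}
REASONS = {
    0: "Success",
    23: "An error occurred during the NPS use of EAP; check the EAP log files",
    48: "The connection request did not match any configured network policy",
    66: "The user attempted to use an authentication method that is not "
        "enabled on the matching network policy",
}

# Constructed sample: the two records from the post, normalized as described.
SAMPLE = r'''"DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,1,"DOMAIN\USER","DOMAIN\user","001c1011af08","001bfcb1bd23",,,"001c1011af08","WAP IP",47,0,"WAP IP","WAP Hostname",,,19,,,,11,"Secure Wireless Connections",0,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120"
"DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,3,,"DOMAIN\user",,,,,,,,0,"WAP IP","WAP Hostname",,,,,,,11,"Secure Wireless Connections",23,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120"
'''


def parse_ias_line(line):
    """Split one IAS-format record and name its leading columns."""
    row = next(csv.reader(io.StringIO(line)), [])
    if len(row) < len(FIELDS):
        raise ValueError("expected at least %d fields, got %d"
                         % (len(FIELDS), len(row)))
    return dict(zip(FIELDS, row))


def summarize(line):
    """Reduce a record to the fields that explain an accept or a reject."""
    rec = parse_ias_line(line)
    reason = int(rec["Reason-Code"] or 0)
    return {
        "time": rec["Record-Date"] + " " + rec["Record-Time"],
        "packet": PACKET_TYPES.get(rec["Packet-Type"],
                                   "packet type " + rec["Packet-Type"]),
        # Reject records may leave User-Name empty; fall back to the FQ name.
        "user": rec["User-Name"] or rec["Fully-Qualified-Distinguished-Name"],
        "auth": AUTH_TYPES.get(rec["Authentication-Type"],
                               "auth type " + rec["Authentication-Type"]),
        "policy": rec["Policy-Name"],
        "reason_code": reason,
        "reason": REASONS.get(reason, "not in this table"),
    }


def rejects(text):
    """Return summaries of every Access-Reject record in a log excerpt."""
    found = []
    for line in text.splitlines():
        if line.strip():
            item = summarize(line)
            if item["packet"] == "Access-Reject":
                found.append(item)
    return found


if __name__ == "__main__":
    for entry in rejects(SAMPLE):
        print(entry)
```

    Under those assumptions the second record is an Access-Reject for a PEAP attempt with reason code 23, which points at the EAP/TLS layer rather than at policy matching.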

    [SOLVED | See edit #2]

    I saw another user have that issue on their school network back on build 10240, but I’m seeing it happen to me on the new fast ring build, 10565. Can anyone else confirm this? My event viewer is riddled with these errors after failing to connect:

    Authentication failed for EAP method type 25. The error was 0x54F    
    

    and

    EapHostPeerGetResult returned a failure.
    Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
    Reason code: 0
    Root Cause String: NULL
    Repair String: NULL
    

    The guest network is fine, since there’s no authentication (obviously)

    Is there a fix for this somewhere or will I have to resort to using ethernet/guest networking for the while?

    (I hope MS fixes this soon… this is enterprise-breaking levels of bad)

    Edit: Posted in the wrong sub, can someone help me fix this please? Made a new post linking to here for now: https://www.reddit.com/r/windowsinsiders/comments/3ort8f/8021x_peap_is_broken_with_wpa2enterprise_windows10/


    Edit #2: I GOT IT! A Software Lead Designer at MS contacted me and he walked through the issue. The fix was to add a registry key:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xc0
    

    following that, restart and try connecting again. Hopefully this helps someone else


    Greetings, friends.
    I am trying to bring up WPA2-EAP on a MikroTik. freeradius works fine for authorization on switches and a bunch of other network devices, but I cannot get WPA2-EAP configured.

    The log shows:

    (220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264
    (220)   Service-Type = Framed-User
    (220)   Framed-MTU = 1400
    (220)   User-Name = "sys"
    (220)   State = 0x9c1eed869b17f40c954b4359550f8eb4
    (220)   NAS-Port-Id = "radius"
    (220)   NAS-Port-Type = Wireless-802.11
    (220)   Acct-Session-Id = "82000020"
    (220)   Acct-Multi-Session-Id = "6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D"
    (220)   Calling-Station-Id = "80-A5-89-00-3D-A3"
    (220)   Called-Station-Id = "6E-3B-6B-F2-A3-84:Radius"
    (220)   EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d
    (220)   Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1
    (220)   NAS-Identifier = "MikroTik"
    (220)   NAS-IP-Address = 10.10.3.189
    (220) Restoring &session-state
    (220)   &session-state:Module-Failure-Message := "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
    (220) # Executing section authorize from file /radius/conf/sites-enabled/default
    (220)   authorize {
    (220)     policy filter_username {
    (220)       if (&User-Name) {
    (220)       if (&User-Name)  -> TRUE
    (220)       if (&User-Name)  {
    (220)         if (&User-Name =~ / /) {
    (220)         if (&User-Name =~ / /)  -> FALSE
    (220)         if (&User-Name =~ /@[^@]*@/ ) {
    (220)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (220)         if (&User-Name =~ /../ ) {
    (220)         if (&User-Name =~ /../ )  -> FALSE
    (220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))  {
    (220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))   -> FALSE
    (220)         if (&User-Name =~ /.$/)  {
    (220)         if (&User-Name =~ /.$/)   -> FALSE
    (220)         if (&User-Name =~ /@./)  {
    (220)         if (&User-Name =~ /@./)   -> FALSE
    (220)       } # if (&User-Name)  = notfound
    (220)     } # policy filter_username = notfound
    (220)     [preprocess] = ok
    (220)     [chap] = noop
    (220)     [mschap] = noop
    (220)     [digest] = noop
    (220) suffix: Checking for suffix after "@"
    (220) suffix: No '@' in User-Name = "sys", looking up realm NULL
    (220) suffix: No such realm "NULL"
    (220)     [suffix] = noop
    (220) eap: Peer sent EAP Response (code 2) ID 9 length 43
    (220) eap: Continuing tunnel setup
    (220)     [eap] = ok
    (220)   } # authorize = ok
    (220) Found Auth-Type = eap
    (220) # Executing group from file /radius/conf/sites-enabled/default
    (220)   authenticate {
    (220) eap: Expiring EAP session with state 0x9c1eed869b17f40c
    (220) eap: Finished EAP session with state 0x9c1eed869b17f40c
    (220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list
    (220) eap: Peer sent packet with method EAP PEAP (25)
    (220) eap: Calling submodule eap_peap to process data
    (220) eap_peap: Continuing EAP-TLS
    (220) eap_peap: [eaptls verify] = ok
    (220) eap_peap: Done initial handshake
    (220) eap_peap: [eaptls process] = ok
    (220) eap_peap: Session established.  Decoding tunneled attributes
    (220) eap_peap: PEAP state send tlv failure
    (220) eap_peap: Received EAP-TLV response
    (220) eap_peap:   The users session was previously rejected: returning reject (again.)
    (220) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
    (220) eap_peap:   to find out the reason why the user was rejected
    (220) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
    (220) eap_peap:   what went wrong, and how to fix the problem
    (220) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (220) eap: Sending EAP Failure (code 4) ID 9 length 4
    (220) eap: Failed in EAP select
    (220)     [eap] = invalid
    (220)   } # authenticate = invalid
    (220) Failed to authenticate the user
    (220) Using Post-Auth-Type Reject
    (220) # Executing group from file /radius/conf/sites-enabled/default
    (220)   Post-Auth-Type REJECT {
    (220) sql: EXPAND .query
    (220) sql:    --> .query
    (220) sql: Using query template 'query'
    rlm_sql (sql): Reserved connection (30)
    (220) sql: EXPAND %{User-Name}
    (220) sql:    --> sys
    (220) sql: SQL-User-Name set to 'sys'
    (220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())
    (220) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
    (220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
    rlm_sql_postgresql: Status: PGRES_COMMAND_OK
    rlm_sql_postgresql: query affected rows = 1
    (220) sql: SQL query returned: success
    (220) sql: 1 record(s) updated
    rlm_sql (sql): Released connection (30)
    (220)     [sql] = ok
    (220) attr_filter.access_reject: EXPAND %{User-Name}
    (220) attr_filter.access_reject:    --> sys
    (220) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (220)     [attr_filter.access_reject] = updated
    (220)     policy remove_reply_message_if_eap {
    (220)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (220)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (220)       else {
    (220)         [noop] = noop
    (220)       } # else = noop
    (220)     } # policy remove_reply_message_if_eap = noop
    (220)   } # Post-Auth-Type REJECT = updated
    (220) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
    Waking up in 0.6 seconds.
    (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
    Waking up in 0.4 seconds.
    (220) Sending delayed response
    (220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44
    (220)   EAP-Message = 0x04090004
    (220)   Message-Authenticator = 0x00000000000000000000000000000000

    What bothers me is the line
    (220) eap_peap: PEAP state send tlv failure
    but Google has not clarified the situation.

    The client is Windows 7; the connection settings are
    Microsoft EAP(PEAP) + EAP-MSCHAPv2

    Please share your experience; I will show whatever configs are needed.

    Solution:
    In mods-available/eap, the line
    default_eap_type = tls
    must be changed to
    default_eap_type = tls,peap
    (since version 3 the separator is a comma, not a space)

    and then configure mschap itself in
    mods-available/mschap

    use_mppe = yes
    require_encryption = yes
    require_strong = yes
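
    The two `EAP-Message` values in the FreeRADIUS debug output above can be decoded by hand to see where in the exchange the reject happened. The following is an added example, not part of the original post: the function names are hypothetical, the code and type numbers are the standard EAP assignments, and it assumes each EAP packet arrives in a single unfragmented attribute.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 25}  # methods whose data field carries TLS records
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Both values are copied from the debug output in the post.
PEER_RESPONSE = ("0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e"
                 "6de737d51713a7746737b0d5689bf84d")
SERVER_REPLY = "0x04090004"


def tls_records(payload):
    """List the TLS record headers found back to back in payload."""
    records, off = [], 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        records.append({
            "content": TLS_CONTENT.get(ctype, ctype),
            "version": TLS_VERSIONS.get(version, hex(version)),
            "length": length,
            # False when the record continues in a later EAP fragment.
            "complete": off + 5 + length <= len(payload),
        })
        off += 5 + length
    return records


def decode_eap(hexstr):
    """Decode the EAP header and, for EAP-TLS/PEAP, the TLS record headers."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "complete": length == len(raw), "type": None, "tls": []}
    # Only Request and Response packets carry a type byte and method data.
    if code in (1, 2) and len(raw) > 4:
        etype = raw[4]
        out["type"] = EAP_TYPES.get(etype, etype)
        if etype in TLS_BASED and len(raw) > 5:
            flags = raw[5]
            out["flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
            # A 4-byte TLS message length follows the flags when L is set.
            off = 6 + (4 if flags & 0x80 else 0)
            out["tls"] = tls_records(raw[off:])
    return out


if __name__ == "__main__":
    print(decode_eap(PEER_RESPONSE))
    print(decode_eap(SERVER_REPLY))
```

    The peer's packet decodes to a PEAP Response carrying one TLS 1.0 application_data record, matching the log's "Session established. Decoding tunneled attributes": the TLS tunnel was already up when the server answered with EAP Failure.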
