02-20-2020 07:29 PM
We have C35 Extreme EWC WIFI Controller.
I need to authenticate wifi users with an external Freeradius server running on a VMWare host.
I cannot find guidelines for implementing/configuring this solution on both the C35 and the Freeradius server side.
Any help is much appreciated.
Currently and temporarily I am testing the authentication with a Radiusdesk server.
The error I got from the Freeradius (now Radiusdesk) debug output is the following:
(6) Received Access-Request Id 24 from 10.91.1.10:56363 to 10.91.1.191:1812 length 193
(6) User-Name = "sandro@meshdesk"
(6) NAS-IP-Address = 10.91.231.10
(6) NAS-Port = 102
(6) Framed-MTU = 1400
(6) Called-Station-Id = "D88466D899D8"
(6) Acct-Session-Id = "M19cfa54e0001"
(6) Calling-Station-Id = "34028601D209"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Identifier = "GT-VNS.2"
(6) EAP-Message = 0x0236002919800000001f150303001a0000000000000001f110cf2add66881a53241d5ba2c51cd60dd2
(6) State = 0x981aa3849d2cba321a51838d77a5a723
(6) Message-Authenticator = 0xe02c8ba40bda1404439d2b360d253306
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy RADIUSdesk_filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy RADIUSdesk_filter_username = notfound
(6) policy RADIUSdesk_rewrite_calling_station_id {
(6) if (&request:Calling-Station-Id){
(6) if (&request:Calling-Station-Id) -> TRUE
(6) if (&request:Calling-Station-Id) {
(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(6) update request {
(6) EXPAND %{1}-%{2}-%{3}-%{4}-%{5}-%{6}
(6) --> 34-02-86-01-D2-09
(6) Calling-Station-Id := 34-02-86-01-D2-09
(6) } # update request = noop
(6) } # if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) = noop
(6) ... skipping else: Preceding "if" was taken
(6) } # if (&request:Calling-Station-Id) = noop
(6) ... skipping else: Preceding "if" was taken
(6) } # policy RADIUSdesk_rewrite_calling_station_id = noop
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "meshdesk" for User-Name = "sandro@meshdesk"
(6) suffix: No such realm "meshdesk"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 54 length 41
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x981aa3849d2cba32
(6) eap: Finished EAP session with state 0x981aa3849d2cba32
(6) eap: Previous EAP request found for state 0x981aa3849d2cba32, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 31 bytes
(6) eap_peap: Got complete TLS record (31 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< recv TLS 1.2 [length 0002]
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) eap_peap: WARNING: No data inside of the tunnel
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state ?
(6) eap_peap: ERROR: Tunneled data is invalid
(6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 54 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> sandro@meshdesk
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) if (reply:Reply-Message =~ /You are already logged in/i){
(6) ERROR: Failed retrieving values required to evaluate condition
(6) policy RADIUSdesk_last_reject {
(6) if (EAP-Message){
(6) if (EAP-Message) -> TRUE
(6) if (EAP-Message) {
(6) if (!&reply:Reply-Message){
(6) if (!&reply:Reply-Message) -> TRUE
(6) if (!&reply:Reply-Message) {
(6) update reply {
(6) Reply-Message := "Most likely PEAP failure. Run in debug"
(6) } # update reply = noop
(6) } # if (!&reply:Reply-Message) = noop
(6) } # if (EAP-Message) = noop
(6) EXPAND %{User-Name}
(6) --> sandro@meshdesk
(6) SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (1)
(6) Executing query: UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where username='sandro@meshdesk'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'rd' on Localhost via UNIX socket, server version 5.7.18-0ubuntu0.16.04.1, protocol version 10
(6) EXPAND %{sql:UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where username='%{User-Name}'}
(6) --> 1
(6) EXPAND %{User-Name}
(6) --> sandro@meshdesk
(6) SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (2)
(6) Executing query: UPDATE `devices` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='34-02-86-01-D2-09'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(6) SQL query affected no rows
rlm_sql (sql): Released connection (2)
(6) EXPAND %{sql:UPDATE `devices` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{Calling-Station-Id}'}
(6) -->
(6) EXPAND %{User-Name}
(6) --> sandro@meshdesk
(6) SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (3)
(6) Executing query: UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='sandro@meshdesk'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(6) SQL query affected no rows
rlm_sql (sql): Released connection (3)
(6) EXPAND %{sql:UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{User-Name}'}
(6) -->
(6) } # policy RADIUSdesk_last_reject = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 24 from 10.91.1.191:1812 to 10.91.1.10:56363 length 84
(6) EAP-Message = 0x04360004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) Reply-Message := "Most likely PEAP failure. Run in debug"
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 204 with timestamp +17
(1) Cleaning up request packet ID 187 with timestamp +17
(2) Cleaning up request packet ID 168 with timestamp +17
(3) Cleaning up request packet ID 247 with timestamp +17
(4) Cleaning up request packet ID 164 with timestamp +17
(5) Cleaning up request packet ID 194 with timestamp +17
(6) Cleaning up request packet ID 24 with timestamp +17
Ready to process requests
03-21-2020 06:46 AM
It looks like you have EAP/inner tunnel problems. Please verify EAP settings on both the client and the Freeradius server. What certificate are you using?
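As an added example (not part of the original posts), the two EAP-Message values from the debug output above can be decoded by hand to see what the client actually sent before the reject. The function name `decode_eap` and the lookup tables are this example's own; the hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Values copied from the Access-Request and Access-Reject in the log above.
REQUEST_EAP = "0x0236002919800000001f150303001a0000000000000001f110cf2add66881a53241d5ba2c51cd60dd2"
REJECT_EAP = "0x04360004"

def decode_eap(hex_value):
    """Decode an EAP-Message attribute as FreeRADIUS prints it (0x...)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} != attribute length {len(data)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length == 4:       # Success/Failure carry no type
        return out
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type not in (13, 21, 25) or length < 6:
        return out                          # not a TLS-based method
    flags, pos = data[5], 6
    out["length_included"] = bool(flags & 0x80)
    out["more_fragments"] = bool(flags & 0x40)
    if flags & 0x80:                        # 4-byte total TLS message length
        if length < 10:
            raise ValueError("L flag set but TLS length field is missing")
        out["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    out["records"] = []
    while pos + 5 <= len(data):             # walk the TLS record headers
        ctype, version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        out["records"].append({"content_type": TLS_CONTENT.get(ctype, ctype),
                               "version": TLS_VERSIONS.get(version, hex(version)),
                               "length": rlen})
        pos += 5 + rlen
    return out

if __name__ == "__main__":
    print(decode_eap(REQUEST_EAP))
    print(decode_eap(REJECT_EAP))
```

The client's last PEAP response carries a single TLS 1.2 record of content type alert, which is the message the server logs as `TLS Alert read:fatal:access denied`; the server then answers with a bare EAP Failure for the same ID 54.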