Tags: openssl, raspberry-pi, radius, freeradius, access-point

Freeradius always rejects Access-Requests


I'm trying to set up a FreeRADIUS server on a Raspberry Pi B in connection with a WLAN access point. I created the certificates just as described in the Readme files. When I try to log in on the access point I get the following debug output from the server.

    ... adding new socket proxy address * port 60940
    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.155.44 port 3072, id=239, length=174
        User-Name = "14cc20-1a6f73"
        User-Password = "\312G'\275\3138\034\036\020\t\022ZE\243\376N"
        NAS-Identifier = "Access-Point"
        NAS-IP-Address = 192.168.155.44
        Called-Station-Id = "EC-E5-55-FF-D2-B8:Access-Point"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        NAS-Port = 1
        NAS-Port-Id = "1"
        Calling-Station-Id = "14-CC-20-1A-6F-73"
        Connect-Info = "CONNECT 150 Mbps 802.11g/n"
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "14cc20-1a6f73", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
    Failed to authenticate the user.
      WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> 14cc20-1a6f73
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request

I wrote the user to the users file as

    ExampleUser Cleartext-Password := "PASSWORD"

What bothers me is that the User-Password and User-Name seem to be sent to the server in an encrypted format, which might be the reason why it does not work, but I have no idea what causes this. I'm trying to log in over WPA/WPA2 Enterprise with PEAP V0 MSCHAPv2 on Xubuntu, which should work. If I choose Dynamic WEP (802.1x), the RADIUS server does not even receive a request (I'm monitoring traffic with tshark).


Solution

  • The User-Name is not sent from the server in an encrypted format; the User-Password is. There's no way for FreeRADIUS to check if decryption was successful, so the only way you know is if the decrypted password matches the user's password.

    A good hint: if the password contains lots of unprintable chars, as the one above does, then it's likely the secret between the RADIUS server and the NAS is incorrect.

    If you fix that, you should see the actual password in debug output, and you can then work on getting the server to send an accept.
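To illustrate the answer's point about the hidden User-Password, here is an added example (not code from the question, the answer or FreeRADIUS itself) implementing the RFC 2865 section 5.2 password-hiding scheme in Python. It shows that the server can only recover the cleartext when its secret matches the NAS's, and that a mismatched secret yields exactly the kind of unprintable bytes seen in the debug output above. The Request Authenticator and both shared secrets are constructed sample values.

```python
import hashlib
import string

# Constructed sample values (not from the question): a 16-byte Request Authenticator
# as the NAS would put in the Access-Request header, and two candidate shared secrets.
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"testing123"      # what the access point was configured with
WRONG_SECRET = b"testing124"    # an off-by-one typo in clients.conf on the server


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets
    (at least 16), then XOR each block with MD5(secret + previous ciphertext block),
    seeding the chain with the Request Authenticator. This is what the NAS does."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse. Nothing here tells us whether `secret` was right:
    a wrong secret simply produces a different, pseudo-random byte string."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind FreeRADIUS's "Unprintable characters in the password"
    warning: a real password is printable, MD5 keystream garbage almost never is."""
    return any(c not in string.printable.encode() for c in password)


def check_secret(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    decrypted = reveal_user_password(hidden, secret, authenticator)
    if has_unprintable(decrypted):
        return "unprintable password: double-check the shared secret on server and NAS"
    return f"decrypted User-Password = {decrypted.decode()}"


if __name__ == "__main__":
    hidden = hide_user_password(b"PASSWORD", NAS_SECRET, AUTHENTICATOR)
    print(check_secret(hidden, NAS_SECRET, AUTHENTICATOR))    # cleartext recovered
    print(check_secret(hidden, WRONG_SECRET, AUTHENTICATOR))  # the symptom from the question
```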