Hello everyone,
I set up WPA2-Enterprise about a year ago exactly as described here.
Everything worked wonderfully and I was satisfied.
Since the previous update of the LMN there had already been problems with logging in, but restarting the APs helped then. They apparently had the hiccups.
Now, after the latest update, it no longer works at all.
I first checked whether any config files had changed, and yes, I found a change in
/etc/samba/smb.conf
where ntlm auth = yes was missing.
At the very bottom of the file, however, it says that changes should be entered in /etc/samba/smb.conf.admin.
I did that as well and restarted the AD service; unfortunately it still does not work.
Here is the output from the freeradius debug log:
(8) Received Access-Request Id 251 from 172.16.16.5:36544 to 10.16.1.1:1812 length 268
(8) User-Name = "maxmuster"
(8) NAS-Identifier = "b4fbe44d9158"
(8) Called-Station-Id = "B4-FB-E4-4D-91-58:Lehrer-WLAN"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "AC-AF-B9-8A-F0-2C"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "DE00678CF62DCA4A"
(8) Acct-Multi-Session-Id = "D2F5F03EBFEC1871"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x02fb002e190017030300230000000000000003b52036f21799bad6526a3fb1f5830d9e00a48f63205b7c76044ea3
(8) State = 0x061eae5701e5b7c8d7443e44b29f7f43
(8) Message-Authenticator = 0x0af41675ca2364f9c54a9c19d95e3ddf
(8) Restoring &session-state
(8) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "maxmuster", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 251 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x061eae5701e5b7c8
(8) eap: Finished EAP session with state 0x061eae5701e5b7c8
(8) eap: Previous EAP request found for state 0x061eae5701e5b7c8, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 251 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> maxmuster
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 251 from 10.16.1.1:1812 to 172.16.16.5:36544 length 44
(8) EAP-Message = 0x04fb0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 243 with timestamp +12
(1) Cleaning up request packet ID 244 with timestamp +12
(2) Cleaning up request packet ID 245 with timestamp +12
(3) Cleaning up request packet ID 246 with timestamp +12
(4) Cleaning up request packet ID 247 with timestamp +12
(5) Cleaning up request packet ID 248 with timestamp +12
(6) Cleaning up request packet ID 249 with timestamp +12
(7) Cleaning up request packet ID 250 with timestamp +12
(8) Cleaning up request packet ID 251 with timestamp +12
Ready to process requests
Can someone help me find the problem?
Best regards, Pascal
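
Added example, not part of the original post: a small Python script that groups freeradius debug lines by request number and extracts the Module-Failure-Message with its NTSTATUS code, which is the earlier message the eap_peap error in the log above points to. The sample log is constructed in the shape of the output quoted in the post (request 9 is invented), and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the freeradius debug output quoted in the post.
SAMPLE_LOG = '''\
(8) Received Access-Request Id 251 from 172.16.16.5:36544 to 10.16.1.1:1812 length 268
(8) User-Name = "maxmuster"
(8) Calling-Station-Id = "AC-AF-B9-8A-F0-2C"
(8) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
(8) Sent Access-Reject Id 251 from 10.16.1.1:1812 to 172.16.16.5:36544 length 44
(9) User-Name = "erika"
(9) Sent Access-Accept Id 252 from 10.16.1.1:1812 to 172.16.16.5:36544 length 0
Waking up in 3.8 seconds.
'''

# A few NTSTATUS logon codes and their symbolic names.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LINE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(8) rest of line"
ATTR = re.compile(r'^(User-Name|Calling-Station-Id) = "([^"]*)"$')
FAIL = re.compile(r'Module-Failure-Message := "(.*)"$')
CODE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")      # "(0xc000006d)", not "(1)"
SENT = re.compile(r"^Sent (Access-\w+) Id \d+")

def triage(log_text):
    """Group debug lines by request number; return {number: summary dict}."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "Waking up in ..." carries no request number
        req = requests.setdefault(
            int(m.group(1)), {"failures": [], "ntstatus": [], "result": None})
        body = m.group(2)
        if (a := ATTR.match(body)):
            req.setdefault(a.group(1), a.group(2))
        elif (f := FAIL.search(body)):
            req["failures"].append(f.group(1))
            for code in CODE.findall(f.group(1)):
                req["ntstatus"].append(NTSTATUS.get(int(code, 16), code))
        elif (s := SENT.match(body)):
            req["result"] = s.group(1)
    return requests

def rejected(log_text):
    """Return only the requests that ended in Access-Reject."""
    return {n: r for n, r in triage(log_text).items() if r["result"] == "Access-Reject"}
```

For the log in the post this reports request 8 as rejected with STATUS_LOGON_FAILURE coming from the mschap module's helper program, so the failure is in the NTLM check against the directory rather than in the TLS tunnel setup.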