I would like to authenticate my Windows XP wireless users with freeradius against an AD. Tests with the local ntlm_auth against the AD worked fine, as did radtest with a local user in the users file.
It seems to me that the problem is somewhere here:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet"
But I have no idea what the server does not like. The whole debug output is below. Any help is greatly appreciated.
regards
stefan
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 2 2009 at 13:59:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
  prefix = "/usr"
  localstatedir = "/var"
  logdir = "/var/log/freeradius"
  libdir = "/usr/lib/freeradius"
  radacctdir = "/var/log/freeradius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = "/var/run/freeradius/freeradius.pid"
  checkrad = "/usr/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123-1"
  shortname = "localhost"
  nastype = "other"
}
client 10.0.0.1 {
  require_message_authenticator = no
  secret = "testing123-1"
  shortname = "wireless"
  nastype = "others"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating pap
    pap {
      encryption_scheme = "auto"
      auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating chap
    Module: Linked to module rlm_mschap
    Module: Instantiating mschap
    mschap {
      use_mppe = no
      require_encryption = yes
      require_strong = yes
      with_ntdomain_hack = yes
      ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-mydomain:-mydomain} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    Module: Linked to module rlm_unix
    Module: Instantiating unix
    unix {
      radwtmp = "/var/log/freeradius/radwtmp"
    }
    Module: Linked to module rlm_eap
    Module: Instantiating eap
    eap {
      default_eap_type = "peap"
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
      max_sessions = 2048
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      pem_file_type = yes
      private_key_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.key"
      certificate_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.crt"
      CA_file = "/etc/freeradius/certs/demoCA/CA_cert.crt"
      private_key_password = "WireKey*!4"
      dh_file = "/etc/freeradius/certs/dh"
      random_file = "/etc/freeradius/certs/random"
      fragment_size = 1024
      include_length = yes
      check_crl = no
      cipher_list = "DEFAULT"
      cache {
        enable = no
        lifetime = 24
        max_entries = 255
      }
    }
    Module: Linked to sub-module rlm_eap_peap
    Module: Instantiating eap-peap
    peap {
      default_eap_type = "mschapv2"
      copy_request_to_tunnel = yes
      use_tunneled_reply = no
      proxy_tunneled_request_as_eap = no
      virtual_server = "inner-tunnel"
    }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
      with_ntdomain_hack = no
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_realm
    Module: Instantiating suffix
    realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
    }
    Module: Linked to module rlm_files
    Module: Instantiating files
    files {
      usersfile = "/etc/freeradius/users"
      acctusersfile = "/etc/freeradius/acct_users"
      preproxy_usersfile = "/etc/freeradius/preproxy_users"
      compat = "no"
    }
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating radutmp
    radutmp {
      filename = "/var/log/freeradius/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      perm = 384
      callerid = yes
    }
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: Instantiating attr_filter.access_reject
    attr_filter attr_filter.access_reject {
      attrsfile = "/etc/freeradius/attrs.access_reject"
      key = "%{User-Name}"
    }
  }
}
modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique
  Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
  Module: Checking accounting {...} for more modules to load
  Module: Linked to module rlm_detail
  Module: Instantiating detail
  detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
  Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/freeradius/attrs.accounting_response"
    key = "%{User-Name}"
  }
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=145
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0xa1f051e8488f5a50cb044187a8c4c674
  EAP-Message = 0x02010010015a4830315c532e486f747a
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.0.0.1 port 1645
  EAP-Message = 0x010200061920
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e80eb716d23cf4280d3865bd8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=105, length=253
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0x8ea63d676026bf116dc956f454e8088e
  EAP-Message = 0x0202006a1900160301005f0100005b03014ab1f239fed58a9540ea7eeff0e2d184bfde52a76c671ae71e9ecf769581c7ff00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e80eb716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 106
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005f], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 05ce], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.0.0.1 port 1645
  EAP-Message = 0x0103040019c00000071d160301002a0200002603014ab1f237fbca05f523e033ce4b7b8ef2489ee1d6fe7016bbe3ffc2f4ab5acb540000390016030105ce0b0005ca0005c7000302308202fe30820267a003020102020103300d06092a864886f70d0101040500304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b301e170d3038313230343037333630395a170d3133313230333037333630395a3066310b3009060355040613026368310b3009060355040813027a68310c300a060355040a13
  EAP-Message = ...
  EAP-Message = ...
  EAP-Message = ...
  EAP-Message = 0x13027a68310f300d06035504
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e81ea716d23cf4280d3865bd8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=106, length=153
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0x918316a7a500e443230e4bbc47d5ad7d
  EAP-Message = 0x020300061900
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e81ea716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.0.0.1 port 1645
  EAP-Message = ...
  EAP-Message = 0x551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181009b2b4c150f7620aaf113a2855c0750f0f50f3265f6dc9fd8fc45c87192e5989f36e2b223cce00d9c2e289c59d7f552348f1befc5041ea840047c8c51b742070d2038a1d8f30d149f97b4cbfc136bfa0953625647d75e1865d30c12c56cd30417e427107d7ac14ab8
  EAP-Message = ...
  EAP-Message = 0x1fee35da981a6e3f4939e5c3e0187867094c41b1e6bf6da839f737f42dfefea18aa18718509de0791f15edde5316030100040e000000
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e82ed716d23cf4280d3865bd8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=107, length=287
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0xf6e713150b71eaf618f12fde46e3bcbb
  EAP-Message = 0x0204008c190016030100461000004200401c3ab7dc1a753b6ae3020d96d1d144cadf21b5f3422a6783f77bc954b33441514b12044ddacd7ca955d4e1c23c8fc697df9f9e4cdd9361aca2ed8f9ac3f1e04314030100010116030100309180e1b3bc25f45e673fbe76685a95ecc6440b1b0309c47624f75142ae6c9ada63fa12674301b56444c21b450c6b32e7
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e82ed716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 140
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.0.0.1 port 1645
  EAP-Message = 0x010500411900140301000101160301003020196b841f13a063342315f0272e8781d4be5a2e7147e5bdbbfbdc21aeef3d4ea2affdacf672abbd8534b15150719e00
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e83ec716d23cf4280d3865bd8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=108, length=153
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0x4e257a44e0eb615236e7e6132d5d661f
  EAP-Message = 0x020500061900
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e83ec716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.0.0.1 port 1645
  EAP-Message = 0x0106002b190017030100204ac0995a7016dc6e2823fe58aa1a8ff6714e685167aa9168e2a18516a34ce6d6
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e84ef716d23cf4280d3865bd8
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=109, length=243
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0xa1c6ce6def0c9de02466b5c65e1cf9c3
  EAP-Message = 0x0206006019001703010020d89c686f3a414d7446d857dee8506108223b5dc794ab421d80fb05f03f0a2bd21703010030de672b9ad28edfa510afb0379d769393b37e8de8f1cc4e4f7e9153bc4b7c4b9ccae6f4b26cc5a1bf7fcdc31537a79ea0
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e84ef716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - mydomain\user
[peap] Got tunnled request
  EAP-Message = 0x02060010017a6830315c732e686f747a
server (null) {
  PEAP: Got tunneled identity of mydomain\user
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
  EAP-Message = 0x02060010017a6830315c732e686f747a
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
  EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
  EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 109 to 10.0.0.1 port 1645
  EAP-Message = 0x0107004b19001703010040fd04cc1b4a2605a649d63355aabdeb2632f6f349527cb4013d00d87573592aab6137e23b1f600379195c551950397cce371207f6be612863a7984b38637b9992
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e85ee716d23cf4280d3865bd8
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=110, length=291
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0x1cd29e39402a6e840e8f6556bf46928e
  EAP-Message = 0x0207009019001703010020bd76d0b1af16c027e5a9da101b14ee7fe6ff2cf97814650047851242be007a711703010060c32b500bc499db805ab72b291f00d4005f04d993d16bb7061e2d52b47c7d9556b3c7c11b69878df2bb9d162d0785d085987181a73a81d9315139e4662efa7b54369921d174a6047bb7746897a46c93a795a8ebc3c4856481f9e1323ad8bcbdb5
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e85ee716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
  EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
server (null) {
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
  EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "mydomain\\user"
  State = 0x03371cd203300629664a8ed6dcdcbe2d
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user with NT-Password
  expand: --domain=%{mschap:NT-mydomain:-mydomain} -> --domain=mydomain
  expand: --username=%{mschap:User-Name:-None} -> --username=user
[mschap] mschap2: c5
  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8660dea0f174464c
  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4
Exec-Program output: NT_KEY: B9C1923227672CF3D5079723D78E41A0
Exec-Program-Wait: plaintext: NT_KEY: B9C1923227672CF3D5079723D78E41A0
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
  EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
  EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.0.0.1 port 1645
  EAP-Message = 0x0108005b1900170301005055895bdec32accf23e83a028b4dacbd15c004660b5f7894904db99814756478b5e75b0d7784be8499937b31e7b49ac566dea2f9ffcfec48f52c6187290e8531f7f1f1227f27d7b589aea4033a7d24ea9
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e86e1716d23cf4280d3865bd8
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=111, length=227
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0xca25c9fefffe68fb16b7540330f886cd
  EAP-Message = 0x0208005019001703010020218fcc3ddf31542a1f4561375cb7b54f876cad08360a35bbee7cffcc512cd1a1170301002029173c496b16779ef3bb3d5172702d36c240bd8357def389fac4eb3212046f6e
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e86e1716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
  EAP-Message = 0x020800061a04
server (null) {
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
  EAP-Message = 0x020800061a04
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "mydomain\\user"
  State = 0x03371cd2023f0629664a8ed6dcdcbe2d
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
  EAP-Message = 0x04080004
  Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
  EAP-Message = 0x04080004
  Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 111 to 10.0.0.1 port 1645
  EAP-Message = 0x0109002b19001703010020b12908003d5c6d7d90cd3130cf111d70753d81ca7757744970195793cf356978
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x80e9682e87e0716d23cf4280d3865bd8
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=112, length=227
  User-Name = "mydomain\\user"
  Framed-MTU = 1400
  Called-Station-Id = "000d.2868.4801"
  Calling-Station-Id = "000e.3560.3e95"
  Service-Type = Login-User
  Message-Authenticator = 0x508935028611f6b0a47361317bf28b8f
  EAP-Message = 0x02090050190017030100203ce39908b6bbd121e3b74f1b47e4df5e0a3b29c6bad8add51bdfad7e96ecb35917030100208618b9c909461c0afd54c4187f4fc76076ec42ed2d702e7cdd3e3099dc3b0f6b
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 4392
  State = 0x80e9682e87e0716d23cf4280d3865bd8
  NAS-IP-Address = 10.0.0.1
  NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
  expand: %{User-Name} -> mydomain\user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 112 to 10.0.0.1 port 1645
  EAP-Message = 0x04090004
  Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
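The following is an added example, not part of stefan's post and not FreeRADIUS code. It decodes the EAP-Message values from the inner-tunnel part of the log above (the hex strings are copied from the posted debug output; identity payloads are deliberately left undecoded) using only the Python standard library. The point it makes concrete is where "rlm_eap_mschapv2: Invalid response type 4" comes from: inside EAP type 26 (MS-CHAPv2) opcode 4 is Failure, and the packet 0x020800061a04 is the client's Failure response sent straight after the server's Success-Request (opcode 3), whose body is the authenticator-response string "S=..." that the client checks against its own computation. The packet layout follows RFC 3748 for the EAP header and the EAP-MSCHAPv2 draft (draft-kamath-pppext-eap-mschapv2) for the type data; the function and variable names are this example's own.

```python
"""Decode EAP-Message hex from a FreeRADIUS debug log (added example).

EAP header (RFC 3748): code(1) id(1) length(2) [type(1) type-data].
EAP-MSCHAPv2 type-data (EAP type 26): opcode(1) ms_id(1) ms_length(2) body,
except for the peer's Failure Response, which is the bare opcode 4.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}


def decode_eap(hex_attr):
    """Parse one EAP-Message value ("0x..." exactly as radiusd -X prints it)."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} does not match {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):  # EAP Success / Failure carry no type field
        return pkt
    pkt["type"] = raw[4]
    data = raw[5:]
    if raw[4] == EAP_TYPE_IDENTITY:
        pkt["identity_len"] = len(data)  # the name itself is deliberately not decoded
    elif raw[4] == EAP_TYPE_MSCHAPV2:
        pkt["mschapv2"] = decode_mschapv2(data)
    return pkt


def decode_mschapv2(data):
    """Parse the EAP-MSCHAPv2 type-data (EAP type 26)."""
    opcode = data[0]
    info = {"opcode": opcode, "name": MSCHAPV2_OPCODES.get(opcode, f"unknown({opcode})")}
    if opcode == 4 and len(data) == 1:
        return info  # peer's Failure Response: nothing after the opcode
    ms_len = int.from_bytes(data[2:4], "big")
    if ms_len != len(data):
        raise ValueError(f"MS-Length {ms_len} does not match {len(data)} bytes")
    info["ms_id"] = data[1]
    body = data[4:]
    if opcode == 1:                       # Challenge: value_size, challenge, name
        size = body[0]
        info["challenge"] = body[1:1 + size].hex()
    elif opcode == 2:                     # Response: value_size(49), response, name
        size = body[0]
        resp = body[1:1 + size]
        if size != 49 or len(resp) != 49:
            raise ValueError("MS-CHAPv2 response value must be 49 bytes")
        info["peer_challenge"] = resp[0:16].hex()  # bytes 16..23 are reserved zeros
        info["nt_response"] = resp[24:48].hex()
        info["flags"] = resp[48]
    elif opcode in (3, 4):                # Success / Failure Request: ASCII message
        info["message"] = body.decode("ascii")
    return info


# Inner-tunnel EAP-Message values copied from the posted debug output, in the
# order they appear; the first element says which side sent the packet.
TUNNELED_EXCHANGE = [
    ("client", "0x02060010017a6830315c732e686f747a"),  # EAP Identity
    ("server", "0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a"),
    ("client", "0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000"
               "758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a"),
    ("server", "0x010800331a0307002e533d324235384437383744333746353144333138464137363434"
               "32333539463034384645433535353044"),
    ("client", "0x020800061a04"),
    ("server", "0x04080004"),
]


def describe(hex_attr):
    """One-line reading of a packet, e.g. 'Response id=8 len=6 MS-CHAPv2 Failure'."""
    p = decode_eap(hex_attr)
    s = f"{p['code']} id={p['id']} len={p['length']}"
    if "mschapv2" in p:
        s += f" MS-CHAPv2 {p['mschapv2']['name']}"
        if "message" in p["mschapv2"]:
            s += f" {p['mschapv2']['message']}"
    elif p.get("type") == EAP_TYPE_IDENTITY:
        s += " Identity"
    return s


def diagnose(exchange):
    """Explain an MS-CHAPv2 failure from the packet sequence, or return None."""
    decoded = [(who, decode_eap(h)) for who, h in exchange]
    for (prev_who, prev), (who, cur) in zip(decoded, decoded[1:]):
        if who != "client" or cur.get("mschapv2", {}).get("opcode") != 4:
            continue
        prev_ms = prev.get("mschapv2", {})
        if prev_who == "server" and prev_ms.get("opcode") == 3:
            return ("client answered the server's Success-Request with a Failure "
                    "response, i.e. it rejected the authenticator response "
                    + prev_ms["message"])
        return "client sent an MS-CHAPv2 Failure response"
    return None


if __name__ == "__main__":
    for who, h in TUNNELED_EXCHANGE:
        print(f"{who:6} {describe(h)}")
    print(diagnose(TUNNELED_EXCHANGE))
```

Run as a script it prints one line per tunneled packet followed by the diagnosis. The decoded Response packet carries the same NT-Response the log passes to ntlm_auth (758dee0f...74c4), and the server's Success-Request carries the S= authenticator response; the client's bare opcode-4 reply to that is what rlm_eap_mschapv2 reports as "Invalid response type 4", which is why the next thing to compare is the server-side and client-side computation of that authenticator response rather than the NT-Response itself.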