PEAP Machine Authentication
Michael Griego
mgriego at utdallas.edu
Mon Nov 14 20:16:29 CET 2005
Is your machine truly a member of your AD domain? If so, it's not
sending a fully qualified domain name for some reason. Therefore the
code is setting the domain to the same as the machine name. I've only
ever seen Windows send *just* the machine name without the domain name
when the machine was standalone (not a domain member).
--Mike
Jérémy Cluzel wrote:
> Hi,
>
> I'm trying to set up PEAP authentication with the rlm_mschap.c /
> cli_netlogon.c hacks provided by M. Griego.
> The user auth is still working (as before), but the computer auth still isn't...
> (a copy of the debug log is in the attachment)
>
> According to the log, the rlm_mschap seems to be effective, but is there
> any way to check that the samba patch is effective too?
>
> I use a "patched" FR 1.0.5 and a "patched" samba-3.0.20b,1 under FreeBSD
> 5.3-RELEASE
>
> Regards,
>
> Jeremy
>
>
> ------------------------------------------------------------------------
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/var"
> main: logdir = "/var/log"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/var/log/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded eap
> eap: default_eap_type = "peap"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = yes
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> tls: random_file = "/usr/local/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Initializing the thread pool...
> thread: start_servers = 5
> thread: max_servers = 32
> thread: min_spare_servers = 3
> thread: max_spare_servers = 10
> thread: max_requests_per_server = 0
> thread: cleanup_delay = 5
> Thread spawned new child 1. Total threads in pool: 1
> Thread spawned new child 2. Total threads in pool: 2
> Thread spawned new child 3. Total threads in pool: 3
> Thread spawned new child 4. Total threads in pool: 4
> Thread spawned new child 5. Total threads in pool: 5
> Thread pool initialized
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> Thread 1 waiting to be assigned a request
> Thread 2 waiting to be assigned a request
> Thread 3 waiting to be assigned a request
> Thread 4 waiting to be assigned a request
> Thread 5 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=78, length=183
> --- Walking the entire request list ---
> Waking up in 31 seconds...
> Threads: total/active/spare threads = 5/0/5
> Thread 1 got semaphore
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0x63444a5a8824a6668f0c4039b3fa9564
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020900261900170301001bbd4f0d6e5bb61569a12d5f373e1a1b958fda7a867f0e888ecf9134
> Message-Authenticator = 0x56fb29e69b4914d39ba20bf387f680a8
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> rlm_eap: EAP packet type response id 9 length 38
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Request not found in the list
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=80, length=148
> --- Walking the entire request list ---
> Sending Access-Reject of id 78 to 192.168.0.241:6001
> Waking up in 3 seconds...
> Thread 2 got semaphore
> Thread 2 handling request 1, (1 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0202001501686f73742f6a632d706f727461626c65
> Message-Authenticator = 0xdcb1aa29004ed8c0024d87e5ae730392
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> rlm_eap: EAP packet type response id 2 length 21
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 1
> modcall: group authenticate returns handled for request 1
> Sending Access-Challenge of id 80 to 192.168.0.241:6001
> EAP-Message = 0x010300061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xb1370512c2134397d46167c90c436dfc
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=82, length=148
> Waking up in 3 seconds...
> Thread 3 got semaphore
> Thread 3 handling request 2, (1 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0204001501686f73742f6a632d706f727461626c65
> Message-Authenticator = 0x86b9014b85796c9dad0ee194a308342f
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> rlm_eap: EAP packet type response id 4 length 21
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 2
> modcall: group authorize returns updated for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 82 to 192.168.0.241:6001
> EAP-Message = 0x010500061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xb2415a16262a21ddc793ddd7df3e6b56
> Finished request 2
> Going to the next request
> Thread 3 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=83, length=225
> Waking up in 3 seconds...
> Thread 4 got semaphore
> Thread 4 handling request 3, (1 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0xb2415a16262a21ddc793ddd7df3e6b56
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0205005019800000004616030100410100003d03014378cfdf419830adfee6d61196470d31ef4e27c9898752991ac8d739c98c90dd00001600040005000a000900640062000300060013001200630100
> Message-Authenticator = 0x7e1132c1cf086ce6fd6699bd8d559d4a
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> rlm_eap: EAP packet type response id 5 length 80
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 3
> modcall: group authorize returns updated for request 3
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> TLS_accept: SSLv3 write server done A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> rlm_eap_peap: EAPTLS_HANDLED
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 83 to 192.168.0.241:6001
> EAP-Message = 0x31305a170d3135313031393132313831305a30819431
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x727295dacda7c4f03237c3e2890645bb
> Finished request 3
> Going to the next request
> Thread 4 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=84, length=151
> Waking up in 3 seconds...
> Thread 5 got semaphore
> Thread 5 handling request 4, (1 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0x727295dacda7c4f03237c3e2890645bb
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020600061900
> Message-Authenticator = 0x59143a9a0ec6bad4aa8fc684fc8d07d4
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> rlm_eap: EAP packet type response id 6 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> modcall: group authorize returns updated for request 4
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> rlm_eap_peap: EAPTLS_HANDLED
> modcall[authenticate]: module "eap" returns handled for request 4
> modcall: group authenticate returns handled for request 4
> Sending Access-Challenge of id 84 to 192.168.0.241:6001
> EAP-Message = 0x43413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d820900be3106f507d71917300c0603551d13040530030101ff300d06092a864886f70d010104050003818100764f77d21ba3622c6b4dbf8f8ae3811fa3ca529c9296af0864fead9056512831a52a5d2a433c972c160a1fec8e697afccb3fb0f1a97cc7f66be6a00fd49623c3223c02b43130fdeb8e2cf17a33d7b543ad539993a815ea3306c833e2e2ebb3daae5b7d86a83861e836557fadfe54330b5e5e0ac9ea7c010c4ef63d96eca402ba16030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xe6854d631d98ad8078f595437b699ed5
> Finished request 4
> Going to the next request
> Thread 5 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=85, length=337
> Waking up in 3 seconds...
> Thread 1 got semaphore
> Thread 1 handling request 5, (2 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0xe6854d631d98ad8078f595437b699ed5
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020700c01980000000b616030100861000008200801457e62cff8615490eed4e0665ffb7133c3a2ae72fef6eb6a9d041a692979ec242b93f3fea9f7582479097249260c4c0000e297afeb2aff0cb764e5199ab788354cd8fb9e283eb4b769f8e866c65de9e324401b69024c1621c078ec2733981ad6f3d50d2aa89d4bc1becb7ef481416e0f43279020a2984b36f69e7635d1172bf1403010001011603010020e09b95b93a29e33826fd6e9525dae4b614ae1c03724484b97299e4ac0f57f9bf
> Message-Authenticator = 0x91f11375ef42bb822e45e6165f37ac0e
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> rlm_eap: EAP packet type response id 7 length 192
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 5
> modcall: group authorize returns updated for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> TLS_accept: SSLv3 read client key exchange A
> rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
> TLS_accept: SSLv3 read finished A
> rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
> TLS_accept: SSLv3 write change cipher spec A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
> TLS_accept: SSLv3 write finished A
> TLS_accept: SSLv3 flush data
> (other): SSL negotiation finished successfully
> SSL Connection Established
> eaptls_process returned 13
> rlm_eap_peap: EAPTLS_HANDLED
> modcall[authenticate]: module "eap" returns handled for request 5
> modcall: group authenticate returns handled for request 5
> Sending Access-Challenge of id 85 to 192.168.0.241:6001
> EAP-Message = 0x01080031190014030100010116030100209fc7116835f0ad29133a81d3d568b3aba897607858bba130f077538ea9dac86a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd5cba207907eb608a7ee5fcf484e8efd
> Finished request 5
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=86, length=151
> Waking up in 3 seconds...
> Thread 2 got semaphore
> Thread 2 handling request 6, (2 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0xd5cba207907eb608a7ee5fcf484e8efd
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020800061900
> Message-Authenticator = 0x0c15a09ec13c9eb95faab11fcc7af68e
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 6
> rlm_eap: EAP packet type response id 8 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 6
> modcall: group authorize returns updated for request 6
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake is finished
> eaptls_verify returned 3
> eaptls_process returned 3
> rlm_eap_peap: EAPTLS_SUCCESS
> modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 86 to 192.168.0.241:6001
> EAP-Message = 0x01090020190017030100152a5280ecf8347a21ee80a3b9676dfb0eb75e798bce
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4202ad4ac8fcc2cd7198fc3716666451
> Finished request 6
> Going to the next request
> Thread 2 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=87, length=189
> Waking up in 3 seconds...
> Thread 3 got semaphore
> Thread 3 handling request 7, (2 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0x4202ad4ac8fcc2cd7198fc3716666451
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0209002c190017030100215a4e16cf9683342f73c4850aa16470f58f918fad8b21ca3946157af835e1d7034a
> Message-Authenticator = 0x0eb5e8e55449b200cdd28e2a11c52a3a
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> rlm_eap: EAP packet type response id 9 length 44
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Identity - host/portable
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Got tunneled EAP-Message
> EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65
> PEAP: Got tunneled identity of host/portable
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to host/portable
> PEAP: Sending tunneled request
> EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/portable"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> rlm_eap: EAP packet type response id 9 length 21
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: EAP Identity
> rlm_eap: processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> modcall[authenticate]: module "eap" returns handled for request 7
> modcall: group authenticate returns handled for request 7
> PEAP: Got tunneled reply RADIUS code 11
> EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd41587fcd15cf9a726e2e859d35310f1
> PEAP: Processing from tunneled session code 0x81951c0 11
> EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd41587fcd15cf9a726e2e859d35310f1
> PEAP: Got tunneled Access-Challenge
> modcall[authenticate]: module "eap" returns handled for request 7
> modcall: group authenticate returns handled for request 7
> Sending Access-Challenge of id 87 to 192.168.0.241:6001
> EAP-Message = 0x010a00411900170301003676b1c5b2f7bab5bab11766300da96cccfa4d23076b6812ed6e0eb9938df2274a70569cca9911185283330ae5569bfea386e8cf914978
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x7947de392fecc9fcd50a38604fcbefe9
> Finished request 7
> Going to the next request
> Thread 3 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=88, length=243
> Waking up in 3 seconds...
> Thread 4 got semaphore
> Thread 4 handling request 8, (2 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0x7947de392fecc9fcd50a38604fcbefe9
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020a0062190017030100571584c7104c035d46872460ac212f4a12a31bd3d29fef43aabdc520f419e98d318932baa71b0ae64ac3e134c01ab2f3fd096f8bbe0becb6f60e778b093391a5fb1b50f9393b59f37731e3da9f3579d40d9f7ba36fe64f0b
> Message-Authenticator = 0x19bb8e5ba237a8e9605a55b66b80de62
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 8
> rlm_eap: EAP packet type response id 10 length 98
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 8
> modcall: group authorize returns updated for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Got tunneled EAP-Message
> EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65
> PEAP: Setting User-Name to host/portable
> PEAP: Adding old state with d4 15
> PEAP: Sending tunneled request
> EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/portable"
> State = 0xd41587fcd15cf9a726e2e859d35310f1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 8
> rlm_eap: EAP packet type response id 10 length 75
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 8
> modcall: group authorize returns updated for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 8
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/portable with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
> rlm_mschap: setting NT-Domain to same as machine name
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: bf
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat: '/usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264'
> Exec-Program: /usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 8
> modcall: group Auth-Type returns reject for request 8
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 8
> modcall: group authenticate returns reject for request 8
> auth: Failed to validate the user.
> PEAP: Got tunneled reply RADIUS code 3
> MS-CHAP-Error = "\nE=691 R=1"
> EAP-Message = 0x040a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> PEAP: Processing from tunneled session code 0x8195280 3
> MS-CHAP-Error = "\nE=691 R=1"
> EAP-Message = 0x040a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
> modcall[authenticate]: module "eap" returns handled for request 8
> modcall: group authenticate returns handled for request 8
> Sending Access-Challenge of id 88 to 192.168.0.241:6001
> EAP-Message = 0x010b00261900170301001bf03c106f745ae7e8df43eebd86e1be9651f19be2cad5ec89778e98
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x3acf7124cf49bb8a96cb38a5b1cbf543
> Finished request 8
> Going to the next request
> Thread 4 waiting to be assigned a request
> rad_recv: Access-Request packet from host 192.168.0.241:6001, id=89, length=183
> Waking up in 3 seconds...
> Thread 5 got semaphore
> Thread 5 handling request 9, (2 handled so far)
> User-Name = "host/portable"
> NAS-IP-Address = 192.168.0.241
> Called-Station-Id = "00-20-a6-56-73-76:TEST"
> Calling-Station-Id = "00-20-a6-57-83-f2"
> NAS-Identifier = "AP01"
> State = 0x3acf7124cf49bb8a96cb38a5b1cbf543
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020b00261900170301001ba0d84d961a8c8810ba0963241386597ec460318e3f2af1d0559b05
> Message-Authenticator = 0x9f5299f265c8eb3c68a210a7dc54782e
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 9
> rlm_eap: EAP packet type response id 11 length 38
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 9
> modcall: group authorize returns updated for request 9
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 9
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 9
> modcall: group authenticate returns invalid for request 9
> auth: Failed to validate the user.
> Delaying request 9 for 1 seconds
> Finished request 9
> Going to the next request
> Thread 5 waiting to be assigned a request
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
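A triage helper for the symptom described in the reply above, as an added example that is not part of the original messages or of FreeRADIUS: it pulls each `ntlm_auth` call out of pasted debug output (mail-quoted or not) and flags a `host/` identity with no domain part, the NT-Domain fallback, and the `0xc000006d` logon failure. The function names and finding labels are assumptions made for this example; the sample lines are copied from the quoted log.

```python
import re

# Constructed sample: lines copied from the debug log quoted in this thread.
SAMPLE_LOG = """\
> rlm_mschap: Told to do MS-CHAPv2 for host/portable with NT-Password
> rlm_mschap: setting NT-Domain to same as machine name
> Exec-Program: /usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program: returned: 1
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # mail-quote prefix, if pasted from a reply
IDENTITY = re.compile(r"Told to do MS-CHAPv2 for (\S+) with")
EXEC = re.compile(r"^Exec-Program: (\S*ntlm_auth)\s+(.*)$")
OUTPUT = re.compile(r"^Exec-Program output: (.*)$")
FALLBACK = "setting NT-Domain to same as machine name"


def parse_attempts(log_text):
    """Return one dict per ntlm_auth invocation found in radiusd debug output."""
    attempts, identity, fallback = [], None, False
    for raw in log_text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = IDENTITY.search(line)
        if m:
            # A new MS-CHAPv2 attempt starts; forget the previous fallback flag.
            identity, fallback = m.group(1), False
            continue
        if FALLBACK in line:
            fallback = True
            continue
        m = EXEC.match(line)
        if m:
            # Keep only --key=value options (skips --request-nt-key).
            opts = dict(
                tok[2:].split("=", 1)
                for tok in m.group(2).split()
                if tok.startswith("--") and "=" in tok
            )
            attempts.append({
                "identity": identity,
                "fallback": fallback,
                "username": opts.get("username", ""),
                "domain": opts.get("domain", ""),
                "result": None,
            })
            continue
        m = OUTPUT.match(line)
        if m and attempts and attempts[-1]["result"] is None:
            attempts[-1]["result"] = m.group(1)
    return attempts


def diagnose(attempt):
    """Map one attempt to the symptoms discussed in the reply."""
    notes = []
    ident = attempt["identity"] or ""
    user, domain = attempt["username"], attempt["domain"]
    # Windows sent only the machine name, with no domain part after it.
    if ident.startswith("host/") and "." not in ident[5:]:
        notes.append("identity-not-fqdn")
    # rlm_mschap reused the machine name as the NT domain.
    if attempt["fallback"] or (
        user.endswith("$") and user[:-1].lower() == domain.lower()
    ):
        notes.append("domain-equals-machine-name")
    # NTSTATUS value printed by ntlm_auth in the log above.
    if attempt["result"] and "0xc000006d" in attempt["result"].lower():
        notes.append("logon-failure")
    return notes


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["identity"], a["username"], a["domain"], a["result"], diagnose(a))
```
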