Active directory and MS-CHAP Authentication.
Antonio Matera
antonio.matera at create-net.it
Wed May 10 10:29:46 CEST 2006
Hallo, thanks for your answer.
Now I post all my configuration and log, in this way I suppose that is
much easy understand my problem.
my eap.conf file is:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/masterkeys2/cert-srv.pem
certificate_file = ${raddbdir}/certs/masterkeys2/cert-srv.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/masterkeys2/root.pem
CA_path = ${raddbdir}/certs/masterkeys2/
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
# Check the Certificate Revocation List
check_crl = yes
check_cert_cn = %{User-Name}
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
#use_tunneled_reply = no
# proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
}
I have a EAP-TLS configuration but I suppose that it isn't a problem.
The radiusd.conf file has:
mschap {
authtype = MS-CHAP
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
authorize {
preprocess
mschap
suffix
#eap
files
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
#eap
}
I don't know if I have to insert in the authorize and authenticate
module eap. Whitout it I have this log:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x2f697be434714d8586f8cc481b01874f
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "291"
NAS-Port = 291
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client ap-test-ivan port 291 cli 000c.f135.f1ba)
Delaying request 0 for 1 seconds
Finished request 0
and with eap I have:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.20.2 IP address [192.168.20.2]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = ""
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
ldap: basedn = "dc=create-net,dc=org"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x8e63138
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/"
tls: pem_file_type = yes
tls: private_key_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: certificate_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.20.2:1812
Listening on accounting 192.168.20.2:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=45,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x013d2a6afd29bd2556daee278fe075b4
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "267"
NAS-Port = 267
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client ap-test-ivan port 267 cli 000c.f135.f1ba)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 45 to 192.168.20.4 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 45 with timestamp 446198f5
Nothing to do. Sleeping until we see a request.
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.20.2 IP address [192.168.20.2]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/"
tls: pem_file_type = yes
tls: private_key_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: certificate_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.20.2:1812
Listening on accounting 192.168.20.2:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=85,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0xdd3a1e5aaa36d303e7009f7e1f2da8d7
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "283"
NAS-Port = 283
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform
requested action.
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client ap-test-ivan port 283 cli 000c.f135.f1ba)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=86,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x63937b177de95f58fc530d735cd24806
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "284"
NAS-Port = 284
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform
requested action.
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client ap-test-ivan port 284 cli 000c.f135.f1ba)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 85 to 192.168.20.4 port 1645
Sending Access-Reject of id 86 to 192.168.20.4 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 85 with timestamp 44619a3e
Cleaning up request 1 ID 86 with timestamp 44619a3e
Nothing to do. Sleeping until we see a request.
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.20.2 IP address [192.168.20.2]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/"
tls: pem_file_type = yes
tls: private_key_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: certificate_file =
"/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.20.2:1812
Listening on accounting 192.168.20.2:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=116,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x4689ca731f1671fe47b9e772ba963b3b
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 116 to 192.168.20.4 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7078d497654015d4e9ffac34c1f69dba
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=117,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x67d07687e13a023149efa9d5209569f7
EAP-Message = 0x020200060319
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0x7078d497654015d4e9ffac34c1f69dba
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 117 to 192.168.20.4 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x214439adc1f5064d306391aa74819e33
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=118,
length=281
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x3a743361e356903d37d8a39d97abf926
EAP-Message =
0x0203006a198000000060160301005b01000057030144619b897b6ae039294c3a2335211479a1c27d2d9ed2b81220b04ffd33e89ad100003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0x214439adc1f5064d306391aa74819e33
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 118 to 192.168.20.4 port 1645
EAP-Message =
0x0104040a19c0000006d0160301004a02000046030144619b6ab0457599907bd0dfbdff0a0df822e2b23393a73181d9d8ca10968a3120e94aa539ca0a5176b10d0e535d7edfb5651373eb94b935018ba68f15f97906fc00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d
EAP-Message =
0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804
EAP-Message =
0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0
EAP-Message =
0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130
EAP-Message = 0x30305a170d3038303331343135313030305a30819431
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcdade1c297ef345ee14a30af41907d95
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=119,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0xc81faebb51a4b05feb72e6f30de54232
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0xcdade1c297ef345ee14a30af41907d95
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 119 to 192.168.20.4 port 1645
EAP-Message =
0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf
EAP-Message =
0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609
EAP-Message =
0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1b33ebf766f32bd02ac1218c6ab0773
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=120,
length=383
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x09b15accb2d5990b246e768358f7c62f
EAP-Message =
0x020500d01980000000c6160301008610000082008011c4672df05a1702efe782790a045aa376013e71a9bf0e35f33bc5c4e4e5c2ea8fd014f588a822d0628db20071571b4940ddf8ab60b5dc837b111a12dbbf51ad8d1c173b0fa3c928c6364496abe68b4f57948ec2187c9f5492dc752115bf1756bd97ed1105e4f9d4e4fddfa597003a4a54134ff46d88b5cb6a8088b68eb322bc1403010001011603010030bbd76fd1e8317c2d8da5de1e73dbd24aabfb92fc2f5abd33d1f542a0b2a47e91e91e4e1ac4bb838e368a9a7397fe7edf
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0xd1b33ebf766f32bd02ac1218c6ab0773
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 5 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 120 to 192.168.20.4 port 1645
EAP-Message =
0x01060041190014030100010116030100301c68c162410a59004fc3222c41efc32b11ab9c2d2f37ca2ec06a92265d2c69191d2136aa5059ff8ae838241bc84f795b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x794f9dc43c91b1671a730e2975cdd639
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=121,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x2ed02e409d91ef49bc159389d745f9f8
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0x794f9dc43c91b1671a730e2975cdd639
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 121 to 192.168.20.4 port 1645
EAP-Message =
0x0107005019001703010020bbd90b904dc723d66d36fd1af4b58c6c65bb025370acf98a7f1af4a0bd93b9e617030100207e05857c1d290580b581c571201394893630a8db7785104f6d4e55f3475fd2b1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8d74feb3df35c485dc76d9fb5357ec3
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=122,
length=271
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0xad718ebf13b1257f31d18c5022aff07f
EAP-Message =
0x02070060190017030100202129be555177c48c3f5141721ab34827949098e33876273cb5693ff7f446a57a1703010030c7a61433edd0219c0a366026eba728bbe63c5d32943c35fbb4d01072a12959e7893e7c109f2dde239212a7bf41f3af7f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "298"
NAS-Port = 298
State = 0xa8d74feb3df35c485dc76d9fb5357ec3
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - create-net\antonio
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of create-net\antonio
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to create-net\antonio
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 122 to 192.168.20.4 port 1645
EAP-Message =
0x0108007019001703010020b131c7991eef9cae67c0bae03404fed5be8df806097f0fec54b78cb1a3309af21703010040c1ee99a53bcab8e374839925aadabe538a814e8273c14740fd398b7545ef80f411c1e85e9079c18362cf4293464db334d17a9fa0dba80cdaa1518c91a441a6df
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x75b845e17e1fcb6b158bd81702b47466
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=123,
length=180
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x5635b56a303a83e59e60521981978c54
EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 1 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "files" returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 123 to 192.168.20.4 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=124,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x2a84b8c8a791aa8589bb7ddbd8ec6f9f
EAP-Message = 0x020200060319
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall[authorize]: module "files" returns notfound for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 8
modcall: leaving group authenticate (returns handled) for request 8
Sending Access-Challenge of id 124 to 192.168.20.4 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6f00b2c41be51dfe80e655278ffd38f4
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=125,
length=281
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x8996c98463dcc86342f01ea0d24a6e7d
EAP-Message =
0x0203006a198000000060160301005b01000057030144619b89eb4b209dee29c3968727bf23ff7d96e1332df693ca83f4de07d6681900003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x6f00b2c41be51dfe80e655278ffd38f4
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: EAP packet type response id 3 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
modcall[authorize]: module "files" returns notfound for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 9
modcall: leaving group authenticate (returns handled) for request 9
Sending Access-Challenge of id 125 to 192.168.20.4 port 1645
EAP-Message =
0x0104040a19c0000006d0160301004a02000046030144619b6a4b02a7512ba70b82ededf45a470e12e67bcd95dcbe33366b3a8479f02056e4158900eeaae4d8ab9228e74c3f3a88d3711eab4bf4f82a7de25858ba41eb00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d
EAP-Message =
0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804
EAP-Message =
0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0
EAP-Message =
0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130
EAP-Message = 0x30305a170d3038303331343135313030305a30819431
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0020158401d472c8bf55c967ad21e856
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=126,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x39ad505b2b5565d68799b3661a00690e
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x0020158401d472c8bf55c967ad21e856
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 10
modcall[authorize]: module "files" returns notfound for request 10
modcall: leaving group authorize (returns updated) for request 10
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 10
modcall: leaving group authenticate (returns handled) for request 10
Sending Access-Challenge of id 126 to 192.168.20.4 port 1645
EAP-Message =
0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf
EAP-Message =
0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609
EAP-Message =
0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fb344f276334e17c5366c08afd9f1e7
Finished request 10
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=127,
length=383
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x4466cca9dbdd714fa57d213f35b88d17
EAP-Message =
0x020500d01980000000c616030100861000008200809e775e311f66f680ff5091fb907861d20ee14e886af13ca3ec929ad8362962f5a858e0abbdce80c4da61fa91a2a24ea7011e31002caf80f1b808b5758fcb32ebf72808ebfde666677f9ab22e4d4cc6e0219549c2377d8738e68d0ba7b08c1ac915c3a51fd920115852bf11be419c372677bcda9e2b66dbcb2697f1d01891a5f914030100010116030100306eb490fbc5228bb610320535ac44e66fbab19132096b6e1de47d20205b750803b6c9fa5276394c65fd8004a84ba332f9
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x6fb344f276334e17c5366c08afd9f1e7
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
modcall[authorize]: module "preprocess" returns ok for request 11
modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 11
rlm_eap: EAP packet type response id 5 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 11
modcall[authorize]: module "files" returns notfound for request 11
modcall: leaving group authorize (returns updated) for request 11
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 11
modcall: leaving group authenticate (returns handled) for request 11
Sending Access-Challenge of id 127 to 192.168.20.4 port 1645
EAP-Message =
0x010600411900140301000101160301003095c113681002b9ebab907a6687261e0bb2ef1ef69552ca17be310c06ec73b907fb2e6454eb09922ba34b384d5fb436f2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x553761a5a78cfa8b5274698ffadd6a1e
Finished request 11
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=128,
length=181
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0xa59d5be2c35c3d931e4391f2457867ec
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x553761a5a78cfa8b5274698ffadd6a1e
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
modcall[authorize]: module "preprocess" returns ok for request 12
modcall[authorize]: module "mschap" returns noop for request 12
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 12
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 12
modcall[authorize]: module "files" returns notfound for request 12
modcall: leaving group authorize (returns updated) for request 12
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 12
modcall: leaving group authenticate (returns handled) for request 12
Sending Access-Challenge of id 128 to 192.168.20.4 port 1645
EAP-Message =
0x0107005019001703010020e0bff9b284ec84452a7efb49123ef5db591bed955b9706c0232d7531bf46dc10170301002093712e7c24cd9752530af1f2e3acac9f7a87f926311592daf2cbfbbd9e345699
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd97101c4f9c28ba2350124da55c59ec3
Finished request 12
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=129,
length=271
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x033b89d322ba7fa0a3ad46d470f69119
EAP-Message =
0x0207006019001703010020c11e3555238ee4ad15cc9f6d2c7e57ac822481dbbf6014443a504a599e5edfc7170301003093ce7a947886a076c151050cac65b260f87273a86177b9475d86e5d3493aa0c577ab18a204f09380c2484d7d4a267782
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0xd97101c4f9c28ba2350124da55c59ec3
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 13
rlm_eap: EAP packet type response id 7 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 13
modcall[authorize]: module "files" returns notfound for request 13
modcall: leaving group authorize (returns updated) for request 13
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - create-net\antonio
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of create-net\antonio
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to create-net\antonio
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 13
rlm_eap: EAP packet type response id 7 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 13
modcall[authorize]: module "files" returns notfound for request 13
modcall: leaving group authorize (returns updated) for request 13
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 13
modcall: leaving group authenticate (returns handled) for request 13
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 13
modcall: leaving group authenticate (returns handled) for request 13
Sending Access-Challenge of id 129 to 192.168.20.4 port 1645
EAP-Message =
0x0108007019001703010020c29c4d290cf573a17108c95ff8a439dbd0fffa49d72f2f0b28e2273b0102a6fd1703010040dea801076b9a22410691839215ef52879139b8898ab28457921cc3827c52faf8ddb0cb0e50abc1b5083013c6ea9624c0d11857f52be415423bbcbf7d65f62c6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x95075d4dcb79ab0ebdacb9728c3494f8
Finished request 13
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=130,
length=319
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x71f9a58ea58241a92054f4a7e8d6c00d
EAP-Message =
0x0208009019001703010020594a88c304d09eb0732b89e79ba40b1ee4ecaf0712f342791d3d606c3cb424de17030100601ea441d59af9832c3de109c77fb79c76a1493d909043a3acc1f23445b396e6f25521925847409f203f7c548b29aa9349c88471a6809833e226d9881344051afebd1cc7c1f1e74570529103c2ea9392f3d8a0402811ec5572664e39c2f8c146c1
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0x95075d4dcb79ab0ebdacb9728c3494f8
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
modcall[authorize]: module "mschap" returns noop for request 14
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 14
rlm_eap: EAP packet type response id 8 length 144
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 14
modcall[authorize]: module "files" returns notfound for request 14
modcall: leaving group authorize (returns updated) for request 14
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to create-net\antonio
PEAP: Adding old state with da 5f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
modcall[authorize]: module "mschap" returns noop for request 14
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 14
rlm_eap: EAP packet type response id 8 length 77
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 14
modcall[authorize]: module "files" returns notfound for request 14
modcall: leaving group authorize (returns updated) for request 14
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 14
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for antonio with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
mschap2: 6b
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=create-net
--username=antonio --challenge=bede046aa1e50281
--nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net
--username=antonio --challenge=bede046aa1e50281
--nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 14
modcall: leaving group MS-CHAP (returns reject) for request 14
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 14
modcall: leaving group authenticate (returns reject) for request 14
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client cn-radius port 299 cli 000c.f135.f1ba)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 14
modcall: leaving group authenticate (returns handled) for request 14
Sending Access-Challenge of id 130 to 192.168.20.4 port 1645
EAP-Message =
0x010900501900170301002017a8c7804c669134ce5470ff557afd425785018a89d3ae565641ae49bef6202d1703010020831e156b1ccfdea1032f92c0db9352fb820d192298c99780d36351a961d6462c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8399f25420353544f29a1769a77b43
Finished request 14
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131,
length=255
User-Name = "create-net\\antonio"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=cn-test"
Service-Type = Login-User
Message-Authenticator = 0x23d6eafb525a98891ed7910a6ec48442
EAP-Message =
0x02090050190017030100209210f7668d2920dbf89af8cd2c06ca059afa741dc2e78e21c8a0233501bcf4bf170301002090034080f6f9c21882ca088401957fdfc84942b8ca82179176efc2eb1e0f4f96
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "299"
NAS-Port = 299
State = 0xcd8399f25420353544f29a1769a77b43
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
modcall[authorize]: module "mschap" returns noop for request 15
rlm_realm: No '@' in User-Name = "create-net\antonio", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
modcall[authorize]: module "files" returns notfound for request 15
modcall: leaving group authorize (returns updated) for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 15
modcall: leaving group authenticate (returns invalid) for request 15
auth: Failed to validate the user.
Login incorrect: [create-net\\antonio/<no User-Password attribute>]
(from client ap-test-ivan port 299 cli 000c.f135.f1ba)
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131,
length=255
Sending Access-Reject of id 131 to 192.168.20.4 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
In this case I have a radius_xlat entry with the ntlm_auth request, but
it is rejected.
Can you help me?
Thanks bye Antonio
on 09/05/2006 18.26 Alan DeKok said the following:
>
>> If I insert in the users file "DEFAULT Auth-Type := MS-CHAP", in the log
>> file I read this error:
>
> Which is why the documentation says to NOT set Auth-Type.
>
> You didn't post the rest of the debug log (i.e. the packet), but
> it's obvious what's happening. The server is getting a packet without
> ms-chap, and you told it to do ms-chap, so it doesn't work.
>
> The solution is don't break the configuration of the server.
>
>> If I remove the DAFAULT user in the users file in the log I can't find a
>> mschap authentication and the user is reject.
>
> I doubt that very much. The default config works.
>
> If you're using "radtest", then it doesn't do ms-chap
> authentication, so you can't use it to test ms-chap on the server.
> You have to use another client.
>
> Alan DeKok.
More information about the Freeradius-Users
mailing list