Need help with 802.1X authentication to Active Directory

tnt at kalik.co.yu tnt at kalik.co.yu
Wed Jun 20 01:17:34 CEST 2007


>rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168,
>length=137
>        User-Name = "CORP\\bugman"
>        Service-Type = Framed-User
>        Framed-MTU = 1500
>        Called-Station-Id = "00-0F-34-A8-FB-0A"
>        Calling-Station-Id = "00-14-38-A7-F4-2B"
>        EAP-Message = 0x0202001001434f52505c6275676d616e
>        Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0
>        NAS-Port = 50010
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address = 10.10.2.174
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 6
>  modcall[authorize]: module "preprocess" returns ok for request 6
>  modcall[authorize]: module "chap" returns noop for request 6
>  modcall[authorize]: module "mschap" returns noop for request 6
>    rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 6
>    rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman"
>    rlm_realm: No such realm "CORP"
>  modcall[authorize]: module "ntdomain" returns noop for request 6
>  rlm_eap: EAP packet type response id 2 length 16
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 6
>    users: Matched entry DEFAULT at line 152
>    users: Matched entry DEFAULT at line 171
>  modcall[authorize]: module "files" returns ok for request 6
>modcall: leaving group authorize (returns updated) for request 6
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 6
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>  modcall[authenticate]: module "eap" returns handled for request 6
>modcall: leaving group authenticate (returns handled) for request 6
>Sending Access-Challenge of id 168 to 10.10.2.174 port 21645
>        Framed-IP-Address = 255.255.255.254
>        Framed-MTU = 576
>        Service-Type = Framed-User
>        EAP-Message = 0x010300061920
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x6b41a15d99600d47f03b461bf870cbb6
>Finished request 6
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168,
>length=137
>Sending duplicate reply to client 10.10.2.174:21645 - ID: 168
>Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Cleaning up request 6 ID 168 with timestamp 46782c03
>Nothing to do.  Sleeping until we see a request.
>

OK, you send a request, the server sends a challenge ... and then nothing
happens. The request is repeated, and so is the challenge. Have you installed
the (self-signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP




More information about the Freeradius-Users mailing list