FreeRadius 2.0.5 AD PEAP

Brooks, Kyle Kyle.Brooks at nrc-cnrc.gc.ca
Thu Aug 14 16:57:38 CEST 2008


This is a follow-up to 'FreeRadius 2.0.3 setup help' from Jul 27.

We have tested with certificates generated by the certificate creation
scripts and with WinCA-signed certificates; both give the same result, an
Access-Challenge. We have tested with both a Windows XP client and a Linux
client, again with the same result. We are using Cisco switches.
What am I missing? We have provided the debug output and the radiusd.conf
and eap.conf files.

FreeRADIUS Version 2.0.5, for host i386-redhat-linux-gnu, built on Jul
30 2008 at 10:41:14
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = root
user = root
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client 10.0.1.9 {
	require_message_authenticator = no
	secret = "c3750test"
	shortname = "switch-man-lan"
	nastype = "cisco"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth+acct"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_check = "none"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm ads.****.org {
	authhost = LOCAL
	accthost = LOCAL
 }
 realm **** {
	authhost = LOCAL
	accthost = LOCAL
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan
"
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = no
	require_encryption = yes
	require_strong = no
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=****
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "cnsradius"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "gtc"
	copy_request_to_tunnel = yes
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
	server = "cnsad.ads.****.org"
	port = 3268
	password = "3MFmqw_6f"
	identity = "bckup at ads.****.org"
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"
   }
	basedn = "dc=ads,dc=****,dc=org"
	filter = "(&(samaccountName=%{mschap:User-Name}))"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	groupmembership_attribute = "memberOf"
	dictionary_mapping = "/etc/raddb/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file
/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x9b846b0
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
main {
	snmp = no
	smux_password = ""
	snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=143,
length=135
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message = 0x028a000f016272616462726f6f6b63
	Message-Authenticator = 0xb0b894efc68bbcc34ff27f2d91c75d2b
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 138 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
	expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org
	expand: (&(samaccountName=%{mschap:User-Name})) ->
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cnsad.ads.****.org:3268, authentication 0
rlm_ldap: bind as bckup at ads.****.org/3MFmqw_6f to
cnsad.ads.****.org:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_release_conn: Release Id: 0
	expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro
upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName
s)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=
GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Bradbrooke\,
Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(objectclass=*)
rlm_ldap: performing search in
CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(cn=RCNS-Group)
rlm_ldap::ldap_groupcmp: User found in group RCNS-Group
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 203
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 143 to 10.0.1.9 port 1645
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Type:0 = VLAN
	Tunnel-Private-Group-Id:0 = "254"
	EAP-Message = 0x018b00061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5c731c7cb75d3413cdb392a6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=144,
length=231
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message =
0x028b005d190016030100520100004e030148a43cc9f896abde9b7d71450c10c37c2be3
0121f136d9348559c14ecffb0ed600002600390038003500160013000a00330032002f00
05000400150012000900140011000800060003020100
	Message-Authenticator = 0xbe78ac8d63ad8a6efb21e2118aad45c7
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f5c731c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 139 length 93
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 081f], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
    TLS_accept: SSLv3 write key exchange A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 144 to 10.0.1.9 port 1645
	EAP-Message =
0x018c040019c000000a8e160301004a02000046030148a43caa449ef77ad477974fbe9b
7b860df9b8e0fbd2b2c5cbd1f00dfa86a30720f5f9c4c259241c6687264f0fafe922821d
99a377f1d49093dfab4d669132e8e7003901160301081f0b00081b00081800038e308203
8a30820272a003020102020101300d06092a864886f70d0101040500308186310b300906
0355040613024341310b30090603550408130241423111300f0603550407130845646d6f
6e746f6e310d300b060355040a13044e494e543120301e06092a864886f70d0109011611
61646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520
4365
	EAP-Message =
0x72746966696361746520417574686f72697479301e170d303830383133313833303533
5a170d3039303831333138333035335a3071310b3009060355040613024341310b300906
0355040813024142310d300b060355040a13044e494e54311430120603550403130b636e
7372616469757330323130302e06092a864886f70d0109011621436861726c65732e4272
616462726f6f6b65406e72632d636e72632e67632e636130820122300d06092a864886f7
0d01010105000382010f003082010a0282010100c57ab80d08bdc0ca54b7545f240b4cc0
a2166402a93b8e578a2136da9fd3749df72fddbbc22a6e1b40d1e44631fb755849d5fa46
2cd5
	EAP-Message =
0x01835196ab0bd72e7d6e07dabbffc24bfc00f73af318eeeccdb2e5c099af4134e9e543
6e4e06695b66c29957768971327b282e47b2a6faf5020f0dca1bdabaf258059f730843ac
8de91f3fc12d3291d181b19afeed7bf8e8f9b70b0110956582798e330f2809ecbba54109
defc30042f3f5f7ce6da188fc41e3c24e3da978c0d08255384fc1e02075c8ebf180dd79e
2dad38fc6dbb30caf54f96528fafea44506e6740ada51d659b2ac6bed389cce7f1f50782
4f343fe555cba46703e00440cc3d67b2162c87e9b7dba50203010001a317301530130603
551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101
0083
	EAP-Message =
0xc40faab28bad5cc1c60c4dd066cc11beb1b42643d81ad4f0cc2a42f95b013d146fe581
29632e76877f82d87affc875de8b80f3180ccedfa083a1b5c561faea5c3537fcfc7cfe76
90f7b233d48bbb2069197a56cc39d764ebc830c8479c4a9c468922acac9b5e6088f4057b
f4960d3e4cfbbd949c14e6ce22ea20d91486c3f41f6d8f59ebd6cae90ef68e791e424793
d16cee554857e8fc9e8caf5b68b93fd039ecb8e3dbe62bbcfbf162383a2a8116b12dc744
12768d2d61192fc0462c93cdf00797e97f666ed27b7ce3aaa42f7d6a473767dc8d29dbd9
b723aa0b4ba377b5ca35dcd700c58f7e37ec1610f9fd1c65e4713a8d2e19e4d38e33a100
adf0
	EAP-Message = 0x41c300048430820480308203
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5d741c7cb75d3413cdb392a6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=145,
length=144
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message = 0x028c00061900
	Message-Authenticator = 0xe44235d5f951628eb87fba1604cedccd
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f5d741c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 140 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 145 to 10.0.1.9 port 1645
	EAP-Message =
0x018d03fc194068a003020102020900f4b9b2ef3de44dfe300d06092a864886f70d0101
050500308186310b3009060355040613024341310b30090603550408130241423111300f
0603550407130845646d6f6e746f6e310d300b060355040a13044e494e543120301e0609
2a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504
03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d
3038303831333138333035335a170d3038303931323138333035335a308186310b300906
0355040613024341310b30090603550408130241423111300f0603550407130845646d6f
6e74
	EAP-Message =
0x6f6e310d300b060355040a13044e494e543120301e06092a864886f70d010901161161
646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043
6572746966696361746520417574686f7269747930820122300d06092a864886f70d0101
0105000382010f003082010a0282010100d29105b3d7fc51a9c7d98e0b5c177d7905a464
677a17f9fc2858a6143289f73384bfd87de5b4f809b4bfc9d3a18d2822b835c0708151e1
e22ec35cc3f90e03db24fb5b13fe3cb38d821c125db42e615c2d3b647f77123a268eea47
04dfe893242ddff5db3530cce2370975a519e1bd0a221062da59a22ba9066f03d775a489
4daa
	EAP-Message =
0xdbfc9f026e2aaeeac3c74f9a67439ce416228c3aa71c276c7458621c547a727a67e7a5
387e2ff87c314f4c466478d11399e1201b04d6e482d4047b33f4783a67fa6e54c4b607ce
89b5d5e2f44ff9eed48897cd8c40b49b147ae1b875f2b802bb2509fb410079a8cfbdbb82
3cff3db4adc4b57867900f6510aab632ef0040ad0203010001a381ee3081eb301d060355
1d0e0416041491a79064dca6caafd9eca4feb23ec538946597383081bb0603551d230481
b33081b0801491a79064dca6caafd9eca4feb23ec53894659738a1818ca4818930818631
0b3009060355040613024341310b30090603550408130241423111300f06035504071308
4564
	EAP-Message =
0x6d6f6e746f6e310d300b060355040a13044e494e543120301e06092a864886f70d0109
01161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d70
6c6520436572746966696361746520417574686f72697479820900f4b9b2ef3de44dfe30
0c0603551d13040530030101ff300d06092a864886f70d01010505000382010100bfc74d
ef2a575a64195a7339a20f437c1e35472f31468bb932ef2fea64b713c430a45546dac8ac
d3f182aeb33b282342fcd96376f02eeddfc9630d61a5db664a99b90aabcda8bf77d14797
dace0dfdb524714b43b6188e7d48b67fed7f03ba88fd275d8dd0b22b2508c62cd0fdc83c
4c82
	EAP-Message = 0x153901ede4159d53
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5e751c7cb75d3413cdb392a6
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=146,
length=144
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message = 0x028d00061900
	Message-Authenticator = 0x23e3dd8f009687ee99c8bcbf0fd46215
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f5e751c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 141 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 146 to 10.0.1.9 port 1645
	EAP-Message =
0x018e02a81900e1b75b6faa7c88dad6b3e62540575b9a78c81727403426b6c2421e2dac
4d75ea2e7ca267fdc0b837d7fc638fda3cfd04640368538c5eb68729161be53d3e805e03
20a7ab84e785de8caff26b40fbba358f2dd1a5a072798f948fb2d3fce302a8e06e19829a
5c7a7530b04793b02014fff7742ebb9d493478cd09e0fb8beaca7699694c77492bc11603
01020d0c0002090080afa9699bb948224d23912763c0ba347734b56a9d657c7def80ecf8
a632911af0a8e733d6a9e211fda817981da44b5fb369519cb7ee82f442cb5132b2baf4a0
db056f68adf026afefbb1a7ad74433aeae8203a8dd709b80e935aad155c1d3d1bdb7615d
3f90
	EAP-Message =
0xd81bb1b1c6b533da114b242f7ae20de085e7ef7970ec914c4de01b0001020080aee726
6211cfb1b1c2de5229ff1965f4dfd4a5ec4a88bf981a440b81b1e35d35c3ffaaf7ac1c17
c436c8f31150f80374c864ce8902d5fc10b912e5b670c5186b55f34c37b78e091885cc13
2def7465c367f65ef074967db6d73c7b2ac8b6308b2a9bd12432c34ac7b553e1c7b38691
3e2f524a5c7629e199bbc139a95e33a530010025c966932e245809cc99114c9b6006ecf3
45a19e0b3eb075f671d80524eb4796ebc9f4335e20dccbbb1efbab6914afca7276a8b884
01fd7a643511b96d6c37746fa777d93b8e9bd0454ddd30170ddfaa4d38229946ee377caf
3f2e
	EAP-Message =
0x44c10c17c69d72eecdd4cd86e4370eb90b8670c9fffb2b886aaf4d868b0deb87b50cc9
b1c1940536c65e952c8c43a1f6307331bc5365b9ffd6dbd75ec553ed942587da7733ea7a
a0da0f26bcc92e75320ad0d64eb825ff5eb4773eb321ed16294c6c00ac326ad5897f5753
1040743401aa524455a2f9158265537a2ab7ac4b0fa7e5cb29724e433783fbaafd30701a
65604b88312d7e2b5ab8278671235a55bab4f969afd116030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5f761c7cb75d3413cdb392a6
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=147,
length=342
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message =
0x028e00cc1900160301008610000082008091b63d950e11c91046e3f725dcd7d304492f
57c1dadf1e7495681b43529b362c499841ba71597055f5654c3ca98c27b7e03a177199dd
3057a5d5b21e5e783b4216b943a1ab23387e6cc064a9829979da98770f1b07b55b2e6007
3e842666d6e4af3d4d6ff0ed8beadef6a2e2301f9a0d88a0f6dd6afa3370d1747cc776c4
4c0214030100010116030100300e7f8ffdf9dd3e9051c8572c21adb963d53260c49c98f1
418f7950444848770f7ad731dc389fcefdd65e0914b7c56a16
	Message-Authenticator = 0xae09db613bd97099219416d6c598a6a2
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f5f761c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 142 length 204
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A 
    TLS_accept: SSLv3 flush data 
    (other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 147 to 10.0.1.9 port 1645
	EAP-Message =
0x018f004119001403010001011603010030bc7b1f21090f1bdaa4abcf797903113688aa
47a3094114ee3d638c1617c37d0ca4f9b1dbec7a967007ecb6c13bffb21d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f58771c7cb75d3413cdb392a6
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=148,
length=144
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message = 0x028f00061900
	Message-Authenticator = 0x2104a6c0ee38a2bd3fe9b6bb57211e28
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f58771c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 143 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3 
  eaptls_process returned 3 
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 148 to 10.0.1.9 port 1645
	EAP-Message =
0x0190002b19001703010020e2b7a169db2e1f8d75824f92cfed7c6cadf098286227525b
6627d0963e6dbe34
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f59681c7cb75d3413cdb392a6
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=149,
length=234
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message =
0x02900060190017030100207693f88474ff4aaaefd99931f7ffdf4bfc4fdf19d23453e1
916222bb6beb9a0f17030100307d33a13faa21e5f630826e553a455593e65c4c2fb4a10d
88e516a3299d40afd58468e6a62f79618ecfa3b14bc0295a3d
	Message-Authenticator = 0x4d6137af4ebd3f0f3000bf316473cb6b
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f59681c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 144 length 96
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - bradbrookc
  PEAP: Got tunneled EAP-Message
	EAP-Message = 0x0290000f016272616462726f6f6b63
  PEAP: Got tunneled identity of bradbrookc
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to bradbrookc
  PEAP: Sending tunneled request
	EAP-Message = 0x0290000f016272616462726f6f6b63
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "bradbrookc"
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 144 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
	expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org
	expand: (&(samaccountName=%{mschap:User-Name})) ->
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_release_conn: Release Id: 0
	expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro
upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName
s)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=
GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Bradbrooke\,
Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(objectclass=*)
rlm_ldap: performing search in
CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(cn=RCNS-Group)
rlm_ldap::ldap_groupcmp: User found in group RCNS-Group
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 203
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bradbrookc
	expand: (&(samaccountName=%{mschap:User-Name})) ->
(&(samaccountName=bradbrookc))
	expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(samaccountName=bradbrookc))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user bradbrookc authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 11
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Type:0 = VLAN
	Tunnel-Private-Group-Id:0 = "254"
	EAP-Message =
0x019100241a0191001f10bca484b2a5e1f5483e9740469841cd066272616462726f6f6b
63
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf7495b4dfe58f4948b665ba90c853df
  PEAP: Processing from tunneled session code 0x9bbaff0 11
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Type:0 = VLAN
	Tunnel-Private-Group-Id:0 = "254"
	EAP-Message =
0x019100241a0191001f10bca484b2a5e1f5483e9740469841cd066272616462726f6f6b
63
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf7495b4dfe58f4948b665ba90c853df
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 149 to 10.0.1.9 port 1645
	EAP-Message =
0x0191004b19001703010040cb9a244436d27cd878af3574f9810e43f9b62173c3ec951e
4b1e9e9fce8f1f718767449092ed5b011ebdf60d1eb89cfdc8a89b0f0f5dcec691a83037
85c87b7f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5a691c7cb75d3413cdb392a6
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=150,
length=282
	User-Name = "bradbrookc"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-13-19-EE-6F-03"
	Calling-Station-Id = "00-12-3F-7F-5C-04"
	EAP-Message =
0x02910090190017030100205e1f6a8f5e21e3242cc251cc76bb1d38a571a67fb9cfc0e9
4d601720d34c508e1703010060b3267c099baeef90e14bdf7b6674745b1c3a2a732413a0
b36843e7dc59239dcb33bec8a8318a33078dbef9f0bd4b0a7f5199be207f42ec01a7ccce
79a125ca8a7cef0a47036e31b6ea76bbcfee284b2273d8eeab6b7aee10f2459459f10b1a
14
	Message-Authenticator = 0x936b24e5e67b6078b7f8796275532377
	NAS-Port-Type = Ethernet
	NAS-Port = 50103
	State = 0x5cf8051f5a691c7cb75d3413cdb392a6
	NAS-IP-Address = 10.0.1.9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 145 length 144
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
	EAP-Message =
0x029100451a0291004031b03934b274ed47570a4fc25d067bc51d0000000000000000da
0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2006272616462726f6f6b63
  PEAP: Setting User-Name to bradbrookc
  PEAP: Sending tunneled request
	EAP-Message =
0x029100451a0291004031b03934b274ed47570a4fc25d067bc51d0000000000000000da
0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2006272616462726f6f6b63
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "bradbrookc"
	State = 0xdf7495b4dfe58f4948b665ba90c853df
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 145 length 69
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
	expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org
	expand: (&(samaccountName=%{mschap:User-Name})) ->
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(samaccountName=bradbrookc))
rlm_ldap: ldap_release_conn: Release Id: 0
	expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro
upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName
s)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=
GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Bradbrooke\,
Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(objectclass=*)
rlm_ldap: performing search in
CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter
(cn=RCNS-Group)
rlm_ldap::ldap_groupcmp: User found in group RCNS-Group
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 203
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bradbrookc
	expand: (&(samaccountName=%{mschap:User-Name})) ->
(&(samaccountName=bradbrookc))
	expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter
(&(samaccountName=bradbrookc))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user bradbrookc authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create
NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for bradbrookc with NT-Password
	expand: --username=%{mschap:User-Name} -> --username=bradbrookc
 mschap2: bc
	expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=8f745c0c9417c51d
	expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=da0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2
Exec-Program output: NT_KEY: 42207E9FF1BBB532486C8C59D014F7AA 
Exec-Program-Wait: plaintext: NT_KEY: 42207E9FF1BBB532486C8C59D014F7AA 
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 11
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Type:0 = VLAN
	Tunnel-Private-Group-Id:0 = "254"
	EAP-Message =
0x019200331a0391002e533d393344414646324336354533353533383635353131413838
39324537373946334642464230383734
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf7495b4dee68f4948b665ba90c853df
  PEAP: Processing from tunneled session code 0x9bbaff0 11
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Type:0 = VLAN
	Tunnel-Private-Group-Id:0 = "254"
	EAP-Message =
0x019200331a0391002e533d393344414646324336354533353533383635353131413838
39324537373946334642464230383734
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf7495b4dee68f4948b665ba90c853df
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 150 to 10.0.1.9 port 1645
	EAP-Message =
0x0192005b190017030100502648c6639d8e11269cab8d17c667d1fbfd193feeb88cd647
3b7aa7ac33da7112db432c81e25a1e0e5486b2f0989d556f3dc20291a73e4e1c951b7d98
1974aafe78efa247b31f910a7fc8d421a6050163
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5cf8051f5b6a1c7cb75d3413cdb392a6
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 143 with timestamp +23
Cleaning up request 1 ID 144 with timestamp +23
Cleaning up request 2 ID 145 with timestamp +23
Cleaning up request 3 ID 146 with timestamp +23
Cleaning up request 4 ID 147 with timestamp +23
Cleaning up request 5 ID 148 with timestamp +23
Cleaning up request 6 ID 149 with timestamp +23
Cleaning up request 7 ID 150 with timestamp +23
Ready to process requests.





