PEAP with Windows supplicant, Automatically use my windows credentials

splintered thoughts splinteredthoughts at yahoo.com
Thu Dec 18 00:33:57 CET 2008


Ivan,

Here is the radiusd -X output:

Thanks


main {
 prefix = "/usr"
 localstatedir = "/var"
 logdir = "/usr/local/jboss/server/zzjbossserver/log"
 libdir = "/usr/lib"
 radacctdir = "/usr/local/jboss/server/zzjbossserver/log/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = "/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
 }
}
 client 10.12.18.4 {
 require_message_authenticator = no
 secret = "zz"
 shortname = "3750"
 }
 client 127.0.0.1 {
 require_message_authenticator = no
 secret = "zz"
 shortname = "example"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = yes
 dead_time = 100
 wake_all_if_all_dead = no
 }
 realm example {
 authhost = LOCAL
 accthost = LOCAL
 }
 realm tpw5.com {
 authhost = LOCAL
 accthost = LOCAL
 }
 realm tpw5 {
 authhost = LOCAL
 accthost = LOCAL
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
 wait = yes
 input_pairs = "request"
 shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd: #### Loading Virtual Servers ####
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
 encryption_scheme = "crypt"
 auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = no
 with_ntdomain_hack = yes
 ntlm_auth = "/usr/bin/sudo /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
 radwtmp = "/usr/local/jboss/server/zzjbossserver/log/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
 default_eap_type = "md5"
 timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
 challenge = "Password: "
 auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
 rsa_key_exchange = no
 dh_key_exchange = yes
 rsa_key_length = 512
 dh_key_length = 512
 verify_depth = 0
 pem_file_type = yes
 private_key_file = "/opt/zz/current/radius/raddb/port_1812/cert_privkey.key"
 certificate_file = "/opt/zz/current/radius/raddb/port_1812/cert_certificate.pem"
 CA_file = "/opt/zz/current/radius/raddb/port_1812/cert_ca_cert.pem"
 private_key_password = "whatever"
 dh_file = "/etc/raddb/certs/dh"
 random_file = "/etc/raddb/certs/random"
 fragment_size = 1024
 include_length = yes
 check_crl = yes
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
 default_eap_type = "md5"
 copy_request_to_tunnel = yes
 use_tunneled_reply = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
 default_eap_type = "mschapv2"
 copy_request_to_tunnel = yes
 use_tunneled_reply = yes
 proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
 with_ntdomain_hack = no
   }
 Module: Linked to module rlm_ldap
 Module: Instantiating tpw5.com
  ldap tpw5.com {
 server = "10.12.19.12"
 port = 3268
 password = "password"
 identity = "Administrator at tpw5.com"
 net_timeout = 10
 timeout = 20
 timelimit = 20
 tls_mode = no
 start_tls = no
 tls_require_cert = "allow"
 basedn = "CN=Users,DC=tpw5,DC=com"
 filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
 base_filter = "(objectclass=radiusprofile)"
 auto_header = no
 access_attr_used_for_allow = yes
 groupname_attribute = "cn"
 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 dictionary_mapping = "/opt/zz/current/radius/raddb/port_1812/ldap.attrmap"
 ldap_debug = 0
 ldap_connections_number = 5
 compare_check_items = no
 do_xlat = yes
 edir_account_policy_check = yes
 set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute tpw5.com-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for tpw5.com-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name tpw5.com
rlm_ldap: reading ldap<->radius mappings from file /opt/zz/current/radius/raddb/port_1812/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x9db9aa0
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
 huntgroups = "/opt/zz/current/radius/raddb/port_1812/huntgroups"
 hints = "/opt/zz/current/radius/raddb/port_1812/hints"
 with_ascend_hack = no
 ascend_channels_per_line = 23
 with_ntdomain_hack = no
 with_specialix_jetstream_hack = no
 with_cisco_vsa_hack = no
 with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating realmpercent
  realm realmpercent {
 format = "suffix"
 delimiter = "%"
 ignore_default = no
 ignore_null = yes
  }
 Module: Instantiating ntdomain
  realm ntdomain {
 format = "prefix"
 delimiter = "\"
 ignore_default = no
 ignore_null = yes
  }
 Module: Instantiating suffix
  realm suffix {
 format = "suffix"
 delimiter = "@"
 ignore_default = no
 ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
 usersfile = "/opt/zz/current/radius/raddb/port_1812/users"
 acctusersfile = "/opt/zz/current/radius/raddb/port_1812/acct_users"
 preproxy_usersfile = "/opt/zz/current/radius/raddb/port_1812/preproxy_users"
 compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
 detailfile = "/usr/local/jboss/server/zzjbossserver/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 header = "%t"
 detailperm = 384
 dirperm = 493
 locking = no
 log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
 filename = "/usr/local/jboss/server/zzjbossserver/log/radutmp"
 username = "%{User-Name}"
 case_sensitive = yes
 check_with_nas = yes
 perm = 384
 callerid = yes
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_jradius
radiusd: #### Opening IP addresses and Ports ####
listen {
 type = "auth"
 ipaddr = *
 port = 1812
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=100, length=126
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 EAP-Message = 0x0200001701545057355c61646d696e6973747261746f72
 Message-Authenticator = 0x06f820c71907e184080fd19cd6e84fd0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 100 to 10.12.18.4 port 1812
 EAP-Message = 0x0101001604105ad65c5e373632a60f58c8699b2db79e
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76ccd7ad3e72180cc6356312d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=101, length=127
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76ccd7ad3e72180cc6356312d
 EAP-Message = 0x020100060319
 Message-Authenticator = 0x2c9415792a87d0100d36482b8e227326
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 101 to 10.12.18.4 port 1812
 EAP-Message = 0x010200061920
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76dce67d3e72180cc6356312d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=102, length=201
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76dce67d3e72180cc6356312d
 EAP-Message = 0x0202005019800000004616030100410100003d030149497fc0589d066d3182d4e06110415db7e9cce189ba524ed9da5a2b90466e9400001600040005000a000900640062000300060013001200630100
 Message-Authenticator = 0x1b286efae0fc2cac4e562d2c8b06225f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 06ef], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 102 to 10.12.18.4 port 1812
 EAP-Message = 
 EAP-Message = 
 EAP-Message = 
 EAP-Message = 
 EAP-Message = 
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76ecf67d3e72180cc6356312d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=103, length=127
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76ecf67d3e72180cc6356312d
 EAP-Message = 0x020300061900
 Message-Authenticator = 0xf25c9f0d7a0c9a2a5873708bddf1901f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 103 to 10.12.18.4 port 1812
 EAP-Message = 
 EAP-Message =
 EAP-Message = 
 EAP-Message = 
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76fc867d3e72180cc6356312d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=104, length=313
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76fc867d3e72180cc6356312d
 EAP-Message = 
 Message-Authenticator = 
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 192
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 182
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.12.18.4 port 1812
 EAP-Message = 0x0105003119001403010001011603010020a1ba5949221dd59f2e8453311aec9c6c1d2e60cff4a6b017df386d2fa527f2c7
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea768c967d3e72180cc6356312d
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=105, length=127
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea768c967d3e72180cc6356312d
 EAP-Message = 0x020500061900
 Message-Authenticator = 0x1de51ad1c24ebe21f7be45e6177e6693
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.12.18.4 port 1812
 EAP-Message = 0x0106002019001703010015772e7cc1d5e3d2757502d491ac6a9ecbcb24c165c4
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea769ca67d3e72180cc6356312d
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=106, length=167
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea769ca67d3e72180cc6356312d
 EAP-Message = 0x0206002e190017030100230e1c053c3bcebe8892859e8bbfac2208ed26c7cf5f2f9c25627c2c0115038d12e7392f
 Message-Authenticator = 0xdd0722594d8f86b0139a64ac045cc96a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 46
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - TPW5\administrator
[peap] Got tunneled request
 EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72
server  {
  PEAP: Got tunneled identity of TPW5\administrator
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
 EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "TPW5\\administrator"
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server 
[peap] Got tunneled reply code 11
 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xbd40b48fbd47ae4a573dddc94033f1de
[peap] Got tunneled reply RADIUS code 11
 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xbd40b48fbd47ae4a573dddc94033f1de
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.12.18.4 port 1812
 EAP-Message = 0x01070043190017030100387cd98b9fe8e33bc0bc8dbbf8a2f139fd27cc793f0241af4a18afa6962c75c5183a63822faa5bf18b3d9460cf6a05071729ea6565ea039db5
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76acb67d3e72180cc6356312d
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=107, length=221
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76acb67d3e72180cc6356312d
 EAP-Message = 0x0207006419001703010059f5d5f237a8b1b6a12ce80c36564ceed7ea4b77a2e021c87ab5c01015f679ab43a21c96092d0eb36c944690044e81504bf30d9a0ff0dcd6c5d5a6c036b298245967f69705f3c87d2ca8481b02cf79f3053546eeb7e09a5467ee
 Message-Authenticator = 0x80fc39ba54f43c51ba004c1d30942c56
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 100
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
 EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72
server  {
  PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
 EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "TPW5\\administrator"
 State = 0xbd40b48fbd47ae4a573dddc94033f1de
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 77
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for administrator with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]  expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator
[mschap]  mschap2: 94
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532
Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 
Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server 
[peap] Got tunneled reply code 11
 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xbd40b48fbc48ae4a573dddc94033f1de
[peap] Got tunneled reply RADIUS code 11
 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xbd40b48fbc48ae4a573dddc94033f1de
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.12.18.4 port 1812
 EAP-Message = 0x0108004a1900170301003fa21a6406b72762e386f075bc1c01d6b83e271b811a3b126616dff52b1befad49d665e40cf12309fcf4c0675abd66826102e54fdfa02f4f5b9dc78fba4be828
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea76bc467d3e72180cc6356312d
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=108, length=150
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea76bc467d3e72180cc6356312d
 EAP-Message = 0x0208001d190017030100123215a25025b2f991889e532eab1acc707509
 Message-Authenticator = 0x4ad3f4a678eb190c4ba1f842ab5c4b31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
 EAP-Message = 0x020800061a03
server  {
  PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
 EAP-Message = 0x020800061a03
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "TPW5\\administrator"
 State = 0xbd40b48fbc48ae4a573dddc94033f1de
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply code 2
 EAP-Message = 0x03080004
 Message-Authenticator = 0x00000000000000000000000000000000
 User-Name = "administrator"
 Session-Timeout := 900
 Tunnel-Type:0 := VLAN
 Tunnel-Medium-Type:0 := IEEE-802
 Tunnel-Private-Group-Id:0 := "100"
[peap] Got tunneled reply RADIUS code 2
 EAP-Message = 0x03080004
 Message-Authenticator = 0x00000000000000000000000000000000
 User-Name = "administrator"
 Session-Timeout := 900
 Tunnel-Type:0 := VLAN
 Tunnel-Medium-Type:0 := IEEE-802
 Tunnel-Private-Group-Id:0 := "100"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.12.18.4 port 1812
 EAP-Message = 0x010900261900170301001b80018f7d29f8c5f428c963bc1a2fb0d9eb4a5635fe3dd9ccecdee9
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x6ccc7ea764c567d3e72180cc6356312d
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=109, length=159
 NAS-IP-Address = 10.12.18.4
 NAS-Port-Type = Async
 User-Name = "TPW5\\administrator"
 Service-Type = Framed
 Framed-MTU = 1500
 Calling-Station-Id = "00-0b-db-0a-ed-eb"
 State = 0x6ccc7ea764c567d3e72180cc6356312d
 EAP-Message = 0x020900261900170301001b5c1ed2599bd67049afbec5788577faf4dd886681d22bf37c1188f0
 Message-Authenticator = 0x86a410ea19f9df8d6d6b7a4bfd926745
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 9 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
rlm_eap_tls: add_reply failed to create attribute EAP-MSK: Invalid octet string "" for attribute name "EAP-MSK" 
rlm_eap_tls: add_reply failed to create attribute EAP-EMSK: Invalid octet string "" for attribute name "EAP-EMSK" 
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 109 to 10.12.18.4 port 1812
 User-Name = "administrator"
 MS-MPPE-Recv-Key = 0x829a5f395e0ba2e486cf04409ee945b8d3b68e65b40b207b9117722222d890e2
 MS-MPPE-Send-Key = 0x4680664366c2b27dd92f9b94d0d00a289f409040fcfc3d26d4e8500e8bd41cbc
 EAP-Message = 0x03090004
 Message-Authenticator = 0x00000000000000000000000000000000
 Session-Timeout := 900
 Tunnel-Type:0 := VLAN
 Tunnel-Medium-Type:0 := IEEE-802
 Tunnel-Private-Group-Id:0 := "100"
Finished request 9.
Going to the next request

 

________________________________
From: "tnt at kalik.net" <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Wednesday, December 17, 2008 3:06:27 PM
Subject: Re: PEAP with Windows supplicant, Automatically use my windows credentials

>I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails.

How same is "the same user name/domain"? Post the debug of the good
attempt. Please use radiusd -X. We don't need to see "Wed Dec 17
09:07:24 2008 : Debug:" in front of every line.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html