freeradius SQL + EAP + Windows client
Guillaume Chartrand
guillaume.chartrand at collanaud.qc.ca
Thu Feb 28 19:49:05 CET 2008
Hi, I've got a problem when I try to authorize with SQL and a Windows client on a wireless connection.
I configured my Windows XP wireless connection to work with PEAP.
My FreeRADIUS version is 2.0.0 running on RHEL4 AS.
When I run a test with the command
radtest guillaume passtest localhost 1645 testing123
I get this result
rad_recv: Access-Request packet from host 127.0.0.1 port 34468, id=204, length=61
User-Name = "guillaume"
User-Password = "passtest"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1645
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "passtest"
rlm_pap: Using clear text password "passtest"
rlm_pap: User authenticated successfully
++[pap] returns ok
Sending Access-Accept of id 204 to 127.0.0.1 port 34468
Finished request 0.
So authorizing with SQL is working for now, but when I try to connect with the same parameters from my Windows client I get an Access-Reject and I don't know why. Here's my log from when I try to connect. It's a very long log, but I prefer to include more rather than less.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=0, length=207
Message-Authenticator = 0xc0f8d00a3b3681c80b0404fb1071f81a
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000e016775696c6c61756d65
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.20.50.202 port 1063
EAP-Message = 0x01010016041092804dde8d0a06d99e5261ceb9722ac7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced520d38a3a459d69bfb6e15b4
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=1, length=217
Message-Authenticator = 0x9c0bc150cd03185ca99cfd2e204c58d7
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced520d38a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 172.20.50.202 port 1063
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced530e25a3a459d69bfb6e15b4
Finished request 1.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=2, length=291
Message-Authenticator = 0x67008b1dd66cde4ee9ecd8b2b31c8d8c
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced530e25a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0202005019800000004616030100410100003d030147c6ffb92935badbb2f4def8539d5a52639b98a4363eec5b7ef740726e82e7c600001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_eap: EAP packet type response id 2 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 70
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0758], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.20.50.202 port 1063
EAP-Message = 0x070301300d06092a864886f70d0101040500038201010056ade8e3773dd290a848cdbfad5c1a59b2f35473597493243ceb820892754b92868e742b44030f7068a5d825931c8721b0976d23c21283548b8549a357907fe7b6076a36852d51fd3b6b862d4852055b58b2f1c133ae6e2af7868fb394a806f076675b18d3e2919dca32e7a3101364f25b48c0a4ab5a7c207a60175dee981c5bc15ecec9e544d74fc7d9999cc6ea5d42fd994734698b9e6a502d6d6c8785091b9494f5771e5391283e05f05f91c65ad034ee22f0384b7a676bbc962cd656236970fa309ba4ce2ed667eb57b8012032d8d57a27a00681ef80c7552c1cdeb91cf5f07534cef0a1
EAP-Message = 0x4ef83b331774e71485811454
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced500f25a3a459d69bfb6e15b4
Finished request 2.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=3, length=217
Message-Authenticator = 0xba417f3e033cd9fcf8c4c2e53f416738
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced500f25a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.20.50.202 port 1063
EAP-Message = 0x71e3add200d77b9bd2e1c132a12a64342f319d54fa023e29fefe206b380fe3817e9390edca3ca4eebd64b539e53178b502897f08da96010c79a3ddc8624cda44c46e858f81975ba8d58d334519bee708117517cf9bdb0803289a13f568b60fbe3389ee6f0aad043510311730d6232c05d5781292590e2dd0c269461254122f461843eb17837a64fda6ffc7ba2c41a6c080d6660c1b7db277025167df8ad183b4dbce207cafdecdbf147208cee0d4214f8eecf0c0bb892c36ecdd5ae04f0feb0a5505030a9c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced510825a3a459d69bfb6e15b4
Finished request 3.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=4, length=533
Message-Authenticator = 0xe640831a6cc1058b837e7b6545553c8c
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced510825a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x19aaf6afac987e2b53eacf2d5b558e1aad52e4c560f33fcc1403010001011603010020c30bee50878b3e356c158179fc51845d809915f2fbbf73dd7241b9a16a005793
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 310
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 172.20.50.202 port 1063
EAP-Message = 0x01050031190014030100010116030100208bb299fbb9a8ecc9529ec3acf8080b4fbee9264638e3344eeed742f31342fac0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced560925a3a459d69bfb6e15b4
Finished request 4.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=5, length=217
Message-Authenticator = 0x220b76bfe2d6dbe7846eb66729e647a3
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced560925a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020500061900
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 172.20.50.202 port 1063
EAP-Message = 0x0106002019001703010015b5d9ed38c16abe949007856112163c349f47653a9a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced570a25a3a459d69bfb6e15b4
Finished request 5.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=6, length=248
Message-Authenticator = 0x6915c4ca0dac6f36bcbb06a505b09b13
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced570a25a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020600251900170301001a6e27e83a583513f96734491893052bc45e331dea5a817514c96d
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_eap: EAP packet type response id 6 length 37
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - guillaume
PEAP: Got tunneled identity of guillaume
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to guillaume
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_eap: EAP packet type response id 6 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 172.20.50.202 port 1063
EAP-Message = 0x0107003a1900170301002fecaf21a73ddbad75e42aa30dc5d0d2489a475ea8b653ef48600c15b788c513f3653ff92d6399cb21abb210cbc9374e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced540b25a3a459d69bfb6e15b4
Finished request 6.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=7, length=302
Message-Authenticator = 0x7287204fcda0fbdaa0909c61c390db5d
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced540b25a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0207005b190017030100501535a8ff853e55baa970b95035da4cc5ed023c4fc2bff19dacdb32c539c6fb422a96edb8dd7cf0b34268b75d80b0b850d575c6894afafca7e0be7250dddd00044bdd0fe6176b0b6afd5e670b2567f46c
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_eap: EAP packet type response id 7 length 91
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Setting User-Name to guillaume
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
rlm_eap: EAP packet type response id 7 length 68
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for guillaume with NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=guillaume
rlm_mschap: No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
mschap2: c4
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4384da4f07ddf5b1
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b4e365eb0f01c659d845bd177f80139ebbe46ada409725f1
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.20.50.202 port 1063
EAP-Message = 0x010800261900170301001b43e26227f37525d5072bc3647428c3fafce33dd5f49b549f0194e0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x520c3ced550425a3a459d69bfb6e15b4
Finished request 7.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=8, length=249
Message-Authenticator = 0x7c5457d18a2ab93316e3cb7416ec9acb
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
State = 0x520c3ced550425a3a459d69bfb6e15b4
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020800261900170301001b3116a7abe82507e5348d4e6f2e108f5b1c80d2e51db813beebcc1f
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> guillaume
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 172.20.50.202 port 1063
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Cleaning up request 0 ID 0 with timestamp +14
Waking up in 0.1 seconds.
Cleaning up request 1 ID 1 with timestamp +14
Cleaning up request 2 ID 2 with timestamp +14
Cleaning up request 3 ID 3 with timestamp +15
Cleaning up request 4 ID 4 with timestamp +15
Cleaning up request 5 ID 5 with timestamp +15
Cleaning up request 6 ID 6 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 7 ID 7 with timestamp +15
Waking up in 1.0 seconds.
Cleaning up request 8 ID 8 with timestamp +15
Ready to process requests.
Thanks for the help
----------------------------
Guillaume Chartrand
Technicien informatique
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 poste 7218
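
A debug log of this length is easier to triage mechanically. The following is an added example, not part of the original post: it splits FreeRADIUS debug output into requests, decodes the first EAP-Message header in each direction, and reports the first module that returned `reject` together with what was logged just before it. The sample lines are condensed from the log above, and the function names are hypothetical.

```python
import re

# EAP codes and the method types seen in this exchange (RFC 3748 numbering)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "MS-CHAPv2"}

RECV = re.compile(r"^rad_recv: \S+ packet from host (\S+) port \d+, id=(\d+)")
SENT = re.compile(r"^Sending (\S+) of id \d+")
RCODE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
EAPMSG = re.compile(r"^EAP-Message = (\S+)")

# Constructed sample: a condensed excerpt in the format of the log above
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=1, length=217
EAP-Message = 0x020100060319
++[sql] returns ok
++[eap] returns updated
rlm_eap: EAP-NAK asked for EAP-Type/peap
++[eap] returns handled
Sending Access-Challenge of id 1 to 172.20.50.202 port 1063
EAP-Message = 0x010200061920
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=7, length=302
++[sql] returns ok
rlm_mschap: Told to do MS-CHAPv2 for guillaume with NT-Password
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
PEAP: Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.20.50.202 port 1063
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=8, length=249
++[eap] returns invalid
Sending Access-Reject of id 8 to 172.20.50.202 port 1063
EAP-Message = 0x04080004
"""


def decode_eap(value):
    """Decode the EAP header from a logged EAP-Message value, or return None."""
    try:
        raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    except ValueError:
        return None  # not hex (e.g. a redacted or truncated value)
    if len(raw) < 4 or raw[0] not in EAP_CODES:
        return None
    info = {"code": EAP_CODES[raw[0]], "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big"), "type": None, "nak_wants": []}
    if raw[0] in (1, 2) and len(raw) > 4:  # only Request/Response carry a type
        info["type"] = EAP_TYPES.get(raw[4], str(raw[4]))
        if raw[4] == 3:  # Nak: the remaining bytes list the methods the peer wants
            info["nak_wants"] = [EAP_TYPES.get(b, str(b)) for b in raw[5:info["length"]]]
    return info


def parse_requests(log_text):
    """Group debug lines by incoming packet and record the reply sent for each."""
    requests, cur = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        m = RECV.match(line)
        if m:
            cur = {"nas": m.group(1), "id": int(m.group(2)), "lines": [], "reply": None}
            requests.append(cur)
            continue
        if cur is None:
            continue  # startup output before the first packet
        cur["lines"].append(line)
        m = SENT.match(line)
        if m:
            cur["reply"] = m.group(1)
        m = EAPMSG.match(line)
        if m:
            # Only the first EAP-Message attribute in each direction holds the header
            cur.setdefault("eap_out" if cur["reply"] else "eap_in", decode_eap(m.group(1)))
    return requests


def first_reject(requests):
    """Return the first module that returned reject and the lines logged since
    the previous module result, which is where the reason usually appears."""
    for req in requests:
        prev = -1
        for i, line in enumerate(req["lines"]):
            m = RCODE.match(line)
            if not m:
                continue
            if m.group(2) == "reject":
                return {"request_id": req["id"], "module": m.group(1),
                        "evidence": req["lines"][prev + 1:i]}
            prev = i
    return None


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    for r in reqs:
        print(r["id"], r.get("eap_in"), "->", r["reply"], r.get("eap_out"))
    hit = first_reject(reqs)
    print("first reject: request %(request_id)d, module %(module)s" % hit)
    for line in hit["evidence"]:
        print("   ", line)
```

On the sample it points at request 7, where `mschap` returns `reject` right after the `Exec-Program output: Logon failure (0xc000006d)` line, one request before the Access-Reject is sent.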