Authorization?? pb Authentication against AD

Reveal MAP revealmapp at yahoo.fr
Fri Jun 27 15:07:15 CEST 2008


Hello,

I am trying to authenticate wireless users against Active Directory using FreeRADIUS 2.0.2-3.
I can authenticate users using EAP-PEAP or EAP-TLS.

First question: is an EAP system mandatory to authenticate against Active Directory?


- I followed this HOWTO (http://wiki.freeradius.org/Syslog_HOWTO), so "wbinfo" and "Ntlm_Auth" function properly, as the HOWTO says.

- user "glouglou" with password "glouglou" exists in AD.

On an authentication attempt against AD, I get these messages, which I don't understand so well:

1. Part of Log of Radiusd -X
////////////////////////////////////////////////////////////////////////////////////////////////////
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\glouglou
 mschap2: ca
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b7b4f66d1ed49fa6
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1f96c63c6a98e87af339d1226e5feef41e327666f3ccd175
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61)
} # server (null)
////////////////////////////////////////////////////////////////////////////////////////////////////


2. "Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)"
////////////////////////////////////////////////////////////////////////////////////////////////////
Part of /var/lib/samba files:
------------------------------------
# aaa:/var/lib/samba # ls win*
# winbindd_cache.tdb      winbindd_cache.tdb.bak.old
# winbindd_cache.tdb.bak  winbindd_idmap.tdb

# winbindd_privileged:
# pipe
# aaa:/var/lib/samba #   
------------------------
# aaa:/var/lib/samba # ll winbindd_privileged/
# total 0
# srwxrwxrwx 1 root root 0 Jun 25 16:17 pipe
aaa:/var/lib/samba #     

I am not so expert at Linux stuff, but I think it could just be an authorization problem, and I really don't know if some other things are needed to authenticate against AD. May I have some advice?

Thank you all for your responses.
**************************************************************************

ENTIRE LOG BELOW:
----------------------------------------
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=49, length=168
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020a001401504c55544f4e5c676c6f75676c6f75
        Message-Authenticator = 0xf46afa6cebe1a6532bda4720c452b684
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 10 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 49 to 10.10.44.246 port 1027
        EAP-Message = 0x010b00061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010567f99f247f2f989f1c443b2
Finished request 50.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=50, length=246
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020b005019800000004616030100410100003d03014864e9ca6f5373caeef782f84ee725f6fd57b421fde7913f318d1f6ff0aac6c800001600040005000a000900640062000300060013001200630100
        State = 0x56748010567f99f247f2f989f1c443b2
        Message-Authenticator = 0x71516277d5597dd13b90fa56bfc8a9e0
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 11 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 70
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0641], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 50 to 10.10.44.246 port 1027
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010577899f247f2f989f1c443b2
Finished request 51.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=51, length=172
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020c00061900
        State = 0x56748010577899f247f2f989f1c443b2
        Message-Authenticator = 0x66d1a8307eaffc06f9a08c946ceaec4e
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 12 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 51 to 10.10.44.246 port 1027
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010547999f247f2f989f1c443b2
Finished request 52.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=52, length=358
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020d00c01980000000b61603010086100000820080a09d13c7c124673a58b5dde71c8223571f9cd3414359c7818a4d8f95d7fdc04a4aeb3841ceaf9b6d39bab24619660043acc7277cc744ff6b020c4040f7f1ca7a50179053ee27dd5b5fbd8f8b373012f6bf0ee90b4fc1964de222bd63263efe014c0b6941347e5bc538d79ae23c8c99bc3440e6cf723969ab37c671db6715c0c614030100010116030100207ba294a9552ee15c39fb55bf3e8656293c7dab2a757dcf5b22f9c695fb33ab05
        State = 0x56748010547999f247f2f989f1c443b2
        Message-Authenticator = 0xea20985ef156f3ca1d289460bd9d2be1
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 13 length 192
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 182
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.10.44.246 port 1027
        EAP-Message = 0x010e003119001403010001011603010020c345278c8df213925709e6088b0f731aab25a0d8385798c0a2c4db729262c8a6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010557a99f247f2f989f1c443b2
Finished request 53.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=53, length=172
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020e00061900
        State = 0x56748010557a99f247f2f989f1c443b2
        Message-Authenticator = 0x2b8d1b169bbee8ce550ca9e214df3c94
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 14 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 53 to 10.10.44.246 port 1027
        EAP-Message = 0x010f0020190017030100151d867f83da3241029a7114e888c7cf60babf0e02d0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010527b99f247f2f989f1c443b2
Finished request 54.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=54, length=209
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020f002b190017030100206fe05a76b2fae56696fffa2228ce92c191ee66a85461f6090415af436ac843ca
        State = 0x56748010527b99f247f2f989f1c443b2
        Message-Authenticator = 0xd09d1d3774b211590555be066a70a8d5
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 15 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - PLUTON\glouglou
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020f001401504c55544f4e5c676c6f75676c6f75
  PEAP: Got tunneled identity of PLUTON\glouglou
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to PLUTON\glouglou
  PEAP: Sending tunneled request
        EAP-Message = 0x020f001401504c55544f4e5c676c6f75676c6f75
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 15 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server (null)
  PEAP: Got tunneled reply RADIUS code 11
        EAP-Message = 0x011000291a0110002410ca599c00d22c084762ea6a53c13a5d2b504c55544f4e5c676c6f75676c6f75
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x18e71c2c18f706a7a1507180b3671108
  PEAP: Processing from tunneled session code 0x8193750 11
        EAP-Message = 0x011000291a0110002410ca599c00d22c084762ea6a53c13a5d2b504c55544f4e5c676c6f75676c6f75
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x18e71c2c18f706a7a1507180b3671108
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 54 to 10.10.44.246 port 1027
        EAP-Message = 0x0110004019001703010035956c4cf08a6ab0bfe1df4631b8fd06250693f7860a05c35348bd0b12064b45bc7dacfeccc8db66434df13655cdb562cecc68ed1886
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010536499f247f2f989f1c443b2
Finished request 55.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=55, length=263
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x02100061190017030100566d4d35418ad77fca42e9b02823f08213269331fae81fc0fc8c7c8d32df6d8353777e01f72461069c6b8ff46b8af9ae103b3652ba4a3a8cab3024aef70b6f5178fd21d6c680ab940da848bc70986816005ecde4d32124
        State = 0x56748010536499f247f2f989f1c443b2
        Message-Authenticator = 0x457d4f556b9681c25a43b1cbf68fa24c
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 16 length 97
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x0210004a1a0210004531574a3bb95c0c018b05e6c2ef8940230c00000000000000001f96c63c6a98e87af339d1226e5feef41e327666f3ccd17500504c55544f4e5c676c6f75676c6f75
  PEAP: Setting User-Name to PLUTON\glouglou
  PEAP: Sending tunneled request
        EAP-Message = 0x0210004a1a0210004531574a3bb95c0c018b05e6c2ef8940230c00000000000000001f96c63c6a98e87af339d1226e5feef41e327666f3ccd17500504c55544f4e5c676c6f75676c6f75
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "PLUTON\\glouglou"
        State = 0x18e71c2c18f706a7a1507180b3671108
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 16 length 74
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\glouglou
 mschap2: ca
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b7b4f66d1ed49fa6
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1f96c63c6a98e87af339d1226e5feef41e327666f3ccd175
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61)
} # server (null)
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\020E=691 R=1"
        EAP-Message = 0x04100004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x81930e0 3
        MS-CHAP-Error = "\020E=691 R=1"
        EAP-Message = 0x04100004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 55 to 10.10.44.246 port 1027
        EAP-Message = 0x011100261900170301001b1471747ad76849d8dbd00fc980acdd80e3ecab794abb3f1be839db
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x56748010506599f247f2f989f1c443b2
Finished request 56.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=56, length=204
        User-Name = "PLUTON\\glouglou"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 1
        Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x021100261900170301001bfa6d913e5662305d0263ee856da52043e1b236e5ffc5423828edc4
        State = 0x56748010506599f247f2f989f1c443b2
        Message-Authenticator = 0x84c6191562a7454ae511824190170812
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 17 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> PLUTON\glouglou
++[attr_filter.access_reject] returns noop
Delaying reject of request 57 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Sending delayed reject for request 57
Sending Access-Reject of id 56 to 10.10.44.246 port 1027
        EAP-Message = 0x04110004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 50 ID 49 with timestamp +160171
Cleaning up request 51 ID 50 with timestamp +160171
Cleaning up request 52 ID 51 with timestamp +160171
Cleaning up request 53 ID 52 with timestamp +160171
Cleaning up request 54 ID 53 with timestamp +160171
Cleaning up request 55 ID 54 with timestamp +160171
Cleaning up request 56 ID 55 with timestamp +160171
Waking up in 1.0 seconds.
Cleaning up request 57 ID 56 with timestamp +160171
Ready to process requests.
                                          
----------------------------------------
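
Added example, not part of the original post: in the log above the supplicant is told `E=691` and radiusd prints "MS-CHAP2-Response is incorrect", although the external helper actually failed with NTSTATUS 0xc0000022 (access denied) before any password was checked. The sketch below triages `radiusd -X` output so helper or winbind failures are not counted as bad passwords; the second record in the sample, the user `PLUTON\alice` and the function names are constructed for illustration.

```python
import re

# NTSTATUS values that really mean "bad credentials" (standard Windows codes):
# 0xC000006A STATUS_WRONG_PASSWORD, 0xC000006D STATUS_LOGON_FAILURE.
CREDENTIAL_STATUS = {0xC000006A, 0xC000006D}

USERNAME = re.compile(r"-> --username=(\S+)")
# Helper output line, with an optional trailing "(0x........)" NTSTATUS code.
HELPER = re.compile(
    r"^Exec-Program output: (.*?)\s*(?:\((0x[0-9a-fA-F]{8})\))?\s*$")
RETURNED = re.compile(r"^Exec-Program: returned: (\d+)")
REJECT = re.compile(r"^\+\+\[mschap\] returns reject")

# Constructed sample. The first attempt reuses lines from the post's excerpt;
# the second attempt (PLUTON\alice, "Logon failure") is invented for contrast.
SAMPLE = r"""
        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\glouglou
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\alice
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""


def classify(rec):
    """Decide whether a reject was about the user or about the server."""
    status = rec.get("status")
    if status is None:
        return "unknown"          # helper gave no NTSTATUS to go on
    if status in CREDENTIAL_STATUS:
        return "credential"       # the domain rejected the response
    return "infrastructure"       # helper could not even ask the domain


def triage(debug_text):
    """Return one record per MS-CHAP reject found in radiusd -X output."""
    findings, cur = [], {}
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := USERNAME.search(line):
            # A new helper invocation starts: reset the per-attempt record.
            cur = {"user": m.group(1), "helper_msg": None,
                   "status": None, "exit": None}
        elif m := HELPER.match(line):
            cur["helper_msg"] = m.group(1)
            cur["status"] = int(m.group(2), 16) if m.group(2) else None
        elif m := RETURNED.match(line):
            cur["exit"] = int(m.group(1))
        elif REJECT.match(line):
            cur["cause"] = classify(cur)
            findings.append(cur)
            cur = {}
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        status = f"0x{f['status']:08x}" if f.get("status") is not None else "-"
        print(f"{f.get('user', '?'):20} {f['cause']:15} {status}  "
              f"{f.get('helper_msg') or ''}")
```

An "infrastructure" result for every user at once points at the RADIUS host (here, access to the winbindd privileged pipe) rather than at password guessing, which matters when rejects feed lockout or alerting rules.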


