openLDAP & freeRADIUS
William E. Russell
wrussell at incnetworks.com
Fri Jun 27 16:55:43 CEST 2008
Below is the whole output.
I have two questions: 1. Is this correct because I kinda think this is the
problem. --> peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
2. How can I tell what MSCHAPv2 didn't like about the previous packet? I
still believe it is a password styled issue. I have tried NT hash,
cleartext, etc. nothing works.
Any help would be greatly appriecated! Thanks.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 10.2.1.55
netmask = 24
require_message_authenticator = no
secret = "inc123"
nastype = "other"
}
client 172.27.10.0/24 {
require_message_authenticator = no
secret = "inc123"
shortname = "172.27.10-network"
}
client 10.15.1.0/24 {
require_message_authenticator = no
secret = "inc123"
shortname = "10.15.1-network"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "incnetworks"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "localhost"
port = 389
password = ""
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=incnetworks,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "LDAPRADIUSPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x917f948
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201000a016e65774d45
Message-Authenticator = 0x196dd1b8cec5514107a36a5bac05e008
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for newME
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME)
expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
request done: ld 0x918b8d8 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=incnetworks,dc=com, with filter
(uid=newME)
request done: ld 0x918b8d8 msgid 2
rlm_ldap: Added User-Password = william in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute
Tunnel-Private-Group-Id:0 == "300"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute
Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0
== VLAN
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password ==
0x77696c6c69616d
rlm_ldap: looking for reply items in directory...
rlm_ldap: user newME authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887570bc1bb8ae83da2d1a3b270
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887570bc1bb8ae83da2d1a3b270
EAP-Message =
0x0202006a1900160301005f0100005b03014863dae5d75432419526716b23fb30267cbc133c
331a154fb249d9300860db3a00003400390038003500160013000a00330032002f0066000500
04006500640063006200610060001500120009001400110008000600030100
Message-Authenticator = 0xd29a5f613a0b34f71837d0809f9d4f31
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 08be], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message =
0x0103040019c000000b2d160301004a0200004603014863dae370aecd4d502255cd2a84d641
b3691e6ad19845eb5de232d2cb59e7f9207829cefcb1e7a7a8525be4b0eab40cf8d4de729ef9
892ad5aaf2cd70e8698dab00390016030108be0b0008ba0008b70003cb308203c7308202afa0
03020102020101300d06092a864886f70d01010405003081a6310b3009060355040613025553
311330110603550408130a4e6577204a6572736579311430120603550407130b4c6f6e672042
72616e6368311a3018060355040a1311696e634e4554574f524b532c20496e632e3124302206
092a864886f70d010901161561646d696e40696e636e6574776f
EAP-Message =
0x726b732e636f6d312a302806035504031321696e634e4554574f524b532043657274696669
6361746520417574686f72697479301e170d3038303632353137353535345a170d3039303632
353137353535345a30818d310b3009060355040613025553311330110603550408130a4e6577
204a6572736579311a3018060355040a1311696e634e4554574f524b532c20496e632e312730
250603550403131e696e634e4554574f524b5320536572766572204365727469666963617465
3124302206092a864886f70d010901161561646d696e40696e636e6574776f726b732e636f6d
30820122300d06092a864886f70d01010105000382010f003082
EAP-Message =
0x010a0282010100b8bee7171eb400a47c91f548021e04d1f229b4d1e0d5c849db759be47184
e786cea4d36c21fbf989d4092ec2205954bc529e27fdbda7a1bc42473e5ecd0eff940e153fac
67e0fe4fa96550f3abfbc04077c0fe90b5a458d23e8322caafacdd8fb22b801fee24ae9ca6dc
bbe52573f8541e7abb083e5ff355cf103312e03ce557b4a8bab706a07d7d91518e8bd2bdd8f7
056ca64dfc784195f39f17295a289937b831990bf3aedf68dd14881d381c5ba11e0205f45cc3
2c2b731f22aa1ad569f26660a4f0e9186168dfc52fdecd30649038fe79d856ec5bca5429d4ca
ae5312f4d7212272ed33f9960e796e2147b1466bc5d60ffa5a42
EAP-Message =
0x357ce9865d86800b2c430203010001a317301530130603551d25040c300a06082b06010505
070301300d06092a864886f70d010104050003820101002547cd57ee76bd9b515194c765e0f5
29c96d7bed1c30873662dd6ae39b45451045eb4d7a10ec93b94f79d16eed1a074eaf5152275d
1bca6aae8c9bc03be921407d4f1cc39feb61f3c46c9c6b212bc1a3db44eeb494cc59865c774b
70e50ade1ff4a873bc8f20ddb38ac5fa6eef4716fe912875a87ab4f2ad18f63c86fb9d3dce67
94fa514be846f3e820fbf94c3723c589b3973df4ac9f90b859da63ef1638c6b8ba61ef04eb30
d4c431c18066571a06ae9c89467f5bedf1788e8224a8eed64614
EAP-Message = 0xed648d2c9c9750f70291603c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887560ac1bb8ae83da2d1a3b270
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887560ac1bb8ae83da2d1a3b270
EAP-Message = 0x020300061900
Message-Authenticator = 0xe1ca9d3ecc4544fc8498b79d1f9338b6
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message =
0x010403fc1940fb47bf22bba6e1f56e3b2be24091664c37ecf49a4f5b02d19c6f8cad66bc7c
054e4b96b8e3d395ab7a7c2995f929231fa8fa0d0004e6308204e2308203caa0030201020209
0090dde38fbeb1c1d1300d06092a864886f70d01010505003081a6310b300906035504061302
5553311330110603550408130a4e6577204a6572736579311430120603550407130b4c6f6e67
204272616e6368311a3018060355040a1311696e634e4554574f524b532c20496e632e312430
2206092a864886f70d010901161561646d696e40696e636e6574776f726b732e636f6d312a30
2806035504031321696e634e4554574f524b5320436572746966
EAP-Message =
0x696361746520417574686f72697479301e170d3038303632353137353535325a170d303830
3732353137353535325a3081a6310b3009060355040613025553311330110603550408130a4e
6577204a6572736579311430120603550407130b4c6f6e67204272616e6368311a3018060355
040a1311696e634e4554574f524b532c20496e632e3124302206092a864886f70d0109011615
61646d696e40696e636e6574776f726b732e636f6d312a302806035504031321696e634e4554
574f524b5320436572746966696361746520417574686f7269747930820122300d06092a8648
86f70d01010105000382010f003082010a0282010100d1208462
EAP-Message =
0xea8fd84d9e185c03a179b2a9d1c1104c445e6c8439ec8f337993a677b16657cdf8b3b08495
3ef59ccf92f2a407ed96606db0cb84f1b6691a487c0e0f394ee3ef92bf8c30ffa27ff5b0ef8d
dc995c159118f248a81f56f604dd22a23dc6d7fa7caa6d3215ce35127bb79cae11f44c279d1e
c30a5b5fef759ad724c448e80a8528de383a00e81bff0716a15352ec2723b6602654516b83da
31ea7cba4fab100a278d63784e7d3da2a1883fd8de1d7057788903300ba47add6d3b56b8c75d
ed94a14df2cc93b9b2613f9d0fc04cc157a9eb7099485356da5b8da147604f4c718a173ac0f6
34170117f43a532bd2498e3889f952ce413e0631017243d03902
EAP-Message =
0x03010001a382010f3082010b301d0603551d0e0416041471984cf66dfaf43b99e9b1b8ba03
27c3a38622083081db0603551d230481d33081d0801471984cf66dfaf43b99e9b1b8ba0327c3
a3862208a181aca481a93081a6310b3009060355040613025553311330110603550408130a4e
6577204a6572736579311430120603550407130b4c6f6e67204272616e6368311a3018060355
040a1311696e634e4554574f524b532c20496e632e3124302206092a864886f70d0109011615
61646d696e40696e636e6574776f726b732e636f6d312a302806035504031321696e634e4554
574f524b5320436572746966696361746520417574686f726974
EAP-Message = 0x7982090090dde38f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887550dc1bb8ae83da2d1a3b270
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887550dc1bb8ae83da2d1a3b270
EAP-Message = 0x020400061900
Message-Authenticator = 0xa7553af17b7b33879dda04b44243f5bf
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message =
0x010503471900beb1c1d1300c0603551d13040530030101ff300d06092a864886f70d010105
05000382010100c48c67a9affe2f0b3cc9a3efd411b69605499b2454953152ffb978ec064d9d
1bd675316282e03b3940e50c80b186c6209a067b6d41825e8cc4a538e424aefae267bbbab105
477a63157690d20b3cc27dc0d8e072e100ba786746c9a49757078239cbc1f56a7f0e4ef9b881
ab77cb045dbafbd17c2266ff0003fbc1722254de079643cfb2d5de4c33ca45d335eeef7c836f
7ddc4577649c22fee7a37357a1ff7e51c862fb214f642f84b76a2257b5ed453cf15085987df7
c90622a1d28d5fe19fa7f8277d2e32d67346b3b6ce1b5cee9177
EAP-Message =
0x24f9738c6b74c5c6cce59145a0d9038dd953a91b43b638d31741095abe6f7ceccfae9b5e66
083086bf3802beac4229160301020d0c0002090080f6f39ebeef4713cf31ffa55c7b649b3f25
4c526b9aeadeb0dbcbeac7a273e480c030e623adb5336041ed1fdee34107c77807d03b407264
7eea1b908a107412f51ad72f21d941c677dd24303351001ea3b85b08a7c9e0399b53ac6dd152
1800e6c1cccd91d68c33fc624c2d629cde053b033382c210af06b42745ca9f51f8e04b000102
0080abac109fc540c884538ca35c4b6b47764cf269be201de13349900cd763b17feb59527966
727f963e9cb61d0d2c691183a2f2175907e45d1081e011bdb7a1
EAP-Message =
0x4dbbdeaf63c9be69c2d8796df141d69fc65cf1bc393f536dfa206baeb5401869c3c61a8efa
2058c4539bbeb1f7700df48d0b38aa462fe16951df9f0f7b650a61f60c0100627b666f16674e
1968065868376843303b6cef391d185c7841a2ba64f9c8f9186a2570e329cc849120cde21f6c
fb6871479b8199423cbe4bf5b0ddb81c5e496cd3f35e1bffcfaa8cdcf17cc7c47f00c27b1807
2e123fc4a159ea93acb9029fbeb2812e41388cf42e03832e4794c71b9e1dfdab563436988a17
6efcf3d6744036d111af91c9a72308e6869cbee9d2143078a56239f89798a0c591b8dc40e9f4
e357ca4a36335137de3ad95644c0ab8b26ab98e0c78c82d657a6
EAP-Message =
0x023428638ae4992265968f0a929e80ccd650d82df8af8f22ea83a3693b9a76525056bd3308
ea3fe33efbaac761e4fecd665a5c57ee80fb6e780f83aa81c2f8fa0f47e87253045416030100
040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887540cc1bb8ae83da2d1a3b270
Finished request 3.
Going to the next request
Waking up in 3.5 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887540cc1bb8ae83da2d1a3b270
EAP-Message =
0x020500cc19001603010086100000820080730f8d61efcc8d27b7253b7378745639a8abde94
b10901df83a8c2f397a8b7975dce45273b5b9c8c61adb75be948d5e0f74e964aa30cc0257186
77e689856f1cee2b8e298c80c23c5485716c9cbfda3cf409f356674b35578e4acade4af2732e
643cf0e57beabdbd29195fed7a6d3bcc74c1b9b2dd83093c82d04070eae39985140301000101
16030100302f01084a564d08fb60174d9ebcc44730a2a74d05f8c5f477fbb610b30dd6d7189f
c88b34e8790f12e2672b64b1ec3ffc
Message-Authenticator = 0xd748a6748bec76596e829b86b7a69b6f
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 204
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message =
0x0106004119001403010001011603010030c2d3b1aa2e22839b17ae374b3d11226b8fc4b953
aa3cfad00f22aafe669328d1cbc24e9512cffd0c6fd840bc4c8d8004
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887530fc1bb8ae83da2d1a3b270
Finished request 4.
Going to the next request
Waking up in 3.4 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887530fc1bb8ae83da2d1a3b270
EAP-Message = 0x020600061900
Message-Authenticator = 0x1eda821bf40068808ce340e5b9a1aa37
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
EAP-Message =
0x0107002b19001703010020f1cd4cca3933b6de7604a72b8a749037b9c278f832e282073ffe
984571d4ef79
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d887520ec1bb8ae83da2d1a3b270
Finished request 5.
Going to the next request
Waking up in 3.3 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d887520ec1bb8ae83da2d1a3b270
EAP-Message =
0x0207005019001703010020bf3a40a5b1e6800af9d4d1021a3eebd3a0968fcadcb426e714c3
7763805268581703010020775d23abc0e86c978c5f5c962d297798e094e41830f2be1e3b5256
00a4c6fc20
Message-Authenticator = 0x20b60734feebecc6229b631422bfaa18
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 7 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - newME
PEAP: Got tunneled identity of newME
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to newME
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 7 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for newME
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME)
expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=incnetworks,dc=com, with filter
(uid=newME)
request done: ld 0x918b8d8 msgid 3
rlm_ldap: Added User-Password = william in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute
Tunnel-Private-Group-Id:0 == "300"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute
Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0
== VLAN
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password ==
0x77696c6c69616d
rlm_ldap: looking for reply items in directory...
rlm_ldap: user newME authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
EAP-Message =
0x0108003b1900170301003055710cbfe022150dd25b8f60c6ee7d9052b0b7c28e7c8e462ab8
e0fa2a6595a16a66ab90422024d1524ddb735e555968
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d8875101c1bb8ae83da2d1a3b270
Finished request 6.
Going to the next request
Waking up in 3.3 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d8875101c1bb8ae83da2d1a3b270
EAP-Message =
0x0208005019001703010020e312832ce10c356d5ba80016b88820450b10ec41a4e42b6ec344
8d31e814703b170301002001ea1cd711762165d36a5fdf66e918082c6292adae7809e357a45f
b6ef9605c0
Message-Authenticator = 0xd6b1ee295256aadfc9ba4a2d8d1041ed
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Setting User-Name to newME
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for newME
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME)
expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=incnetworks,dc=com, with filter
(uid=newME)
request done: ld 0x918b8d8 msgid 4
rlm_ldap: Added User-Password = william in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute
Tunnel-Private-Group-Id:0 == "300"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute
Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0
== VLAN
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password ==
0x77696c6c69616d
rlm_ldap: looking for reply items in directory...
rlm_ldap: user newME authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
rlm_eap: Handler failed in EAP/mschapv2
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [newME/<via Auth-Type = EAP>] (from client 10.15.1-network
port 0 cli 00:1c:bf:86:6a:c4)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
EAP-Message =
0x0109002b190017030100203ff4efba26d43a2c69d7f1bb068e99fa148c805ac6dbee568371
2eb53b9cbd1c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5709d8875000c1bb8ae83da2d1a3b270
Finished request 7.
Going to the next request
Waking up in 3.3 seconds.
User-Name = "newME"
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = "00:0c:84:02:a2:59"
Calling-Station-Id = "00:1c:bf:86:6a:c4"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "NAP"
Connect-Info = "CONNECT 11Mbps 802.11b"
State = 0x5709d8875000c1bb8ae83da2d1a3b270
EAP-Message =
0x020900501900170301002085ba3da041ea8350f49ddbe34a8c6b920096ca37d0dc585eabf2
233a49fdf7481703010020c0248ee54f98c6f850fe30b28259038254f7ccb7b3056b5c50ed0d
81fc0bf629
Message-Authenticator = 0xd2885c1162e5d5da2923cb526e0bdd65
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "newME", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this
session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [newME/<via Auth-Type = EAP>] (from client 10.15.1-network
port 0 cli 00:1c:bf:86:6a:c4)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> newME
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.2 seconds.
Cleaning up request 0 ID 2 with timestamp +57
Cleaning up request 1 ID 4 with timestamp +57
Cleaning up request 2 ID 6 with timestamp +57
Waking up in 1.3 seconds.
Cleaning up request 3 ID 8 with timestamp +59
Waking up in 0.1 seconds.
Cleaning up request 4 ID 10 with timestamp +59
Cleaning up request 5 ID 12 with timestamp +59
Cleaning up request 6 ID 14 with timestamp +59
Cleaning up request 7 ID 16 with timestamp +59
Waking up in 1.0 seconds.
Cleaning up request 8 ID 18 with timestamp +59
Ready to process requests.
William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483
-----Original Message-----
From: freeradius-users-bounces+wrussell=incnetworks.com at lists.freeradius.org
[mailto:freeradius-users-bounces+wrussell=incnetworks.com at lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: Thursday, June 26, 2008 4:36 AM
To: FreeRadius users mailing list
Subject: Re: openLDAP & freeRADIUS
William E. Russell wrote:
> I have correctly set up freeRADIUS to read from my openLDAP. I can't
> seem to authenticate my user. I have narrowed down the error to a single
> line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of
> searching online, I have realized that all this means is that there was an
> error in the response packet.
Code 4 is MS-CHAP failure. It means that the client told the server
it didn't like the previous packet.
> I have no idea what error could have occurred.
> I believe it may have to do with the password_attribute. I read something
> documentation that said there was some issue with LDAP and passing a
> cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP.
> Any body have any insight in to this type of thing? If I could just get
some
> help on how to set up the LDAP and RADIUS, that would be great - I have
read
> just about every single tutorial so please don't direct me to one of
those.
> I need someone who has a similar set up - what did you use for password
> attribute?
userPassword.
Step 1: Get PEAP working with an entry in the "users" file.
Step 2: Get LDAP working with PAP (radclient). Verify that it
is NOT doing "bind as user"
Step 3: Verify that PEAP works against LDAP.
PLEASE show the debug output. The reason we ask for it is because it
is the DEFINITIVE explanation of what's going on, and the ONLY way to
help you solve the problem.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list