Unable to authenticate to Open Directory
Kerry Tobin
kwtobin at wisc.edu
Wed Nov 5 21:42:58 CET 2008
I trimmed this down some, although I'm sure it could be trimmed a lot
more...
Ready to process requests.
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=158, length=139
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x9c667cafd791e54213885defa1c14f5f
EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 158 to 72.33.52.18 port 1645
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ffcbe4309dcfe1624d52b4001437bc6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=159, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x2a97d54ce690c33ab793c9d08a60af28
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x9ffcbe4309dcfe1624d52b4001437bc6
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 1
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 159 to 72.33.52.18 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28e762b2e07141efde83bdebb85bb2c5
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=160, length=295
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xdb772428162765ec5ec66a0e883d323c
EAP-Message = 0x0204009e198000000094160301008f0100008b030
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x28e762b2e07141efde83bdebb85bb2c5
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 158
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 2
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 008f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 160 to 72.33.52.18 port 1645
EAP-Message = 0x0105040a19c0000006af160301004a020
EAP-Message = 0x0b3009060355040613025553311230100
EAP-Message = 0x5d6e4a169057cacdca0c241f7664b4ee3
EAP-Message = 0x0d06092a864886f70d010105050003818
EAP-Message = 0x20417574686f72697479301e170d3938303832323136
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6f4f1292aabb7bebdee1f88f31407af8
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=161, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x105bbd75eae3037f337d028796f90340
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x6f4f1292aabb7bebdee1f88f31407af8
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 161 to 72.33.52.18 port 1645
EAP-Message = 0x010602b51900343135315a170d31383038323231363
EAP-Message = 0x0f3a88e7bf14fde0c7b90203010001a382010930820
EAP-Message = 0x0101ff301a06092a864886f67d074100040d300b1b0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee3b3812e9ee0e12d7bdb69c59963942
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=162, length=345
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x859d480da5b4827c223dd8358789478c
EAP-Message = 0x020600d01980000000c6160301008610000082008036
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xee3b3812e9ee0e12d7bdb69c59963942
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 4
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 162 to 72.33.52.18 port 1645
EAP-Message = 0x0107004119001403010001011603010030f3769ba79
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd002e1d1d12a1423701aa22fd36caecb
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=163, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xc7607f7b1b4df6de6d61f3ab291f389f
EAP-Message = 0x020700061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xd002e1d1d12a1423701aa22fd36caecb
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 5
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 163 to 72.33.52.18 port 1645
EAP-Message = 0x0108002b190017030100204511cb4accee4ad2cbd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf59a14428dc50b51e681cead9795e59
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=164, length=196
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x3c6cc76368bbd0064007012bd9a56286
EAP-Message = 0x0208003b19001703010030435e58e7bc3f43b1004d
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xaf59a14428dc50b51e681cead9795e59
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 59
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - DOMAIN\testuser
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
PEAP: Got tunneled identity of DOMAIN\testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Sending tunneled request
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Cancelling proxy to realm DOMAIN2 until the tunneled EAP session has been established
PEAP: Processing from tunneled session code 0x3d1130 11
EAP-Message = 0x010900291a010900241023e844fb299922328bcd9afb85
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2eccb033105fdb6a479a942749c87c81
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 164 to 72.33.52.18 port 1645
EAP-Message = 0x0109004b190017030100407a57237c993df0b86a51e4e9d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x297dcaf7b8e27012949b741e7450c53d
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=165, length=244
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x85fc0a7a6f33fd4e6ae3c878b1899924
EAP-Message = 0x0209006b190017030100608ff942023de3a18f37dcdd
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x297dcaf7b8e27012949b741e7450c53d
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Adding old state with 2e cc
PEAP: Sending tunneled request
EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
State = 0x2eccb033105fdb6a479a942749c87c81
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 74
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Not-EAP proxy set. Not composing EAP
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
PEAP: Tunneled authentication will be proxied to DOMAIN2
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
Tunneled session will be proxied. Not doing EAP.
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Request of id 0 to 128.104.117.22 port 1812
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
MS-CHAP-Challenge = 0x23e844fb299922328bcd9afb85604ade
MS-CHAP2-Response = 0x09494473091d3995ad42145fd87434bc693200000000
Proxy-State = 0x313635
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 128.104.117.22:1812, id=0, length=76
MS-CHAP2-Success = 0x09533d46414634414241314436303436383634313932
Proxy-State = 0x313635
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
PEAP: Passing reply from proxy back into the tunnel.
PEAP: Passing reply back for EAP-MS-CHAP-V2 0x3d2d80 2
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x3d2d80 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
modcall[post-proxy]: module "eap" returns ok for request 7
modcall: leaving group post-proxy (returns ok) for request 7
POST-PROXY 2
POST-AUTH 2
PEAP: Final reply from tunneled session code 11
Proxy-State = 0x313635
EAP-Message = 0x010a00331a0309002e533d46414634414241314436303
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x33ada0ae4018cfd21fc1676f5cde8477
PEAP: Got reply 11
PEAP: Processing from tunneled session code 0x3d2ca0 11
Proxy-State = 0x313635
EAP-Message = 0x010a00331a0309002e533d464146344142413144363
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x33ada0ae4018cfd21fc1676f5cde8477
PEAP: Got tunneled Access-Challenge
PEAP: Reply was handled
modcall[post-proxy]: module "eap" returns ok for request 7
modcall: leaving group post-proxy (returns ok) for request 7
Sending Access-Challenge of id 165 to 72.33.52.18 port 1645
EAP-Message = 0x010a005b19001703010050ab3d27c44ba17259fa4f5a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166, length=180
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xcc902bdbb6da0a2113692c7cbe6f0e22
EAP-Message = 0x020a002b190017030100202fd67124633b5504682f
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 43
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 8
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00061a03
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Adding old state with 33 ad
PEAP: Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
State = 0x33ada0ae4018cfd21fc1676f5cde8477
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 8
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
PEAP: Can't handle the return code 4
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [testuser] (from client BiochemWireless port 26830 cli 001f.5bbe.f006)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166, length=180
Sending Access-Reject of id 166 to 72.33.52.18 port 1645
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 158 with timestamp 49120210
Cleaning up request 1 ID 159 with timestamp 49120210
Cleaning up request 2 ID 160 with timestamp 49120210
Cleaning up request 3 ID 161 with timestamp 49120210
Cleaning up request 4 ID 162 with timestamp 49120210
Cleaning up request 5 ID 163 with timestamp 49120210
Cleaning up request 6 ID 164 with timestamp 49120210
Cleaning up request 7 ID 165 with timestamp 49120210
Cleaning up request 8 ID 166 with timestamp 49120210
Nothing to do. Sleeping until we see a request.
^C
sh-3.2#
Kerry Tobin
>
> ------------------------------
>
> Message: 4
> Date: Wed, 05 Nov 2008 16:24:44 +0100
> From: <tnt at kalik.net>
> Subject: Re: Freeradius-Users Digest, Vol 43, Issue 17
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <wdb2w2Tp.1225898684.9428930.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
>> OK, I think I'm another step closer now. I made the suggested change
>> and there was no change in the logs. EAP still was not being done on
>> the local machine and was failing on the proxy. However, I tried
>> creating a second domain, set the original domain to go to LOCAL and
>> the second domain to go to the proxy server. When I do that the proxy
>> properly authenticates to Open Directory, step one. However,
>> eventually I get a failure in rlm_eap again.
>>
>> modcall: entering group authenticate for request 8
>> rlm_eap: Request not found in the list
>> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
>> EAP-request
>> rlm_eap: Failed in handler
>>
>> Am I on to the beginning of a solution by using two domains or do I
>> need to go back and then change something else?
>>
>
> Can you post both debugs from the server that is terminating eap. You can
> start with the request before it decides to proxy (you can leave out
> eap-tls tunnel creation).
>
> Ivan Kalik
> Kalik Informatika ISP
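
An added example, not part of the original post: a small decoder for the `EAP-Message` values printed in the debug output above. It shows that the tunneled message that ends in "Request not found in the list" is the client's MS-CHAPv2 Success response, and that the Access-Reject carries an EAP Failure. The function names are assumptions; the hex values are copied from the log, including one the poster trimmed.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hex_value):
    """Decode the EAP header of an 'EAP-Message = 0x...' debug value.
    The value may have been cut short when the log was trimmed."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    digits = digits[: len(digits) - len(digits) % 2]  # drop a dangling nibble
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("need at least the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(raw) < length, "type": None, "opcode": None}
    if code in (1, 2) and len(raw) >= 5:  # only Request/Response carry a Type
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 26 and len(raw) >= 6:  # type 26 data starts with an OpCode
            info["opcode"] = MSCHAPV2_OPCODES.get(raw[5], raw[5])
    return info

def eap_messages(debug_text):
    """Return the decoded EAP header of every EAP-Message line, in log order."""
    return [decode_eap(m.group(1))
            for m in re.finditer(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_text)]

# Lines copied from the debug output in the post (first value is trimmed there).
SAMPLE = """\
EAP-Message = 0x010a00331a0309002e533d464146344142413144363
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00061a03
Sending Access-Reject of id 166 to 72.33.52.18 port 1645
EAP-Message = 0x040a0004
"""

if __name__ == "__main__":
    for msg in eap_messages(SAMPLE):
        print(msg)
```
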