FreeRADIUS and Active Directory

Tomas tomas.radius at googlemail.com
Thu Feb 19 10:57:53 CET 2009


Hi,

I believe I did all I had to do to enable my FreeRADIUS server to talk to
Windows AD.

##########################################################
Kerberos:
root@radius:/home/radius# kinit Administrator@AD.LAB.COM
Password for Administrator@AD.LAB.COM: 
root@radius:/home/radius# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD.LAB.COM

Valid starting     Expires            Service principal
02/19/09 09:44:44  02/19/09 19:44:51  krbtgt/AD.LAB.COM@AD.LAB.COM
        renew until 02/20/09 09:44:44


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
##########################################################
ntlm_auth:
root@radius:/home/radius# ntlm_auth --request-nt-key --domain=AD.LAB.COM --username=Administrator
password: 
NT_STATUS_OK: Success (0x0)
##########################################################

I made changes to my FreeRADIUS configuration according to
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
(I had to change the names of the .pem files in eap.conf to match my certificates).
This is my eap.conf (minus the comments and empty lines):
        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/server.pem
                        certificate_file = ${raddbdir}/certs/server.pem
                        CA_file = ${raddbdir}/certs/ca.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        # random_file is set twice; the radiusd -X output below shows the first value being used
                        random_file = /dev/urandom
                }

                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }


So here I am, trying to authenticate using my AD username and password,
and having no joy :(


radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Jan 19 2009 at 13:48:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /home/radius/etc/raddb/radiusd.conf
including configuration file /home/radius/etc/raddb/proxy.conf
including configuration file /home/radius/etc/raddb/clients.conf
including files in directory /home/radius/etc/raddb/modules/
including configuration file /home/radius/etc/raddb/modules/etc_group
including configuration file /home/radius/etc/raddb/modules/files
including configuration file /home/radius/etc/raddb/modules/expiration
including configuration file /home/radius/etc/raddb/modules/detail.log
including configuration file /home/radius/etc/raddb/modules/smbpasswd
including configuration file /home/radius/etc/raddb/modules/chap
including configuration file /home/radius/etc/raddb/modules/mschap
including configuration file /home/radius/etc/raddb/modules/ippool
including configuration file /home/radius/etc/raddb/modules/digest
including configuration file /home/radius/etc/raddb/modules/radutmp
including configuration file /home/radius/etc/raddb/modules/realm
including configuration file /home/radius/etc/raddb/modules/attr_rewrite
including configuration file /home/radius/etc/raddb/modules/echo
including configuration file /home/radius/etc/raddb/modules/policy
including configuration file /home/radius/etc/raddb/modules/mac2vlan
including configuration file /home/radius/etc/raddb/modules/sql_log
including configuration file /home/radius/etc/raddb/modules/preprocess
including configuration file /home/radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/radius/etc/raddb/modules/krb5
including configuration file /home/radius/etc/raddb/modules/pam
including configuration file /home/radius/etc/raddb/modules/wimax
including configuration file /home/radius/etc/raddb/modules/linelog
including configuration file /home/radius/etc/raddb/modules/always
including configuration file /home/radius/etc/raddb/modules/exec
including configuration file /home/radius/etc/raddb/modules/inner-eap
including configuration file /home/radius/etc/raddb/modules/checkval
including configuration file /home/radius/etc/raddb/modules/passwd
including configuration file /home/radius/etc/raddb/modules/expr
including configuration file /home/radius/etc/raddb/modules/perl
including configuration file /home/radius/etc/raddb/modules/detail.example.com
including configuration file /home/radius/etc/raddb/modules/pap
including configuration file /home/radius/etc/raddb/modules/ldap
including configuration file /home/radius/etc/raddb/modules/unix
including configuration file /home/radius/etc/raddb/modules/detail
including configuration file /home/radius/etc/raddb/modules/counter
including configuration file /home/radius/etc/raddb/modules/sradutmp
including configuration file /home/radius/etc/raddb/modules/attr_filter
including configuration file /home/radius/etc/raddb/modules/mac2ip
including configuration file /home/radius/etc/raddb/modules/logintime
including configuration file /home/radius/etc/raddb/modules/acct_unique
including configuration file /home/radius/etc/raddb/eap.conf
including configuration file /home/radius/etc/raddb/sql.conf
including configuration file /home/radius/etc/raddb/sql/mysql/dialup.conf
including configuration file /home/radius/etc/raddb/sql/mysql/counter.conf
including configuration file /home/radius/etc/raddb/policy.conf
including files in directory /home/radius/etc/raddb/sites-enabled/
including configuration file /home/radius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /home/radius/etc/raddb/sites-enabled/default
including dictionary file /home/radius/etc/raddb/dictionary
main {
	prefix = "/home/radius"
	localstatedir = "/home/radius/var"
	logdir = "/home/radius/var/log/radius"
	libdir = "/home/radius/lib"
	radacctdir = "/home/radius/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/home/radius/var/run/radiusd/radiusd.pid"
	checkrad = "/home/radius/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client 192.168.0.50 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "Procurve2824"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/home/radius/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/home/radius/etc/raddb/certs/server.pem"
	certificate_file = "/home/radius/etc/raddb/certs/server.pem"
	CA_file = "/home/radius/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/home/radius/etc/raddb/certs/dh"
	random_file = "/home/radius/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/home/radius/etc/raddb/users"
	acctusersfile = "/home/radius/etc/raddb/acct_users"
	preproxy_usersfile = "/home/radius/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/home/radius/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/home/radius/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/home/radius/etc/raddb/huntgroups"
	hints = "/home/radius/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/home/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/home/radius/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=145, length=219
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	EAP-Message = 0x0202000d0141445c746f6d6173
	Message-Authenticator = 0x6284ee873372cae375d55f623802b513
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 145 to 192.168.0.50 port 1024
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a77313314b7c55c3e8534adf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=146, length=304
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a77313314b7c55c3e8534adf
	EAP-Message = 0x0203005019800000004616030100410100003d0301499d286e3a35671559855ef2c8bef05802fabc183a42eb4b669d9e474e085ba900001600040005000a000900640062000300060013001200630100
	Message-Authenticator = 0x46b2eaa942dba96799d4336312d6c698
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 146 to 192.168.0.50 port 1024
	EAP-Message = 0xa73082038fa0030201020209
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a67413314b7c55c3e8534adf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=147, length=230
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a67413314b7c55c3e8534adf
	EAP-Message = 0x020400061900
	Message-Authenticator = 0xaa295b159651be4a3e1a80fde7805ea7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 147 to 192.168.0.50 port 1024
	EAP-Message = 0x010503fc19400094a001b5eb25441d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303131393134333032365a170d3130303131393134333032365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
	EAP-Message = 0x5f8391f0cafc40c7
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a57513314b7c55c3e8534adf
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=148, length=230
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a57513314b7c55c3e8534adf
	EAP-Message = 0x020500061900
	Message-Authenticator = 0x34ca3ab594dd2c388a8df2f3da5faed6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 148 to 192.168.0.50 port 1024
	EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a47613314b7c55c3e8534adf
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=149, length=546
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a47613314b7c55c3e8534adf
	EAP-Message = 0x642d63cce135fa576f57f33de4bb616254ea741a3a8208811403010001011603010020f1391a72bcb5f269d5ada83203e8331fee69e6868c4a8d0d31943c7c6305ec99
	Message-Authenticator = 0x1a1423af25e5958dee7cd9461c03528e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 149 to 192.168.0.50 port 1024
	EAP-Message = 0x0107003119001403010001011603010020b495378da34cbeed0a1086ff1286b15a94a2192612e0c0297da1b7de831a43f9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a37713314b7c55c3e8534adf
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=150, length=230
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a37713314b7c55c3e8534adf
	EAP-Message = 0x020700061900
	Message-Authenticator = 0x9eac8aa44c87e5f81ddbb063c1a035df
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 150 to 192.168.0.50 port 1024
	EAP-Message = 0x01080020190017030100156326f7e95daa4403b150b4d521beb8d093cbd081e3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a27813314b7c55c3e8534adf
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=151, length=260
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a27813314b7c55c3e8534adf
	EAP-Message = 0x02080024190017030100193dd421cda8cc1de66a7b0b59210efb5ca9d83c3ff457175d04
	Message-Authenticator = 0x691b308cd5d03042fefeac42e8e0f48d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - AD\tomas
[peap] Got tunneled request
	EAP-Message = 0x0208000d0141445c746f6d6173
server  {
  PEAP: Got tunneled identity of AD\tomas
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to AD\tomas
Sending tunneled request
	EAP-Message = 0x0208000d0141445c746f6d6173
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "AD\\tomas"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry AD\tomas at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc45c7e91c455641081f4392f87dbe9b5
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc45c7e91c455641081f4392f87dbe9b5
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 151 to 192.168.0.50 port 1024
	EAP-Message = 0x010900391900170301002e6fca7a90a0460e344377af0758cf4bce22ea505a7d792f6205364e13335debd60d8c6db5cf055f9b3f63ba4f7c3d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a17913314b7c55c3e8534adf
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=152, length=314
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a17913314b7c55c3e8534adf
	EAP-Message = 0x0209005a1900170301004faad232040b1f6cccf41600b3a8dd5770d01f143ad5c343d50640de3f45460e946e6c6b801b5579f1cfe37c467deb86c87b4e34e1887859ebed92d93894b4d899c70d0d548e108231fe98af12711890
	Message-Authenticator = 0x6343ce9f44b16b4a87de883a0f0d2906
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173
server  {
  PEAP: Setting User-Name to AD\tomas
Sending tunneled request
	EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "AD\\tomas"
	State = 0xc45c7e91c455641081f4392f87dbe9b5
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry AD\tomas at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 152 to 192.168.0.50 port 1024
	EAP-Message = 0x010a00261900170301001bb96920ded224eba0158d4d22140428c0ef2269ff50fc41776ab22a
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa7700ab4a07a13314b7c55c3e8534adf
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=153, length=262
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "AD\\tomas"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xa7700ab4a07a13314b7c55c3e8534adf
	EAP-Message = 0x020a00261900170301001bc2d3a7dd4ad6836c4a105f8303ad99757ed6a51e896ea183e104a1
	Message-Authenticator = 0x3ac13246949bddb5666ab5a4b7b1e16b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> AD\tomas
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 153 to 192.168.0.50 port 1024
	EAP-Message = 0x040a0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 145 with timestamp +11
Cleaning up request 1 ID 146 with timestamp +11
Cleaning up request 2 ID 147 with timestamp +11
Cleaning up request 3 ID 148 with timestamp +11
Cleaning up request 4 ID 149 with timestamp +11
Cleaning up request 5 ID 150 with timestamp +11
Cleaning up request 6 ID 151 with timestamp +11
Cleaning up request 7 ID 152 with timestamp +11
Waking up in 0.9 seconds.
Cleaning up request 8 ID 153 with timestamp +11
Ready to process requests.

I am really new to this RADIUS business and would really appreciate it if somebody could point me in the right direction.

Thanks very much!
Tomas
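A small triage script for the kind of `radiusd -X` output pasted above, added here as an example (it is not part of the post, nor of the FreeRADIUS project). It assumes the FreeRADIUS 2.x debug format shown in the log, splits the output into requests, records which module returned which code in which virtual server, and flags the lines that explain an inner-tunnel reject: the `with_ntdomain_hack` hint, the `MS-CHAP-Error` code (named per RFC 2759), the `users` file entry that matched, and whether `rlm_mschap` compared against a locally stored NT-Password rather than calling `ntlm_auth`. The embedded sample log is a constructed excerpt modelled on requests 152 and 153 above; the `MSCHAP_ERRORS` table and the hint explanations are the example's own.

```python
"""Triage helper for FreeRADIUS 2.x `radiusd -X` debug output (added example).

Groups the log into requests, records every `++[module] returns rcode` line
with the virtual server it ran in, and flags the lines that explain a
PEAP/MS-CHAPv2 inner-tunnel reject.  The debug format is assumed to be the
2.x format from the post; SAMPLE_LOG is a constructed excerpt of it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)")
SEND_RE = re.compile(r"^Sending (?P<code>Access-\w+) of id (?P<id>\d+)")
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)")
SERVER_RE = re.compile(r"^server (?P<name>\S*)\s*\{")       # "server  {" is the unnamed default server
SERVER_END_RE = re.compile(r"^\} # server (?P<name>\S+)")
USERS_RE = re.compile(r"^\[files\] users: Matched entry (?P<entry>\S+) at line (?P<line>\d+)")
MSCHAP_ERR_RE = re.compile(r"MS-CHAP-Error = .*E=(?P<code>\d+) R=(?P<retry>\d)")

# MS-CHAP failure codes as named in RFC 2759 section 6 (example's own table).
MSCHAP_ERRORS: Dict[int, str] = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Substrings of rlm_mschap / rlm_eap_peap debug lines and what they mean (example's own wording).
KNOWN_HINTS: Dict[str, str] = {
    "NT Domain delimeter found": "mschap saw DOMAIN\\user; consider with_ntdomain_hack = yes",
    "with NT-Password": "inner mschap compared a locally stored NT-Password, not ntlm_auth against AD",
    "Tunneled authentication was rejected": "inner tunnel rejected; outer PEAP sends a TLV failure next",
}


@dataclass
class Request:
    packet_id: str
    host: str
    results: List[Tuple[str, str, str]] = field(default_factory=list)  # (server, module, rcode)
    matched_users_entry: Optional[str] = None
    mschap_error: Optional[int] = None
    flags: List[str] = field(default_factory=list)
    outcome: Optional[str] = None  # Access-Challenge / Access-Accept / Access-Reject


def parse_debug_log(text: str) -> List[Request]:
    """Walk the debug output and build one Request per rad_recv block."""
    requests: List[Request] = []
    current: Optional[Request] = None
    server_stack = ["default"]
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            current = Request(packet_id=m.group("id"), host=m.group("host"))
            requests.append(current)
            server_stack = ["default"]  # reset in case the outer "server {" was never closed
            continue
        if current is None:
            continue
        m = SERVER_RE.match(line)
        if m:
            server_stack.append(m.group("name") or "default")
            continue
        if SERVER_END_RE.match(line):
            if len(server_stack) > 1:
                server_stack.pop()
            continue
        m = MODULE_RE.match(line)
        if m:
            current.results.append((server_stack[-1], m.group("module"), m.group("rcode")))
            continue
        m = USERS_RE.match(line)
        if m:
            current.matched_users_entry = f"{m.group('entry')} (users line {m.group('line')})"
            continue
        m = MSCHAP_ERR_RE.search(line)
        if m and current.mschap_error is None:
            current.mschap_error = int(m.group("code"))
        m = SEND_RE.match(line)
        if m:
            current.outcome = m.group("code")
        for needle, explanation in KNOWN_HINTS.items():
            if needle in line and explanation not in current.flags:
                current.flags.append(explanation)
    return requests


def explain_reject(req: Request) -> List[str]:
    """Human-readable reasons a request ended in reject/invalid."""
    notes = [f"{module} returned {rcode} in server '{server}'"
             for server, module, rcode in req.results if rcode in ("reject", "invalid", "fail")]
    if req.matched_users_entry:
        notes.append(f"users file entry matched: {req.matched_users_entry}")
    if req.mschap_error is not None:
        notes.append(f"MS-CHAP-Error E={req.mschap_error} ({MSCHAP_ERRORS.get(req.mschap_error, 'unknown')})")
    notes.extend(req.flags)
    return notes


# Constructed excerpt modelled on the failing inner-tunnel exchange in the post.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=152, length=314
	User-Name = "AD\\tomas"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns ok
+- entering group authenticate {...}
[peap] Got tunneled request
server  {
server inner-tunnel {
++[mschap] returns noop
[files] users: Matched entry AD\tomas at line 206
++[files] returns ok
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
	MS-CHAP-Error = "\tE=691 R=1"
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 152 to 192.168.0.50 port 1024
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=153, length=262
++[preprocess] returns ok
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
++[eap] returns invalid
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 153 to 192.168.0.50 port 1024
"""

if __name__ == "__main__":
    for req in parse_debug_log(SAMPLE_LOG):
        print(f"id={req.packet_id} from {req.host}: {req.outcome}")
        for note in explain_reject(req):
            print("  -", note)
```

Run on the full debug output (`radiusd -X 2>&1 | tee debug.log`, then pass the file contents to `parse_debug_log`) the script points at the inner-tunnel `mschap` reject and at the two lines that matter for an AD integration: the request matched a `users` entry with a stored NT-Password, so the comparison never went through `ntlm_auth`, and the domain prefix in the user name triggered the `with_ntdomain_hack` hint.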