Some help with etc_smbpasswd auth and eap ttls
Josh Hiner
josh at remc1.org
Wed Jan 7 06:22:28 CET 2009
Trying to configure EAP-TTLS with MSCHAPv2 using FreeRADIUS version 1.1.3
on Red Hat Enterprise Linux 5.
I have configured everything and gotten FreeRADIUS to authenticate off
/etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
run into is when I switch the SecureW2 Windows XP EAP-TTLS client to use
the current logged-on user credentials. Then SecureW2 sends the
username in the format DOMAIN/user (which in this case is HTN/josh).
Authentication then fails because of this extra domain part in the user.
OK, fine: I first enabled the nt_domain_hack in the mschap module, then I
configured realm ntdomain and simply set a default realm in proxy.conf
to strip off the domain part. Nope, that fails (output is included
below). I also tried nostrip, but that also fails, obviously. I also tried
silently stripping the domain in preprocess in radiusd.conf. Auth is
successful but finally rejected because the user doesn't match the
original HTN/josh user sent.
Finally, I simply added the username and password I was testing to the
users file. It works there. My default realm strips the domain, proxies
it back to localhost, authenticates off the users file and is successful.
Arrgh, what am I doing wrong? I really need to use the etc_smbpasswd
module as I can't get ntlm_auth to work. It says no logon servers found.
I think it's because I am running it on the actual Samba server I want to
auth off of.
Anyway, does anyone know how to get the etc_smbpasswd module to work? I don't
want to use the users file (blech) even though it does work when I put
the user in there, and again, if I just supply the username and password
(and leave the domain part blank in the SecureW2 TTLS client) authentication
does work off /etc/samba/smbpasswd.
Here is the /usr/sbin/radiusd -X output. Sorry it's long. Below that I
will put the relevant lines of config. Thanks a ton for any help. -Josh
[root at file raddb]# /usr/sbin/radiusd -s -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server_key.pem"
tls: certificate_file = "/etc/raddb/certs/server_cert.pem"
tls: CA_file = "/etc/raddb/certs/cacert.pem"
tls: private_key_password = "serverH08ght0n23kip"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "mschapv2"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = yes
Module: Instantiated realm (suffix)
realm: format = "prefix"
realm: delimiter = "\"
realm: ignore_default = no
realm: ignore_null = yes
Module: Instantiated realm (ntdomain)
Module: Loaded passwd
passwd: filename = "/etc/samba/smbpasswd"
passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
passwd: authtype = "MS-CHAP"
passwd: delimiter = ":"
passwd: ignorenislike = no
passwd: ignoreempty = yes
passwd: allowmultiplekeys = no
passwd: hashsize = 100
rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (etc_smbpasswd)
passwd: filename = "/etc/group"
passwd: format = "=Group-Name:::*,User-Name"
passwd: authtype = "(null)"
passwd: delimiter = ":"
passwd: ignorenislike = yes
passwd: ignoreempty = yes
passwd: allowmultiplekeys = yes
passwd: hashsize = 50
rlm_passwd: nfields: 4 keyfield 3(User-Name) listable: yes
Module: Instantiated passwd (etc_group)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=104, length=202
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201000d0148544e5c6a6f7368
Message-Authenticator = 0xdf195f238143503d49244d6203620b10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0
modcall[authorize]: module "etc_group" returns notfound for request 0
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 104 to 10.100.13.12 port 19527
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x61bf2476da0a8dbee700d7b52748377c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=105, length=263
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
State = 0x61bf2476da0a8dbee700d7b52748377c
EAP-Message =
0x020200381500160301002d010000290301e9a07acc81410bcdf08077330d07ad8f018e56a6641624ec64a66da3f79bd121000002000a0100
Message-Authenticator = 0x0334fb063e9a6d53bd8682ba37d0620e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 56
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 1
modcall[authorize]: module "etc_group" returns notfound for request 1
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 03d2], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 105 to 10.100.13.12 port 19527
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x0103040a15c00000042f160301004a02000046030149642f7ba9e448ca30ab30a9b6ed817c8aff8c408e4023e6940c762c1f36a6de20e1a7c54190eaf152b7593b2b138e0c050f4d101a4e1791b3f21981bd0acbe
EAP-Message =
0x092a864886f70d010901161972656d637374616666406c697374732e72656d63312e6e6574301e170d3038313231353230323332365a170d3138313231333230323332365a308198310b300906035504061302555
EAP-Message =
0x82010100a721638f80275c7d8c29f90e3669da66da29a4dcb0e6d18b17c9349bd6eb88e205da76218efdf67065ee07977b86ccfbc278e1c229e5f9f32340cc2a04dc418528588e667ccb783bc13133bc15a0a0936
EAP-Message =
0xd5652a17fa2f1b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010064900d552e6d98d35cde88dc41403c05fb45c2a2bdb2f5d6f9f0fdc
EAP-Message = 0x21eaab40c755b46a6e7892ae526d055d6da3c8c3190a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x60ab04b8fd2e304f5d42050b620e1513
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=106, length=213
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
State = 0x60ab04b8fd2e304f5d42050b620e1513
EAP-Message = 0x020300061500
Message-Authenticator = 0x85c0f98d60c740ec669de9a9c7da4986
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 2
modcall[authorize]: module "etc_group" returns notfound for request 2
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 106 to 10.100.13.12 port 19527
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x0104003915800000042f639f242a6f6541ec7b1afbb86af1958c2e4ed1ab48a226b2d15b08e4b7887f25691e005162bd16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xabc302506c895702968419cddb2c0be9
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=107, length=533
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
State = 0xabc302506c895702968419cddb2c0be9
EAP-Message =
0x020401441500160301010610000102010037c452398dbb3df5559e7ef631f93adac1c31949e8b2e189e656c42563825fedb650c87be7a05cfa2b6ab6d25b111dfb5ed36ceafc6a81c2d90982bc4b9514fc25cca8f
EAP-Message =
0xb50e2ba24d87acf465b6923ae7229fe4e011258f1403010001011603010028faee95c6e785c7a0c1f7794e71c76e67ff5ba2f4006e2aa188af3b9da28d6e2419833ca0820678c1
Message-Authenticator = 0xc0ff62f05516e184511c415d87cbbc2c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 3
modcall[authorize]: module "etc_group" returns notfound for request 3
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 107 to 10.100.13.12 port 19527
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x0105003d1580000000331403010001011603010028721fb19555db97969e579863ff1f6fce4169183c7a0abb3ea443be416f722adbc21b355b7ac01a45
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe4bddc9ecec467abc03da29934752e16
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=108, length=290
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
State = 0xe4bddc9ecec467abc03da29934752e16
EAP-Message =
0x02050053150017030100485562de8771e70ff92e34bb96bf0f6c24b6e6aca70841355cc05a96146c524e1c2b177149e577817012b73f9bb41d96639692cbab41f711878b16e20d5a7c04b16bc67577457b2d47
Message-Authenticator = 0x37c5fec48b0fa7f5c14dddc680e8c4f2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 4
rlm_eap: EAP packet type response id 5 length 83
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 4
modcall[authorize]: module "etc_group" returns notfound for request 4
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
EAP-Message = 0x0200000d0148544e5c6a6f7368
Message-Authenticator = 0x00000000000000000000000000000000
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Got tunneled identity of HTN\josh
TTLS: Setting default EAP type for tunneled EAP session.
TTLS: Sending tunneled request
EAP-Message = 0x0200000d0148544e5c6a6f7368
Message-Authenticator = 0x00000000000000000000000000000000
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "HTN\\josh"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 4
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 4
modcall[authorize]: module "etc_group" returns notfound for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall[authorize]: module "mschap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
TTLS: Got tunneled reply RADIUS code 11
EAP-Message =
0x010100221a0101001d1023197ffb3fbee0431fa33dd4ffe6ee4848544e5c6a6f7368
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9023e8d5cfb89d9eedf0b95ea0ea8077
TTLS: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 108 to 10.100.13.12 port 19527
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x0106007415800000006a170301001869103bd6a2fc06d853c018dec840fcee432f605b3bbd5c7b170301004882ddab817db15367d699b45444ae600ef8afaba3ca3c2eae0b4be817885fde9ab28ecedeca71e5371
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc1a3900bb47d4eeed37494a4af610f6a
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.100.13.12:19527, id=109, length=346
User-Name = "HTN\\josh"
Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff"
Calling-Station-Id = "00-0E-35-B6-74-AF"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 10.100.13.12
NAS-Identifier = "Houghton Wireless Services"
NAS-Port-Id = "HTNStaff"
Connect-Info = "CONNECT 54Mbps 802.11g"
State = 0xc1a3900bb47d4eeed37494a4af610f6a
EAP-Message =
0x0206008b15001703010080ec308e1a81a20c80b07a9399135ce92cb9856ea5b98bf1d18e5b53c8959c899f7e0a5ac3cb31cd966591961318eb728dc0cdc95c3a09318920c6f9fba21b88827380f0ca91a8b66b9da
Message-Authenticator = 0x24e4740de40c15633d63d47b2e2dcc5e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 139
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 5
modcall[authorize]: module "etc_group" returns notfound for request 5
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
EAP-Message =
0x020100431a0201003e310fc0026c362449dfb52a48226b9bf58e000000000000000055a52026985b92247cf83d076fd500b15479fccd5f204f5f0048544e5c6a6f7368
Message-Authenticator = 0x00000000000000000000000000000000
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Adding old state with 90 23
TTLS: Sending tunneled request
EAP-Message =
0x020100431a0201003e310fc0026c362449dfb52a48226b9bf58e000000000000000055a52026985b92247cf83d076fd500b15479fccd5f204f5f0048544e5c6a6f7368
Message-Authenticator = 0x00000000000000000000000000000000
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "HTN\\josh"
State = 0x9023e8d5cfb89d9eedf0b95ea0ea8077
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "josh"
rlm_realm: Proxying request from user josh to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 5
rlm_eap: EAP packet type response id 1 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 5
modcall[authorize]: module "etc_group" returns notfound for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 5
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for josh with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: leaving group MS-CHAP (returns reject) for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: leaving group authenticate (returns reject) for request 5
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\001E=691 R=1"
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
TTLS: Freeing handler for user HTN\josh
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 104 with timestamp 49642f7a
Sending Access-Reject of id 109 to 10.100.13.12 port 19527
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
[root at file raddb]#
Relevant lines of config (all else is pretty much default).

proxy.conf:
realm DEFAULT {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	# authhost = radius.company.com:1600
	# accthost = radius.company.com:1601
	secret = testing123
	# nostrip
}
In radiusd.conf, here is my etc_smbpasswd section:

passwd etc_smbpasswd {
	filename = /etc/samba/smbpasswd
	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	authtype = MS-CHAP
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}
My ntdomain realm definition:

realm ntdomain {
	format = prefix
	delimiter = "\\"
	ignore_default = no
	ignore_null = yes
}
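As an added illustration (my own Python model, not FreeRADIUS or rlm_passwd code), here is how a format string like the ones in the etc_smbpasswd and etc_group instances above selects a key column and maps the other columns onto attributes. It assumes the key is matched by exact string comparison against the request attribute the format names, which is why a User-Name of HTN\josh finds no line whose first column is josh while a Stripped-User-Name of josh does; the smbpasswd and group lines, and the hashes in them, are constructed placeholders.

```python
# Added example, not FreeRADIUS code: a model of an rlm_passwd-style flat-file lookup.
# Assumed format semantics: '*' marks the single key column, '*,' a key column that
# holds a comma-separated list, '=' / '~' a check or reply item (both kept as plain
# attributes here), and a column with no name is ignored.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PasswdFormat:
    fields: List[str]      # attribute name per column ("" = ignored column)
    key_field: int         # index of the column marked with '*'
    key_is_list: bool      # True for '*,': key column is a comma-separated list
    delimiter: str


def parse_format(fmt: str, delimiter: str = ":") -> PasswdFormat:
    """Parse a format string such as "*User-Name::LM-Password:NT-Password:..."."""
    fields: List[str] = []
    key_field: Optional[int] = None
    key_is_list = False
    for idx, name in enumerate(fmt.split(delimiter)):
        if name.startswith("*"):
            name = name[1:]
            if name.startswith(","):        # '*,' form: list-valued key column
                key_is_list = True
                name = name[1:]
            if key_field is not None:
                raise ValueError("only one '*' key field is allowed")
            key_field = idx
        elif name[:1] in ("=", "~"):        # check-item / reply-item marker
            name = name[1:]
        fields.append(name)
    if key_field is None:
        raise ValueError("format has no '*' key field")
    return PasswdFormat(fields, key_field, key_is_list, delimiter)


def lookup(lines: List[str], pfmt: PasswdFormat, key: str,
           ignore_empty: bool = True) -> Optional[Dict[str, str]]:
    """Return the attributes of the first line whose key column matches, else None."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        cols = line.split(pfmt.delimiter)
        cols += [""] * (len(pfmt.fields) - len(cols))   # pad short lines
        key_col = cols[pfmt.key_field]
        keys = key_col.split(",") if pfmt.key_is_list else [key_col]
        if key not in keys:                 # exact string match, no domain stripping
            continue
        attrs: Dict[str, str] = {}
        for idx, (name, value) in enumerate(zip(pfmt.fields, cols)):
            if idx == pfmt.key_field or not name:
                continue
            if ignore_empty and value == "":
                continue
            attrs[name] = value
        return attrs
    return None


def authorize(request: Dict[str, str], pfmt: PasswdFormat,
              lines: List[str]) -> Optional[Dict[str, str]]:
    """Look the file up using whichever request attribute the format names as key."""
    key = request.get(pfmt.fields[pfmt.key_field])
    if key is None:
        return None                        # key attribute absent: notfound
    return lookup(lines, pfmt, key)


# Constructed sample data; the hashes are placeholders, not real password hashes.
SMB_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
STRIPPED_FORMAT = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
GROUP_FORMAT = "=Group-Name:::*,User-Name"
SMBPASSWD_LINES = [
    "# constructed smbpasswd sample",
    "josh:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:",
    "alice:1002:11111111111111111111111111111111:22222222222222222222222222222222:[U          ]:LCT-00000000:",
]
GROUP_LINES = ["staff:x:502:josh,alice", "wheel:x:10:root"]

# What the debug output above shows: the outer and tunneled requests carry
# User-Name = "HTN\josh" plus the Stripped-User-Name added by the realm module.
REQUEST = {"User-Name": "HTN\\josh", "Stripped-User-Name": "josh"}

if __name__ == "__main__":
    print(authorize(REQUEST, parse_format(SMB_FORMAT), SMBPASSWD_LINES))       # None
    print(authorize(REQUEST, parse_format(STRIPPED_FORMAT), SMBPASSWD_LINES))  # NT-Password found
    print(lookup(GROUP_LINES, parse_format(GROUP_FORMAT), "alice"))            # {'Group-Name': 'staff'}
```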