802.1x problems

Keith Ledford kledford at uga.edu
Thu Jan 15 15:31:45 CET 2009


Hello all,

I am having some issues with setting up 802.1x using
freeradius-server-2.1.1-2.el5. I have 3 SSIDs set up. One of them is
doing MAC auth against a file, one is using LDAP auth and the other is
set up to use 802.1x. MAC auth and LDAP auth work great, so I know my
LDAP config in radius should be set up correctly. It looks like the
authorize part of 802.1x works, but it fails during the authenticate
part. Does anyone see what I have messed up? I am sure it is something
simple that I am overlooking. I am using Windows XP SP3 to try to
connect to this network. My wireless network is all Cisco LWAPP APs
connecting to Cisco WLAN controllers, and we use Cisco WCS to manage
all of these devices. I am trying to set up a secure network using WPA
and WPA2 with 802.1x using EAP-PEAP.

The message

'WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?'

also shows up on the non-802.1x LDAP auth WLAN that works. Let me know
if more detail is needed.

TIA!

Config file snippets:
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap
        ldap_all_myids
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        Auth-Type LDAP_ALL_MYIDS {
                ldap_all_myids
        }
        eap
}

ldap ldap_all_myids {
    server = "localhost"
    identity = "cn=blah,ou=something,o=uga"
    password = "my_pass"
    basedn = "ou=users,o=uga"
    filter = "(cn=%u)"
    start_tls = no
    tls_mode = no
#   access_attr = "dialupAccess"
    access_attr = "ugaelmkprov"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                cache {
                      enable = no
                      max_entries = 255
                }
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}


Log file:

rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=191, length=181
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x020b000d016b6c6564666f7264
        Message-Authenticator = 0xb4fdd87de3f264b7a28bd05a07ceae23
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for kledford
[ldap]  expand: (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=%u)) -> (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap]  expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap] checking if remote access for kledford is allowed by ugaelmkprov
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[ldap_all_myids] performing user authorization for kledford
[ldap_all_myids]        expand: (cn=%u) -> (cn=kledford)
[ldap_all_myids]        expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
[ldap_all_myids] checking if remote access for kledford is allowed by ugaelmkprov
[ldap_all_myids] No default NMAS login sequence
[ldap_all_myids] looking for check items in directory...
[ldap_all_myids] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap_all_myids] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_all_myids] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.17.6.205 port 32770
        EAP-Message = 0x010c00061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e028ee22c7ff0f6bedc08a825
Finished request 70.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=192, length=266
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x020c005019800000004616030100410100003d0301496f410ff8ee077ce9d259abb7f81ed6db2ea758cffee4e7ad7eb61b95e8329a00001600040005000a000900640062000300060013001200630100
        State = 0x0282fb8e028ee22c7ff0f6bedc08a825
        Message-Authenticator = 0x2f08e7cd6b50bc98da1db2daf64fc80f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 172.17.6.205 port 32770
        EAP-Message = 0x9dc5234c6a61b0c639d1205aa8f6baa7a1798dc955d6792d68778d995c460a09b5e1ee31c0ca65fd7df82c8a30b284ea76a1875e16a4fa0b08f93927516f8ceb745842c378db6d5c1406c734d618323918d433707c4e59e6435881a39e18cb0ce52c1623cf149e57425ddfae12be2b2befbd9ba756f589a05f8935ce573ad4f6fcad95116eb8499c1daa6f3f34da4ccb275c6686677bc25ae678b5fabadd8c474d2a87263705892a9dee3a8b5c5ad11d1b229d93b7b37235bfa25c908e4a5c643fe70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010046d53a405176aa48f1
        EAP-Message = 0x9db9b1e524130f431f8d31d979c3c9cb9d01dfa19eacaa8bf1354d77b8431d571e12011a22f5adb109c8336191a861f9ee34a0f51c5d8991bd8feddac68ffac0ede52e5e9bd3efc17b6924e9bf4ec4944dda2bb48c10680ac49473dd2c474637c05c0594ec984f91468614a00e16547cb1b4227fe0b554a45d93852b09
        EAP-Message = 0x69eba10c49200443
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e008ce22c7ff0f6bedc08a825
Finished request 72.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=194, length=192
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x020e00061900
        State = 0x0282fb8e008ce22c7ff0f6bedc08a825
        Message-Authenticator = 0x4aa592830ab1a5ab74e9a9a007187cb3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 172.17.6.205 port 32770
        EAP-Message = 0x010f00b51900dbe740ea1ac0356d73325c3b4862b3d7de03f02a23dba6bca2f6f1b797a90fbf5218a80d927bb8db9704876c522721d2a501828d7bbe23987b3f9f1232f56c98240d6e7810db793c7dd5e34daf5cf4299daa19393ea7ca3fc824447b57a62db54a622b8245942bc900cb982216c393a912b5ec346076e6044863de5249f31e319e8a0e876937e0b3520514fc00e3072659bbb89957d1322ad32aa4cbcb9418749803eb4310ae16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e018de22c7ff0f6bedc08a825
Finished request 73.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=195, length=508
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0xcf4e92de1e4d6728808dbf8df54d4819c57dabf00e16984114030100010116030100205c95b90821f44df33871c079ce0448065b483c9ef6504c023bba98c997702759
        State = 0x0282fb8e018de22c7ff0f6bedc08a825
        Message-Authenticator = 0x441cfb0518eb1e533b6445ac9ce68d59
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 172.17.6.205 port 32770
        EAP-Message = 0x0110003119001403010001011603010020094cda7a332cef09766a43e6416115d88a0b0c2b9538c106d7a79530914df85b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e0692e22c7ff0f6bedc08a825
Finished request 74.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=196, length=192
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x021000061900
        State = 0x0282fb8e0692e22c7ff0f6bedc08a825
        Message-Authenticator = 0xb2541fc85b1ccd57fc7147c181c1f8b1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 196 to 172.17.6.205 port 32770
        EAP-Message = 0x011100201900170301001563bc74883cd5e22b287fdc9866b0cf7b7527605d97
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e0793e22c7ff0f6bedc08a825
Finished request 75.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=197, length=222
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x0211002419001703010019cf021abfc4a36083c60b53cf5f495fc64fef8cb5cb08107c9a
        State = 0x0282fb8e0793e22c7ff0f6bedc08a825
        Message-Authenticator = 0x8249cfb08c9015d02c7dd9437b1ecd50
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - kledford
[peap] Got tunnled request
        EAP-Message = 0x0211000d016b6c6564666f7264
server (null) {
  PEAP: Got tunneled identity of kledford
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to kledford
Sending tunneled request
        EAP-Message = 0x0211000d016b6c6564666f7264
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "kledford"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 197 to 172.17.6.205 port 32770
        EAP-Message = 0x011200391900170301002e1f2e6251b0ee12c3a6be5147b62d32ff1e8f5b4d653c72d63b2f51095dd26c88d9e80b73c7c67e4d2642369bb7cf
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e0490e22c7ff0f6bedc08a825
Finished request 76.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=198, length=276
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x0212005a1900170301004fbe3681cc29c08c6a9cb7790dee6a2413b0ebc8473162dc85f362a9966ab531a0eb62ade6f69f550ca67d378fbff0e34767146eb3407c022ee9bd1e1939557fdd64cd99d5a77b130c13aeea3580be9f
        State = 0x0282fb8e0490e22c7ff0f6bedc08a825
        Message-Authenticator = 0x1d0b5a02f83fd064643cf8b17b61649e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
server (null) {
  PEAP: Setting User-Name to kledford
Sending tunneled request
        EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "kledford"
        State = 0x577c69d6576e7321a99fdce2c06ba398
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\022E=691 R=1"
        EAP-Message = 0x04120004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\022E=691 R=1"
        EAP-Message = 0x04120004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
        EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Finished request 77.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
        User-Name = "kledford"
        Calling-Station-Id = "00-11-95-D9-07-77"
        Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
        NAS-Port = 29
        NAS-IP-Address = 172.17.6.205
        NAS-Identifier = "South6"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1999"
        EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8
        State = 0x0282fb8e0591e22c7ff0f6bedc08a825
        Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> kledford
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 78 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
        EAP-Message = 0x04130004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 70 ID 191 with timestamp +511079
Cleaning up request 71 ID 192 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 72 ID 193 with timestamp +511080
Cleaning up request 73 ID 194 with timestamp +511080
Cleaning up request 74 ID 195 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 75 ID 196 with timestamp +511080
Cleaning up request 76 ID 197 with timestamp +511080
Cleaning up request 77 ID 198 with timestamp +511080
Waking up in 1.0 seconds.
Cleaning up request 78 ID 199 with timestamp +511080

-- 
Keith Ledford <kledford AT uga DOT edu>
Network Administrator
EITS Network Engineering
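An added example, not code from the post or from FreeRADIUS: a small Python decoder for the EAP-Message attributes printed by radiusd -X, so the outer PEAP stage (Start, TLS ACK, TLS record type) and the inner MS-CHAPv2 stage (Challenge, Response, Failure) can be read straight off the log above. Framing follows RFC 3748 (EAP), the PEAP flags byte, and RFC 2759 (MS-CHAPv2); the sample values are copied from the debug log in the post, and a packet split over several EAP-Message attributes can be passed as a list of fragments.

```python
"""Decode FreeRADIUS EAP-Message hex values (RFC 3748 / PEAP / RFC 2759)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
                     23: "ApplicationData"}


def _from_hex(value):
    """Accept one '0x...' string as printed by radiusd -X, or a list of such
    fragments: one EAP packet may be split over several EAP-Message attributes."""
    if isinstance(value, (list, tuple)):
        return b"".join(_from_hex(v) for v in value)
    value = value[2:] if value.lower().startswith("0x") else value
    return bytes.fromhex(value)


def _decode_peap(payload):
    """PEAP (type 25) payload: flags byte, optional 4-byte TLS length, TLS data."""
    flags = payload[0]
    info = {"length_included": bool(flags & 0x80),   # L flag
            "more_fragments": bool(flags & 0x40),    # M flag
            "start": bool(flags & 0x20),             # S flag (PEAP Start)
            "peap_version": flags & 0x07}
    body = payload[1:]
    if info["length_included"]:
        info["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    if len(body) >= 5:  # TLS record header: type(1) version(2) length(2); 3.1 = TLS 1.0
        info["tls_record"] = {"content_type": TLS_CONTENT_TYPES.get(body[0], body[0]),
                              "version": "%d.%d" % (body[1], body[2]),
                              "length": struct.unpack("!H", body[3:5])[0]}
    elif not body and not info["start"]:
        info["tls_ack"] = True  # empty PEAP packet without S flag = TLS ACK
    return info


def _decode_mschapv2(payload):
    """EAP-MSCHAPv2 (type 26): OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) data."""
    opcode, ms_id = payload[0], payload[1]
    info = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id,
            "ms_length": struct.unpack("!H", payload[2:4])[0]}
    rest = payload[4:]
    if opcode == 1:                   # Challenge: Value-Size(1) Challenge(16) Name
        size = rest[0]
        info["challenge"] = rest[1:1 + size].hex()
        info["name"] = rest[1 + size:].decode("ascii", "replace")
    elif opcode == 2:                 # Response: Value-Size(1)=49 Response(49) Name
        size = rest[0]
        resp = rest[1:1 + size]       # peer-challenge(16) reserved(8) NT-Response(24) flags(1)
        info["peer_challenge"] = resp[:16].hex()
        info["nt_response"] = resp[24:48].hex()   # what the server must verify against NT-Password
        info["flags"] = resp[48]
        info["name"] = rest[1 + size:].decode("ascii", "replace")
    elif opcode in (3, 4):            # Success/Failure request: ASCII message (e.g. E=691 R=1)
        info["message"] = rest.decode("ascii", "replace")
    return info


def decode_eap_message(value):
    """Return a dict describing one EAP packet given its hex string or fragment list."""
    data = _from_hex(value)
    code, ident, length = data[0], data[1], struct.unpack("!H", data[2:4])[0]
    if length != len(data):
        raise ValueError("EAP length %d != %d bytes present (missing fragment?)"
                         % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                # Success/Failure carry no Type field
        return pkt
    eap_type, payload = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = payload.decode("utf-8", "replace")
    elif eap_type == 25:
        pkt.update(_decode_peap(payload))
    elif eap_type == 26:
        pkt.update(_decode_mschapv2(payload))
    return pkt


if __name__ == "__main__":
    # Values copied from the debug log in the post, in conversation order:
    # outer Identity, PEAP Start, TLS ACK, inner MS-CHAPv2 Challenge/Response, inner Failure.
    for v in ("0x020b000d016b6c6564666f7264", "0x010c00061920", "0x020e00061900",
              "0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264",
              "0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000"
              "977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264",
              "0x04120004"):
        print(decode_eap_message(v))
```

The inner Response shows the 24-byte NT-Response the server has to recompute from the user's NT hash, which is exactly what the log says rlm_mschap could not do ("No NT/LM-Password") because the LDAP authorize step returned no known-good password.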


