Config. Help please - ldap and Active Directory
Leighton Man
l.j.man at hud.ac.uk
Wed Mar 11 15:02:16 CET 2009
> Can you post the whole debug, not just snipetts. Are these
> from the same or from different requests in the exchange?
> Perhaps you need use_tunneled_reply rather than this.
>
Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand.
Leighton
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x0203000d01636d73786c656967
Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
++++[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455de567c927acd591e49a319b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020400060319
Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455de567c927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
++++[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 1: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 37 to 10.127.240.217 port 1645
EAP-Message = 0x010500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455ce47ac927acd591e49a319b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=38, length=265
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x0205007019800000006616030100610100005d030149b7c1aeab2f6dbd3b06e21c6335a864e2b6c1c3aa77dea8567f202a7b06e0f3000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
Message-Authenticator = 0x6db5036a3ae4bb0b29d1397a150437a8
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455ce47ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 38 to 10.127.240.217 port 1645
EAP-Message = 0x0106040019c00000088b160301002a02000026030149b7c1ac6f4ea7d744b484ea8dccf4252ea401fae4499880c49c39adb8cfd33900002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3039303330393131353330315a170d3130303330393131353330315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e0f486a32a63ea8c5f3be2dab6e7754cd4040e44619a48776d26127a632b2861ffb099f624a244a369c00d4a7a745f1508321fb0dde8001f47ffabb2baef
EAP-Message = 0x4475eb993d9ca3fab222f7778ccce5dddb7f7c64c8dddb7a11a78531638cbfb59d489e2b201f77d4356a225c1dba8245c94f56a5081e79adea5d3624467c7135be351a4d011edc230aa13d0526e25f817ade783433d4b1dfc075dc514252532b27be4bedbc950c25829ce0606629a6a31dd6294304890f737d959542eeccb023666d43df003953b971d5bf1ebbcea37f4912761ea19f914bebad71acb985bce93ec2af6c366e87640db363d1e613cba97d236e5add9ff9eed22e5d4b6ee772edfc7d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010082e17a19587d75cd61
EAP-Message = 0xf93fd77c415b6e117856f4c728a4b787d05d8dfe3e21bd16753db864dd2e1f152688a0574c880fb6b38bb533de26f7267fd9b3477956e5c66d9c9a60f5516642321fde34863335c06b0b344c956a63911707606633a6bb20fcad4eb7b8180e324a32ef4e0f35343d82ad7d2f23848acfe1d9adddd61de8de51159533b5ebe52be9de278593d1cbfbb647a711dd3c930442aaf5a8ce71d31b7bf6162326dcb3be1c601c559d062a1b9e5a79938bd6282492e574a71da3766c8029614c21322945cf420ea1ac171c6769051fc9038e02283a72c7ca64e37ffc21528918a951fcd9a5b1959cfef34aa6fb5606bbfb82623872718bf280538d00049b308204
EAP-Message = 0x973082037fa0030201020201
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455fe77ac927acd591e49a319b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=39, length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020600061900
Message-Authenticator = 0xb1a47b6e94e316447e41877f2a847ed6
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455fe77ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 39 to 10.127.240.217 port 1645
EAP-Message = 0x010703fc194000300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330393131353330305a170d3130303330393131353330305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577
EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4760f3fe6fe399f5be030fd803543f5958cfd8ae679612b56700ac92f876a34b2aa7e1a1c665bf3f5852977d2fa28126ab3927360676ddeebebdbb7d229ad64b337146ead10468e405f2558d2b9d11e73cbe6a53ee9411775b5f0ea978bac53b78f8572f81aa54fe86bdef98e946e1cab364bd0631763
EAP-Message = 0xed10dba2e049d5f20a1423d1ef5010cc3da9e9b3a3f11c539b11e0c9a4e22cec5c1161598b385db5214dd21f8799c55906f9ef75ce77d9b58ca609664f13c3db7d6c94e168d7d45c54d86e2b8477806570d6302aeba2c2f0f3058f6047a0e24d9b77009e93467144011b475874ea9cc09365d2cb861eb3a7b9d237489746fe59f7076db06bf2e3e30b0203010001a381f33081f0301d0603551d0e04160414abd501507cc9d78a8278093949d47c0c35eb38393081c00603551d230481b83081b58014abd501507cc9d78a8278093949d47c0c35eb3839a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975
EAP-Message = 0x733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101004ae49fb5afa9a0e756198402b0668357d21c879707a9426a0cd2d1d5b57e76d56f3bcb9b6195a5e3f5d20654371234d6a94f3c8ddb836aac3e73f6856b072fe19e3b29e1e3e6bacb5b04bfabbef33fa3033fdac3a6f992edc70efa0593bac9a26577
EAP-Message = 0x39df2f69b8aa23b1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455ee67ac927acd591e49a319b
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=40, length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020700061900
Message-Authenticator = 0x014fc3a1d0d55913f78f89a13d8776d1
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455ee67ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 40 to 10.127.240.217 port 1645
EAP-Message = 0x010800a519004c501cf4cabac8631623dbda4db158d1ac52dad5e46001166444635b465ea4b801cc6a60eb9306b4f7e418a95a16b9c0f8dbe94d4673fe8cb5cd9565a3d51d03425ae8171fb37917ee224a648f84b9b0d3d4c6fb2d4bba7cbae284ca0ee09edf3ef60f454eb751316f7df0d3b877b5d9c3f16bab23828fd6935dadb8007d6ecf8a89741fa608c51873c1a1a2db818e3f8bee7d73fd5316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de1634559e97ac927acd591e49a319b
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=41, length=491
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x0208015019800000014616030101061000010201002c95a9c6250c5436c12a1a8a4cab44c1f93ed567306cbc33d37de3d4c13d89310ce71779710ab5229309ee9fb224653da882814609f40f33791749952104bcc025e0f1a0f24c40dfe0de8f8f13f9a3047f3837b6abb3707b294d35c5e5e750b45996a3a6c2e60e3331466cee191731cd9a2c9ae6e3636725fe5de936989cece0e793eacd65904bfb68dba0ed5efc10ed5754838c33fc42878890c81852bd1eefdab8653f0cdaf9a738d2e69fbbe9474f36eac05950ef331f6c4af69d0593125118fa284c8eb920a6768a58979078a159a81dae0ad8fda8b0ec6352b9a474dea41ec69dcc1540f858
EAP-Message = 0xcc65716966474d97f1d09f94e1e7c5dd97700e9a207431e614030100010116030100309f33527bc6c37cc1b398772be7b61bcbd1f7b84656772a339937480ec216eaaac58902a3079c17c5e168f535e65d8cf2
Message-Authenticator = 0x4022f3dcf9eb58a9ab62621ab615cd42
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de1634559e97ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 41 to 10.127.240.217 port 1645
EAP-Message = 0x0109004119001403010001011603010030361b56b20c41691b4f426dff7f2ad4894816568ad01864f4f67f9cc47f9c6616af70c9c8a11649b30091e576a2da1cb7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de1634558e87ac927acd591e49a319b
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=42, length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020900061900
Message-Authenticator = 0x4808cbbee6269aa33148b8676dda8818
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de1634558e87ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 42 to 10.127.240.217 port 1645
EAP-Message = 0x010a002b19001703010020a77557a3286e24cac6b15b0aeb79555638904414d9fbd5a819655603459d9a0f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455beb7ac927acd591e49a319b
Finished request 6.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=43, length=196
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020a002b19001703010020eea35b9513930a5db7b16a7b8feb65acbeac46a368b5de191dafbb3b6d2a25eb
Message-Authenticator = 0xaa3b637009406a52001d206bc4b55204
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455beb7ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - cmsxleig
[peap] Got tunneled request
EAP-Message = 0x020a000d01636d73786c656967
server {
PEAP: Got tunneled identity of cmsxleig
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to cmsxleig
Sending tunneled request
EAP-Message = 0x020a000d01636d73786c656967
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "cmsxleig"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x774ed13b7745cb6204cdbc439a2405d2
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x774ed13b7745cb6204cdbc439a2405d2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 43 to 10.127.240.217 port 1645
EAP-Message = 0x010b004b19001703010040f2043b3eda010e357d940971e35f409540d5919f5fb9ad76d18e77f4ff187dc5292d0bb7f34346fbe2775e56e24e6aa18c3fd39c685328b40cd51ad6b4e0f194
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de163455aea7ac927acd591e49a319b
Finished request 7.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=44, length=260
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020b006b190017030100600cc1c638a3d913ce9ae454e7877dae26ab957df3f61b1854e3bb157c0632368ef73804859b340b0163e2367e579279a01fae7d896c73e938132b2624c277e9695721e02704708a31dfafe99089bbeac3570e76f1e0013abaf54458c0ce5d0e55
Message-Authenticator = 0x222c9aae92494ff78b6adb03ccae5c44
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455aea7ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967
server {
PEAP: Setting User-Name to cmsxleig
Sending tunneled request
EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "cmsxleig"
State = 0x774ed13b7745cb6204cdbc439a2405d2
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for cmsxleig with NT-Password
[mschap] expand: --username=%{mschap:User-Name} -> --username=cmsxleig
[mschap] mschap2: ff
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cd174960e64892c4
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee39
Exec-Program output: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9
Exec-Program-Wait: plaintext: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x774ed13b7642cb6204cdbc439a2405d2
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x774ed13b7642cb6204cdbc439a2405d2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 44 to 10.127.240.217 port 1645
EAP-Message = 0x010c005b190017030100501c537d1a5a82418315fd235711df9b767768e5b09642bc8f0e20915aa3f018d2b8f6171d8cc02dfde46b8fb44eecd88d9f420d88fb5399de0e217eda274321e48a733969f5d78f750197ad251d6c3ea9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de1634555ed7ac927acd591e49a319b
Finished request 8.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=45, length=196
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020c002b19001703010020eeea80c427ae52b88611ecdffbebc327c99f58f5ea94a7c63fcd140576f462d6
Message-Authenticator = 0x2720a841e60e010671b3f15ea60f83bc
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de1634555ed7ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020c00061a03
server {
PEAP: Setting User-Name to cmsxleig
Sending tunneled request
EAP-Message = 0x020c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "cmsxleig"
State = 0x774ed13b7642cb6204cdbc439a2405d2
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "cmsxleig"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "cmsxleig"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 45 to 10.127.240.217 port 1645
EAP-Message = 0x010d002b190017030100201a408b6dd31ee818348d93b79251401690a60378f8dbf01292e53f3864354f92
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5de1634554ec7ac927acd591e49a319b
Finished request 9.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=46, length=196
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020d002b19001703010020d343176158acf8e2a0e5b7e6603cd4b92b47f02bd41ff6b133e3f09978ac0a09
Message-Authenticator = 0x3eb31b44a57adfaa84fc8cad44729966
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de1634554ec7ac927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 13 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 46 to 10.127.240.217 port 1645
MS-MPPE-Recv-Key = 0xe4a8a039b0329307e40bd293849cffd24a04d4e668d687e7adc4c9fa6340693b
MS-MPPE-Send-Key = 0x788fca79956ede0a43ce8bda8458a97a28fcded1a7d55b74d104d727a46b1024
EAP-Message = 0x030d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "cmsxleig"
Finished request 10.
Going to the next request
Waking up in 4.2 seconds.
Cleaning up request 0 ID 36 with timestamp +29
Cleaning up request 1 ID 37 with timestamp +29
Cleaning up request 2 ID 38 with timestamp +29
Cleaning up request 3 ID 39 with timestamp +29
Cleaning up request 4 ID 40 with timestamp +29
Waking up in 0.2 seconds.
Cleaning up request 5 ID 41 with timestamp +29
Cleaning up request 6 ID 42 with timestamp +30
Cleaning up request 7 ID 43 with timestamp +30
Waking up in 0.1 seconds.
Cleaning up request 8 ID 44 with timestamp +30
Cleaning up request 9 ID 45 with timestamp +30
Cleaning up request 10 ID 46 with timestamp +30
Ready to process requests.
More information about the Freeradius-Users
mailing list