Error in Authentication

Jaswinder Kaur Jaswinder.Kaur at northyorks.gov.uk
Wed Mar 11 17:06:49 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello All,

I am using FreeRADIUS 2.1.1 on SUSE 10 SP1. I am trying to integrate FreeRADIUS with eDirectory, but somehow I am not able to achieve the desired result: the client just sits while trying to authenticate. I can see the RADIUS server reading the username and password, but still it's not authenticating it.

Kindly help. I am attaching the debug output from the RADIUS server here:

rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=98, length=142
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        EAP-Message = 0x0201000a016a6b617572
        User-Name = "jkaur"
        NAS-Port = 22283
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xe4060b16fe2c51beb980f9935f65bfc7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jkaur
[ldap]  expand: (uid=%u) -> (uid=jkaur)
[ldap]  expand: ou=it,ou=cse,ou=no,o=nycc -> ou=it,ou=cse,ou=no,o=nycc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to FS-NWMASTER.NYCC.INTERNAL:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radadmin,o=nycc/f9s4b991 to FS-NWMASTER.NYCC.INTERNAL:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=it,ou=cse,ou=no,o=nycc, with filter (uid=jkaur)
[ldap] checking if remote access for jkaur is allowed by dialupAccess
[ldap] Added the eDirectory password rimpysaini in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user jkaur authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 98 to 130.1.254.174 port 20002
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x80cadc2980c8c54cf63317ea2469d24f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=99, length=142
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        EAP-Message = 0x0202000a016a6b617572
        User-Name = "jkaur"
        NAS-Port = 22283
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x76041cb28fa2b04c02d0efce299c7d5c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jkaur
[ldap]  expand: (uid=%u) -> (uid=jkaur)
[ldap]  expand: ou=it,ou=cse,ou=no,o=nycc -> ou=it,ou=cse,ou=no,o=nycc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=it,ou=cse,ou=no,o=nycc, with filter (uid=jkaur)
[ldap] checking if remote access for jkaur is allowed by dialupAccess
[ldap] Added the eDirectory password rimpysaini07 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user jkaur authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 99 to 130.1.254.174 port 20002
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x91df0da291dc14674239f44201d53d4a
Finished request 1.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=100, length=230
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jkaur"
        NAS-Port = 22283
        State = 0x91df0da291dc14674239f44201d53d4a
        EAP-Message = 0x0203005019800000004616030100410100003d030149b7dca0ddb16c7a496e5deebbe35ff527acaeff8dbba62fec80e4f180ae48a600001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x19f917f08434ae523871513b4caafa8a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0894], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 100 to 130.1.254.174 port 20002
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x0101040500038201010084cd6c73a9a87de7c7a2e2077fd165eb2f179852170c01a1a7922a912af1b486c5792df4c09f3943821aa7ab0c906b89409a89037b6ce50e66a5b9406d1f6b4d46b3e0c9f483d0e0783cf7fa07b6a7bc349e8126cb570e7924e0d65f8902a4fd6e1a15f0395821ac50e3dc2e9700bd8002cff236d10b5bedd3f31c0ea1d403abcbd09e628ef5fb5a0678a719841c910e0459ab86a644047c6c37c6816de61d000fb47e82b402b9113c90d2b1d174071d840f82524a85704e74ac87f3828690dd7c9a96810697f69b01b832a0e75e003a97376beb90336a9bf3d81a0145ea584a1f736701604f9c3102e3db94d9d1665d3b4733
        EAP-Message = 0xa0d76c148e6c209f19daf73c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x91df0da290db14674239f44201d53d4a
Finished request 2.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=101, length=156
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jkaur"
        NAS-Port = 22283
        State = 0x91df0da290db14674239f44201d53d4a
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x6c0a9364d053c262952bdb3618da745b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 101 to 130.1.254.174 port 20002
        EAP-Message = 0x010503fc1940a90004ce308204ca308203b2a0030201020209009b1b08b0dc10c143300d06092a864886f70d010105050030819e310b300906035504061302554b311730150603550408130e4e6f727468596f726b7368697265311630140603550407130d4e6f727468616c6c6572746f6e310d300b060355040a13044e5943433128302606092a864886f70d0109011619667761646d696e406e6f727468796f726b732e676f762e756b312530230603550403131c52616469757320436572746966696361746520417574686f72697479301e170d3038313031373132333233365a170d3038313131363132333233365a30819e310b300906035504
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0xfe0d8480599c7ac3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x91df0da293da14674239f44201d53d4a
Finished request 3.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=102, length=156
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jkaur"
        NAS-Port = 22283
        State = 0x91df0da293da14674239f44201d53d4a
        EAP-Message = 0x020500061900
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x7cb007c0ef1b2a4023d78e8c55ffbd6a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 102 to 130.1.254.174 port 20002
        EAP-Message = 0x010600eb1900c4e5df22b2997947c345df9f73a6626b07517c5a726255d236ef91678b9dbd214791bfa39479046f030aec36f700bedcaa04b3806e3b0273a730d7b377fa8b259b433d3f2327ddb27a17e2dec166919e6f6c1f8615baaf8f6aca7d3544983e8b21be5f42651b80d05bc937533d9813c13a30c615ac07bb23221aac800d99641262e5dc9790a2f8a021ccb83999eb9626cfd463580589b33bb5e583ea7e10846af95052a4075a9c2ab01dc7d3c42336b1c3f284a0f3975abea2685d187d38752a63875df19cc80a22f75eb3481eb665081aeb1e77ca79b2066e059ed416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x91df0da292d914674239f44201d53d4a
Finished request 4.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=103, length=156
        NAS-Port-Id = "AP1/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jkaur"
        NAS-Port = 22283
        State = 0x91df0da292d914674239f44201d53d4a
        EAP-Message = 0x020600061900
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xf6d9d82b0d35719f05b623c4f8655f5d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jkaur", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 103 to 130.1.254.174 port 20002
        EAP-Message = 0x010700061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x91df0da295d814674239f44201d53d4a
Finished request 5.
Going to the next request
Waking up in 3.7 seconds.
Cleaning up request 0 ID 98 with timestamp +145
Waking up in 1.1 seconds.
Cleaning up request 1 ID 99 with timestamp +146
Cleaning up request 2 ID 100 with timestamp +148
Cleaning up request 3 ID 101 with timestamp +148
Cleaning up request 4 ID 102 with timestamp +148
Cleaning up request 5 ID 103 with timestamp +148
Ready to process requests.



Any help is greatly appreciated.

Thanks,
JK





-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.9.0 (Build 472)
Charset: US-ASCII

wsBVAwUBSbfhvvsvZpRjP72bAQigHAf+Oq2xkxpqarERcbOXk6eM4aEb7+d7W4GR
cZfA42GyFMstZ6+RQ5ERt1pMaGDv/6FajFPBA1SK1bqFDQ3rcJyqissMOS5Oscb2
ORw7b8kWFX2NUwQANDnZYSxz9LhPZlUTaRHqWzDcicvuELiIQxJStbK+dIZ2fWFV
PvPAgpKtddbvpL3smKlY1aFkYmUtsumBd0xsljzX3j+qTzEeli6y+MpGDYXfvmLe
i4b3B2sP39VXjQCP0Z+Zx3yduR9YfAoNrn/fUBdiIQSKrgUn9Lz5Lsox1lbbhyKT
BIQGsDqpiktukzW7N6Va7pF/tjfAko/Kmf2SxKTsoOdG8sKaSgnv4g==
=4Ibp
-----END PGP SIGNATURE-----
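The debug output above is long enough that the shape of the EAP conversation is easy to lose: the identity exchange, the PEAP/TLS start, the ClientHello, the server's Certificate and ServerHelloDone split over several fragments, then a series of bare TLS ACKs from the client with no further client handshake record before the requests are cleaned up. It also carries two secrets in clear text (the LDAP bind password on the `rlm_ldap: bind as` line and the user's eDirectory password added as `Cleartext-Password`). The script below is an added example, not part of the original post or of FreeRADIUS: it parses `radiusd -X` output, decodes the EAP header of each client `EAP-Message` (code, id, type, PEAP flags and TLS length), tracks the TLS handshake messages per RADIUS request, reports where the conversation stopped, and redacts the two secret-bearing lines before a log is shared. The sample input is a constructed, condensed excerpt in the format of the debug above with the passwords replaced by placeholders; the line patterns and the `assess` heuristic are the example's own assumptions.

```python
"""Trace the EAP/PEAP conversation in FreeRADIUS 'radiusd -X' output and redact the
secrets that such output carries (LDAP bind password, the user's Cleartext-Password).
Added example; the log patterns and the stall heuristic are assumptions of this script."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed excerpt in the shape of the debug output above,
# with the real secrets replaced by placeholders.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=98, length=142
        EAP-Message = 0x0201000a016a6b617572
        User-Name = "jkaur"
rlm_ldap: bind as cn=radadmin,o=nycc/BIND-PASSWORD-PLACEHOLDER to FS-NWMASTER.NYCC.INTERNAL:389
[ldap] Added the eDirectory password USER-PASSWORD-PLACEHOLDER in check items as Cleartext-Password
[eap] EAP Identity
[eap] processing type tls
Sending Access-Challenge of id 98 to 130.1.254.174 port 20002
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=100, length=230
        EAP-Message = 0x0203005019800000004616030100410100003d0301
[eap] processing type peap
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] >>> TLS 1.0 Handshake [length 0894], Certificate
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Sending Access-Challenge of id 100 to 130.1.254.174 port 20002
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=101, length=156
        EAP-Message = 0x020400061900
[peap] Received TLS ACK
Sending Access-Challenge of id 101 to 130.1.254.174 port 20002
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=103, length=156
        EAP-Message = 0x020600061900
[peap] Received TLS ACK
Sending Access-Challenge of id 103 to 130.1.254.174 port 20002
Cleaning up request 0 ID 98 with timestamp +145
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_EAP = re.compile(r"^\s*EAP-Message = 0x([0-9a-fA-F]+)")
RE_TLS = re.compile(r"^\[peap\] (<<<|>>>) TLS \S+ Handshake \[length [0-9a-f]+\], (\w+)")
RE_SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")
RE_BIND = re.compile(r"(bind as \S+?)/\S+( to )")
RE_CLEARTEXT = re.compile(r"(Added the eDirectory password )\S+( in check items)")


@dataclass
class Request:
    radius_id: int
    eap: dict = field(default_factory=dict)          # decoded header of the client's EAP-Message
    handshake: List[str] = field(default_factory=list)  # "C>ClientHello", "S>Certificate", ...
    tls_ack: bool = False
    reply: Optional[str] = None                       # Access-Challenge / Access-Accept / Access-Reject


def decode_eap(hexstr: str) -> dict:
    """Decode the RFC 3748 EAP header plus the PEAP/EAP-TLS flags byte (RFC 5216 layout)."""
    raw = bytes.fromhex(hexstr)
    info = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}
    if len(raw) > 4:
        t = raw[4]
        info["type"] = EAP_TYPES.get(t, t)
        if t == 1:                                    # Identity: data is the NAI
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif t in (13, 25):                           # EAP-TLS / PEAP: flags L M S
            flags = raw[5]
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            info["tls_length"] = int.from_bytes(raw[6:10], "big") if flags & 0x80 else None
            info["ack"] = len(raw) == 6 and flags == 0  # no flags, no data: a bare TLS ACK
    return info


def parse_log(text: str) -> List[Request]:
    """Group the debug lines by RADIUS request and pull out the EAP/TLS progress of each."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = Request(radius_id=int(m.group(2)))
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = RE_EAP.match(line)
        if m and not cur.eap:          # first EAP-Message after rad_recv is the client's
            cur.eap = decode_eap(m.group(1))
            continue
        m = RE_TLS.match(line)
        if m:
            cur.handshake.append(("C>" if m.group(1) == "<<<" else "S>") + m.group(2))
            continue
        if line.startswith("[peap] Received TLS ACK"):
            cur.tls_ack = True
            continue
        m = RE_SEND.match(line)
        if m:
            cur.reply = m.group(1)
    return requests


def assess(requests: List[Request]) -> str:
    """Heuristic summary of where the conversation stopped (assumption of this example)."""
    server_sent = [h[2:] for r in requests for h in r.handshake if h.startswith("S>")]
    client_sent = [h[2:] for r in requests for h in r.handshake if h.startswith("C>")]
    if any(r.reply == "Access-Accept" for r in requests):
        return "authentication completed"
    if "ServerHelloDone" in server_sent and client_sent == ["ClientHello"]:
        acks = sum(1 for r in requests if r.eap.get("ack"))
        return (f"stalled: server sent Certificate and ServerHelloDone, client only ACKed "
                f"({acks} ACKs) and never sent ClientKeyExchange")
    return "incomplete: " + ", ".join(server_sent + client_sent)


def redact(text: str) -> str:
    """Mask the LDAP bind password and the Cleartext-Password that radiusd -X prints."""
    text = RE_BIND.sub(r"\1/<redacted>\2", text)
    return RE_CLEARTEXT.sub(r"\1<redacted>\2", text)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for r in reqs:
        print(r.radius_id, r.eap.get("type"), r.eap.get("id"), r.handshake, r.reply)
    print(assess(reqs))
```

Run against the full debug above (after `redact`), the trace shows the client's last handshake record is the ClientHello in request id 100; every later client message is a six-byte PEAP ACK, and the server's final challenge (id 103) is itself an empty ACK, after which the requests time out. In FreeRADIUS deployments that pattern is the one usually seen when the supplicant does not accept the server certificate it has just received, so the server certificate and the client's trust settings are the first things to compare.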
More information about the Freeradius-Users mailing list