Authentication with eap/mschapv2
Stefan Hotz
stefhotz at yahoo.de
Thu Sep 17 16:09:49 CEST 2009
Hello
I would like to authenticate my Windows XP wireless users with freeradius against a AD. Test with the local ntlm_auth against the AD worked fine as well radtest with a local user in the users file.
It seems to me that Problem ist somewhere here:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server
it didn't like the previous packet"
But I have no idea what the server does not like.
The whole debug output is below
Any help it greatliy appreciated
regards
stefan
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 2 2009 at 13:59:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy..conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127..0.0.1
require_message_authenticator = no
secret = "testing123-1"
shortname = "localhost"
nastype = "other"
}
client 10.0.0.1 {
require_message_authenticator = no
secret = "testing123-1"
shortname = "wireless"
nastype = "others"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-mydomain:-mydomain} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.key"
certificate_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.crt"
CA_file = "/etc/freeradius/certs/demoCA/CA_cert.crt"
private_key_password = "WireKey*!4"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {....} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=145
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0xa1f051e8488f5a50cb044187a8c4c674
EAP-Message = 0x02010010015a4830315c532e486f747a
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.0.0.1 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e80eb716d23cf4280d3865bd8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=105, length=253
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0x8ea63d676026bf116dc956f454e8088e
EAP-Message = 0x0202006a1900160301005f0100005b03014ab1f239fed58a9540ea7eeff0e2d184bfde52a76c671ae71e9ecf769581c7ff00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e80eb716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 106
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005f], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 05ce], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.0.0.1 port 1645
EAP-Message = 0x0103040019c00000071d160301002a0200002603014ab1f237fbca05f523e033ce4b7b8ef2489ee1d6fe7016bbe3ffc2f4ab5acb540000390016030105ce0b0005ca0005c7000302308202fe30820267a003020102020103300d06092a864886f70d0101040500304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b301e170d3038313230343037333630395a170d3133313230333037333630395a3066310b3009060355040613026368310b3009060355040813027a68310c300a060355040a13
EAP-Message = 0x036e7a7a31133011060355040b130a696e666f726d6174696b312730250603550403131e6e7a7a7769726530312d302e7a6830312e6e7a7a6772757070652e6e657430819f300d06092a864886f70d010101050003818d0030818902818100bf2852a1be32bc65d8a6bf27c34453b53ae9a378b98943a31b5d4cffd28e96dd9b0fe69212027623d91a92682a238cd190adecad171cee0a76a5c264efd4e159242c850c78c1e8ec9acc7d222c3970510dd21a06596b40b25001fcb62b617d02a3c2cba3821cafd6b656e9eeca3c84a5e4c271b3786a2089de9ce97b9d894b630203010001a381d33081d030090603551d1304023000302c060960864801
EAP-Message = 0x86f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414c93199967c5bdf132d1d5ab3fa15ac9b72ecc78530760603551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300d06092a864886f70d0101040500038181002f9130e3625335befa4741b20897377a22f325d6436e1c36f9be24facaf7d1eb54deaa81edb224429c0854f0f6
EAP-Message = 0x9e6475e665843ce0370b2c4dcfa7fd912d359404dbc1b027aadf3de96180dba9be61bf82785b63a41ec73f7f6b84bcd80990704441a9a84945a2ba2f68c77c8c56880b191482c87285bb22fc9351db0fed03c40002bf308202bb30820224a003020102020100300d06092a864886f70d0101040500304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b301e170d3038313230333135343235395a170d3138313230313135343235395a304e310b3009060355040613026368310b30090603550408
EAP-Message = 0x13027a68310f300d06035504
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e81ea716d23cf4280d3865bd8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=106, length=153
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0x918316a7a500e443230e4bbc47d5ad7d
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e81ea716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {....}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.0.0.1 port 1645
EAP-Message = 0x0104032d19000713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b30819f300d06092a864886f70d010101050003818d0030818902818100c6c1ffce3fe668d765c1dd77d608b27ae5168f1f7316dfe1a61a51fecf6f027c376b13047d11e34eaefd6ed682d3a580106b2b085f78571cdf1c97d02fff9db2b45ecff5512bf42627b38bb49fcf492066930dd04d889258035bd804da3b43e36fb19fd3c6ade9dc1010b9f2d0886c90a26b5f9d22cd17a296867ecc4c709bab0203010001a381a83081a5301d0603551d0e04160414727ea255965d8fbf177009121c46c0ca5c76174330760603
EAP-Message = 0x551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181009b2b4c150f7620aaf113a2855c0750f0f50f3265f6dc9fd8fc45c87192e5989f36e2b223cce00d9c2e289c59d7f552348f1befc5041ea840047c8c51b742070d2038a1d8f30d149f97b4cbfc136bfa0953625647d75e1865d30c12c56cd30417e427107d7ac14ab8
EAP-Message = 0xc3a50f63708713e4de5f2a257c536d7c8ec6401d29067103160301010d0c0001090040bc35b1fa5e7e1a1ac57b7f4b1d4bdb2aa0c090840cf3995df0fd2a2125315aeab4113d78cdd6f01841f720a3f51032069994b119ac5e013e6d1c1bdb60055c0b0001020040bb26e792b1a9496427dd930c8f921185af6d0b1301223b7bfff07ab237f63ecd5152d2a79716c1f6d95317f4105666565fc951027f12bdce2a6fec51a49ffa880080562d6f74e16994a4a2757f46b77009569a38e063190ba54e6d395c04837f42a48cb81baee48328a2844d446293b40effd6fa3ba3f2ab86032c5e5d3310ad86eb11ae0eab3c4b922b461f833c66b44a39f19b4b
EAP-Message = 0x1fee35da981a6e3f4939e5c3e0187867094c41b1e6bf6da839f737f42dfefea18aa18718509de0791f15edde5316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e82ed716d23cf4280d3865bd8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=107, length=287
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0xf6e713150b71eaf618f12fde46e3bcbb
EAP-Message = 0x0204008c190016030100461000004200401c3ab7dc1a753b6ae3020d96d1d144cadf21b5f3422a6783f77bc954b33441514b12044ddacd7ca955d4e1c23c8fc697df9f9e4cdd9361aca2ed8f9ac3f1e04314030100010116030100309180e1b3bc25f45e673fbe76685a95ecc6440b1b0309c47624f75142ae6c9ada63fa12674301b56444c21b450c6b32e7
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e82ed716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 140
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.0.0.1 port 1645
EAP-Message = 0x010500411900140301000101160301003020196b841f13a063342315f0272e8781d4be5a2e7147e5bdbbfbdc21aeef3d4ea2affdacf672abbd8534b15150719e00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e83ec716d23cf4280d3865bd8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=108, length=153
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0x4e257a44e0eb615236e7e6132d5d661f
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e83ec716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.0.0.1 port 1645
EAP-Message = 0x0106002b190017030100204ac0995a7016dc6e2823fe58aa1a8ff6714e685167aa9168e2a18516a34ce6d6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e84ef716d23cf4280d3865bd8
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=109, length=243
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0xa1c6ce6def0c9de02466b5c65e1cf9c3
EAP-Message = 0x0206006019001703010020d89c686f3a414d7446d857dee8506108223b5dc794ab421d80fb05f03f0a2bd21703010030de672b9ad28edfa510afb0379d769393b37e8de8f1cc4e4f7e9153bc4b7c4b9ccae6f4b26cc5a1bf7fcdc31537a79ea0
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e84ef716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - mydomain\user
[peap] Got tunnled request
EAP-Message = 0x02060010017a6830315c732e686f747a
server (null) {
PEAP: Got tunneled identity of mydomain\user
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to mydomain\user
Sending tunneled request
EAP-Message = 0x02060010017a6830315c732e686f747a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 109 to 10.0.0.1 port 1645
EAP-Message = 0x0107004b19001703010040fd04cc1b4a2605a649d63355aabdeb2632f6f349527cb4013d00d87573592aab6137e23b1f600379195c551950397cce371207f6be612863a7984b38637b9992
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e85ee716d23cf4280d3865bd8
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=110, length=291
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0x1cd29e39402a6e840e8f6556bf46928e
EAP-Message = 0x0207009019001703010020bd76d0b1af16c027e5a9da101b14ee7fe6ff2cf97814650047851242be007a711703010060c32b500bc499db805ab72b291f00d4005f04d993d16bb7061e2d52b47c7d9556b3c7c11b69878df2bb9d162d0785d085987181a73a81d9315139e4662efa7b54369921d174a6047bb7746897a46c93a795a8ebc3c4856481f9e1323ad8bcbdb5
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e85ee716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
server (null) {
PEAP: Setting User-Name to mydomain\user
Sending tunneled request
EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "mydomain\\user"
State = 0x03371cd203300629664a8ed6dcdcbe2d
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560..3e95"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user with NT-Password
expand: --domain=%{mschap:NT-mydomain:-mydomain} -> --domain=mydomain
expand: --username=%{mschap:User-Name:-None} -> --username=user
[mschap] mschap2: c5
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8660dea0f174464c
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4
Exec-Program output: NT_KEY: B9C1923227672CF3D5079723D78E41A0
Exec-Program-Wait: plaintext: NT_KEY: B9C1923227672CF3D5079723D78E41A0
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.0.0.1 port 1645
EAP-Message = 0x0108005b1900170301005055895bdec32accf23e83a028b4dacbd15c004660b5f7894904db99814756478b5e75b0d7784be8499937b31e7b49ac566dea2f9ffcfec48f52c6187290e8531f7f1f1227f27d7b589aea4033a7d24ea9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e86e1716d23cf4280d3865bd8
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10..0.0.1 port 1645, id=111, length=227
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0xca25c9fefffe68fb16b7540330f886cd
EAP-Message = 0x0208005019001703010020218fcc3ddf31542a1f4561375cb7b54f876cad08360a35bbee7cffcc512cd1a1170301002029173c496b16779ef3bb3d5172702d36c240bd8357def389fac4eb3212046f6e
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e86e1716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020800061a04
server (null) {
PEAP: Setting User-Name to mydomain\user
Sending tunneled request
EAP-Message = 0x020800061a04
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "mydomain\\user"
State = 0x03371cd2023f0629664a8ed6dcdcbe2d
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {....}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 111 to 10.0.0.1 port 1645
EAP-Message = 0x0109002b19001703010020b12908003d5c6d7d90cd3130cf111d70753d81ca7757744970195793cf356978
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e9682e87e0716d23cf4280d3865bd8
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=112, length=227
User-Name = "mydomain\\user"
Framed-MTU = 1400
Called-Station-Id = "000d.2868.4801"
Calling-Station-Id = "000e.3560.3e95"
Service-Type = Login-User
Message-Authenticator = 0x508935028611f6b0a47361317bf28b8f
EAP-Message = 0x02090050190017030100203ce39908b6bbd121e3b74f1b47e4df5e0a3b29c6bad8add51bdfad7e96ecb35917030100208618b9c909461c0afd54c4187f4fc76076ec42ed2d702e7cdd3e3099dc3b0f6b
NAS-Port-Type = Wireless-802.11
NAS-Port = 4392
State = 0x80e9682e87e0716d23cf4280d3865bd8
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> mydomain\user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 112 to 10.0.0.1 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090917/4db4347c/attachment.html>
More information about the Freeradius-Users
mailing list