Lotus Notes Encryption
rrperez
rrperez at apc.edu.ph
Thu Aug 19 07:48:27 CEST 2010
Thanks Peter, your a savior, I commented out pap in the authorize and
authenticate section in my sites-enabled default and inner-tunnel and it did
work.
But then again, when I tested it out, it only works locally with linux
platforms but when I tried to test it with the wifi router and windows
clients, it didn't.
Here is my debug:
rad_recv: Access-Request packet from host 10.96.100.205 port 1400, id=0,
length=143
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee013da174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061900
Message-Authenticator = 0xed627311a6a1881b5ccc49e9a637dbb5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1400
EAP-Message =
0x010303fc1940a5300d06092a864886f70d010105050030818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130303830353231343433315a170d3131303830353231343433315a30818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f06
EAP-Message =
0x0355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c377b277cfce89da192b6975f0e2c6f2860fd64da3fd80309a1ea8bb2ef91fa0d004899dfb920f5bd5bba909cc537b86d0ac729985a36c6c7bb562a02aeb6cbbadbd25c73240631e24c7bc66d8bcc423848426c6094bebdca51e781a251f99361eb4885aaa88541eabb41ccf08250ccfa82eb3f18b3ba6025f53e1994f0e9a5f81
EAP-Message =
0x96ab436778d1b5b28ffa1d177836b9584f8228ae3f38eb1b255e5ecc9ffdb5fd5f41ed8f88d07fb1865be3b978d27fd8f5de8a5f66814c415f2f81948713e5475d61ff81076a6c12afd11a2b4efb8114e2dee083866a63775065a83aecaa60f96d32d41db2651e6523d1dda4968768503b77957ed302e70148af04bea6b33d0203010001a381f63081f3301d0603551d0e04160414eb114a719ea71a316c157f42cb959cbe3d7ad1453081c30603551d230481bb3081b88014eb114a719ea71a316c157f42cb959cbe3d7ad145a18194a4819130818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407
EAP-Message =
0x130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e6d6f0b5c23c70a5300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100560f8590dfda5419fd715a32a3c02c7dfea64b4f7ab3f1d76173a6206a9919d372f97837051eba6b10fa29e2f813863875f2f260ce5e7935ddc4267fb7b6230d9c2b4cdaaf825e25b4910d895ed0355c1860eb0cb62961ee54228efe26aa5315820139132002a30d07
EAP-Message = 0xbd4b27e772945483
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee010db174ed007cbe32dab339b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1402, id=0,
length=143
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee010db174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0xdd9bb4604cc491e52d93993ef5295629
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1402
EAP-Message =
0x0104009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee011dc174ed007cbe32dab339b
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1404, id=0,
length=475
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee011dc174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02040150198000000146160301010610000102010072ae88400938d0083fb0c12f09a139a709419f40b8e6e8ee460d4f27084a0dd29e3bd409b6c0ced511e697bf480c470c3610300cc2afb8b6497786541b2d2a0c2ae85b52ded272301ae94bcb6afff2486b216641263acb4e8a84c8bf344b4b11c79e32e69006ff4f7bfdfc0c718bd7432dbdd9a211766d2a88d6d97970d9e96556978300cd185226dde14cd250be748c24f91aa6b64c518248d317ca782879c14db4457507c36f2b283fd7889ec44b7077e4c36ddcb14764bc526453823ef563e726b99fa57b75cfc3df5abceae234481030dbd9b720e37340e45ed41c9b364e731a3f4a129ced89
EAP-Message =
0x01a5d935cf98912a36e4be9e65cbf0cf5ac5463cc4e1628114030100010116030100308f36fda82b7cda0759ab0ee21afa5591d781fce8b1588d36f6ad3c8cf411d7fd2896ed5cf1031dd31ade315efd50fdf0
Message-Authenticator = 0xf19bbe506fd86435dea00fe97bd3d5f7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1404
EAP-Message =
0x0105004119001403010001011603010030b2753b377ba0009e0080331ffad6cc2487b5f2964bec77e42cf81df39a55d2390cf58ae71eee164d33308963dff57f80
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee016dd174ed007cbe32dab339b
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1406, id=0,
length=143
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee016dd174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x01fd398985e73333d344efbb9e9f6397
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1406
EAP-Message =
0x0106002b19001703010020ef046be0ff90417c0226190d61886f677aa0ba56c643c01435e9e1e7a16c550d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee017de174ed007cbe32dab339b
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1408, id=0,
length=196
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee017de174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206003b190017030100307190bd67cb930b02c0335ee671382000c7ba0ae8e918a20772fdfbf2029c11ac948f85d5ac1db3ec8404869db9d7363d
Message-Authenticator = 0x752100cc4f0dcddef59bc1cb270c4b6d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - kim.almarez
[peap] Got tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
server {
PEAP: Got tunneled identity of kim.almarez
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to kim.almarez
Sending tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kim.almarez"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for kim.almarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kim.almarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kim.almarez)
[ldap] expand: O=SMPRIME -> O=SMPRIME
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user kim.almarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3a9f4a7c3a985093651140f65e1dbc5b
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3a9f4a7c3a985093651140f65e1dbc5b
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1408
EAP-Message =
0x0107004b1900170301004029c7eee1f15e70ef2533d6b5a35d36168624b40f86f1a8004e6794d90be7d45c45319480d61db02f01a3854247418ee133e1707761857dff56a546518c17916f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee014df174ed007cbe32dab339b
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1410, id=0,
length=244
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee014df174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207006b190017030100606483cdd3ba73bce3c05308c3796c8c70d7479ec7922b1f03240faca33cfa11e64eb753d28d135e4a9a9425236ce6ba32547ad5c3d0420e0f0037413f159124de15166d366801e63e15c9de1bac2ff63e4edf0f11be92452bbb47fa60148ee26a
Message-Authenticator = 0xf617ac11a29c2f13dad2ef64e2b03526
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a
server {
PEAP: Setting User-Name to kim.almarez
Sending tunneled request
EAP-Message =
0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kim.almarez"
State = 0x3a9f4a7c3a985093651140f65e1dbc5b
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for kim.almarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kim.almarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kim.almarez)
[ldap] expand: O=SMPRIME -> O=SMPRIME
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user kim.almarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform
requested action.
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1410
EAP-Message =
0x0108002b1900170301002079260559645c9857376d741abe65d55cc54f1a2aa52afabbe7f7ffac0a4c92ee
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12d80ee015d0174ed007cbe32dab339b
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1412, id=0,
length=180
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x12d80ee015d0174ed007cbe32dab339b
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0208002b1900170301002098690ec5e9147f0af3b0e762ad2031c2406ea7bfc98262f36fbd12a2b813e5a9
Message-Authenticator = 0x106af60537eb38932efe628a03dea9b3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kim.almarez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 0 to 10.96.100.205 port 1412
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 0 with timestamp +14
Cleaning up request 1 ID 0 with timestamp +15
Cleaning up request 2 ID 0 with timestamp +15
Cleaning up request 3 ID 0 with timestamp +15
Cleaning up request 4 ID 0 with timestamp +15
Cleaning up request 5 ID 0 with timestamp +15
Cleaning up request 6 ID 0 with timestamp +15
Cleaning up request 7 ID 0 with timestamp +15
Waking up in 1.0 seconds.
Cleaning up request 8 ID 0 with timestamp +15
Ready to process requests.
The only error I found in this debug was with the mschapv2, I don't know
what might be the problem?
--
View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29478724.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list