Freeradius + WPA2 + Windows Client
rrperez
rrperez at apc.edu.ph
Thu Aug 19 10:42:55 CEST 2010
Sorry for the inconvenience Alan, I'm just a student and currently
studying/exploring radius servers.
Now I changed all the configuration back to default and make the some
configuration to make ldap works.
Here is the debug and it is quite different from the previous one:
rad_recv: Access-Request packet from host 10.96.100.205 port 1494, id=0,
length=143
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d33e0019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0xcffe22481a4058a92af0247cdbeb03ec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1494
EAP-Message =
0x0106002b1900170301002091954e9ec07cc3ca9afa609b287aea0248a1a1fbb2fe6ad3ccf1ea09fba06e11
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37e5184d32e3019d0fd828625cb2b12f
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1496, id=0,
length=196
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d32e3019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206003b19001703010030b116207fd585e2b669e3f77de44fc303752534eacf129c6be70a929f6c0f467eac807a801d321cd3fbee1078fefb5fcc
Message-Authenticator = 0xa31d5cd12cca50d02ad850f9eb1f0ff8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - kim.almarez
[peap] Got tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
server {
PEAP: Got tunneled identity of kim.almarez
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to kim.almarez
Sending tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kim.almarez"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for kim.almarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kim.almarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kim.almarez)
[ldap] expand: O=SMPRIME -> O=SMPRIME
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user kim.almarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010700251a01070020102ef100c06100accb4d5d1b6ad5d2f8446b696d2e616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb71a0bf8b71d112af1d78f0bcd53be2d
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700251a01070020102ef100c06100accb4d5d1b6ad5d2f8446b696d2e616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb71a0bf8b71d112af1d78f0bcd53be2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1496
EAP-Message =
0x0107004b19001703010040b41853b36929694f55a975a54e0312aad67a79c95cee9ba97992e39f7d2cb6588c877bec75be8cf35a9a5ef98dad06c34e7356d515ab0acfad5acbec3896cbfa
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37e5184d31e2019d0fd828625cb2b12f
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1498, id=0,
length=244
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d31e2019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207006b190017030100601e1827ee2c7843bdfa6b6e4689356b3cf4bbc3f5fe93482b29a244a417d2932b712ffbd46c831824c618053d9e66118c6e9bb1f988abb79558291fd48347ea822c12fa3e712b7512ce80fc6fb19399f71a3dc7d99c9b8ae049e2d93d0119462d
Message-Authenticator = 0xab6a9afce0d198bfc3a3acbd3bfb1958
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700461a0207004131c8424ddebbff4ae40360c6bf7d5a207500000000000000006da6ed352c3663c5a057b5a88306c7398494ebcd6bd77420006b696d2e616c6d6172657a
server {
PEAP: Setting User-Name to kim.almarez
Sending tunneled request
EAP-Message =
0x020700461a0207004131c8424ddebbff4ae40360c6bf7d5a207500000000000000006da6ed352c3663c5a057b5a88306c7398494ebcd6bd77420006b696d2e616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kim.almarez"
State = 0xb71a0bf8b71d112af1d78f0bcd53be2d
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for kim.almarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kim.almarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kim.almarez)
[ldap] expand: O=SMPRIME -> O=SMPRIME
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user kim.almarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kim.almarez with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1498
EAP-Message =
0x0108002b19001703010020b67088663b6039d4a9c90f13c1f75b147bc25c040460ced33b554cb989f51d40
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37e5184d30ed019d0fd828625cb2b12f
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1500, id=0,
length=180
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d30ed019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0208002b19001703010020afc9ad58dc4eaeb0cd31df70e64a2e70d873b7893fd45c94866f771c430c0c9c
Message-Authenticator = 0x1552a063a65c1859294c6558583d7435
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kim.almarez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 0 to 10.96.100.205 port 1500
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 1 ID 0 with timestamp +21
Cleaning up request 2 ID 0 with timestamp +21
Cleaning up request 3 ID 0 with timestamp +21
Cleaning up request 4 ID 0 with timestamp +21
Cleaning up request 5 ID 0 with timestamp +21
Cleaning up request 6 ID 0 with timestamp +21
Cleaning up request 7 ID 0 with timestamp +21
Cleaning up request 8 ID 0 with timestamp +21
Waking up in 1.0 seconds.
Cleaning up request 9 ID 0 with timestamp +21
Ready to process requests.
The difference is with this lines:
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kim.almarez with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect.
--
View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p29479714.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list