freeradius authentication stops working after some time...

Casartello, Thomas tcasartello at wsc.ma.edu
Mon Jun 7 15:43:14 CEST 2010


Has anyone else seen a problem with this? This is starting to happen more
commonly with me. I'm having to reboot the server that Freeradius runs on to
get the authentication working again. I'm using AD auth through
Winbind....Here is the debug...

Machine authentication is properly configured. When I reboot it, this same
authentication is successful. The strange thing is that a reboot is
necessary. Just restarting radius, winbind, and smbd doesn't cut it......

rad_recv: Access-Request packet from host 172.20.4.253 port 32769, id=165,
length=329
        User-Name = "host/basestar.ads.wsc.ma.edu"
        Calling-Station-Id = "00-21-5c-7d-71-fd"
        Called-Station-Id = "00-21-d7-90-64-10:s-wsc"
        NAS-Port = 29
        NAS-IP-Address = 172.20.4.253
        NAS-Identifier = "abbott-wism-b"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "491"
        EAP-Message =
0x020b007b19001703010070abe23d0799f55b545cee42461dd141d17c72c67cb2dabd470668
441eaec01a8266d6d4f36f751270037d895acddc86660b043ce05bf1f2bd3788e0d72bc3ed10
cb62242f62cb3227d4141974651832f49a1a9003f46db1f1de9b12e13c4372ff3bebd05b274f
c4ca2a60dcb3ce47a80b
        State = 0x1d035cd3150845bae32ebc5933237cec
        Message-Authenticator = 0x77259c5c45ce8c9a600ee9e9f9120e52
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/basestar.ads.wsc.ma.edu", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/basestar.ads.wsc.ma.edu", looking up
realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 11 length 123
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020b00571a020b005231dbfe5edcdb81d9452effcb46478d712d0000000000000000c133d8
84067c2ea1fff7a04fef31119b91de14974498a8e000686f73742f62617365737461722e6164
732e7773632e6d612e656475
server  {
  PEAP: Setting User-Name to host/basestar.ads.wsc.ma.edu
Sending tunneled request
        EAP-Message =
0x020b00571a020b005231dbfe5edcdb81d9452effcb46478d712d0000000000000000c133d8
84067c2ea1fff7a04fef31119b91de14974498a8e000686f73742f62617365737461722e6164
732e7773632e6d612e656475
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "host/basestar.ads.wsc.ma.edu"
        State = 0x6498913564938b9115406469a8f16067
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/basestar.ads.wsc.ma.edu", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/basestar.ads.wsc.ma.edu", looking up
realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 87
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 13
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/basestar.ads.wsc.ma.edu with
NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[mschap]        ... expanding second conditional
[mschap]        expand: %{mschap:User-Name:-None} -> basestar$
[mschap]        expand:
--username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} ->
--username=basestar$
[mschap]  mschap2: a7
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=9e1c53abac5d5f70
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=c133d884067c2ea1fff7a04fef31119b91de14974498a8e0
Exec-Program output: NT_KEY: 07241CE38653EA3AEBF9A1F92A945380 
Exec-Program-Wait: plaintext: NT_KEY: 07241CE38653EA3AEBF9A1F92A945380 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010c00331a030b002e533d3241323844453432324345383245414531453633324144333538
3141304238443644383443303631
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6498913565948b9115406469a8f16067
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010c00331a030b002e533d3241323844453432324345383245414531453633324144333538
3141304238443644383443303631
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6498913565948b9115406469a8f16067
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 165 to 172.20.4.253 port 32769
        EAP-Message =
0x010c005b19001703010050b9cc4946916158a9cc76c97e8ea8072014edda81414c6cfc1f4d
89147ee419fb9d9f624e2737b751db9eea008fd0b613d42ac1d903696d9897e801e96f323eb5
346ce82bd5e4bced9cf8af66d7684d53
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1d035cd3140f45bae32ebc5933237cec

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org
] On Behalf Of Bruce Nunn
Sent: Wednesday, June 02, 2010 9:39 AM
To: FreeRadius users mailing list
Subject: Re: freeradius authentication stops working after some time...

I run 2.1.8, server 2008 R2  and samba 3.5.2. It's something to do with
winbind, but I have not nailed it down on my installation yet.
Sent via Verizon Wireless

-----Original Message-----
From: "Casartello, Thomas" <tcasartello at wsc.ma.edu>
Date: Wed, 2 Jun 2010 08:28:23 
To: 'FreeRadius users mailing list'<freeradius-users at lists.freeradius.org>
Subject: RE: freeradius authentication stops working after some time...

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
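
Added example, not part of the original post: a small decoder for the two tunneled EAP-Message values in the debug output above, so the inner MSCHAPv2 exchange can be checked against the ntlm_auth arguments and the "MSCHAP Success" line. The field layout is assumed from the EAP-MSCHAPv2 draft (draft-kamath-pppext-eap-mschapv2); the function and constant names are hypothetical, and the hex strings are copied from the log.

```python
import struct

# Tunneled EAP-Message values copied from the debug output in the post.
INNER_RESPONSE = bytes.fromhex(
    "020b00571a020b005231dbfe5edcdb81d9452effcb46478d712d0000000000000000c133d8"
    "84067c2ea1fff7a04fef31119b91de14974498a8e000686f73742f62617365737461722e6164"
    "732e7773632e6d612e656475")
INNER_REPLY = bytes.fromhex(
    "010c00331a030b002e533d3241323844453432324345383245414531453633324144333538"
    "3141304238443644383443303631")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26


def parse_eap_mschapv2(packet: bytes) -> dict:
    """Decode an EAP-MSCHAPv2 Response or Success/Failure Request packet.

    Truncated or internally inconsistent input raises ValueError.
    """
    if len(packet) < 9:
        raise ValueError("too short for an EAP-MSCHAPv2 header")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError(f"EAP length {length} != {len(packet)} bytes supplied")
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {eap_type} is not MSCHAPv2 (26)")
    opcode, ms_id, ms_length = struct.unpack("!BBH", packet[5:9])
    if ms_length != length - 5:
        raise ValueError("MS-Length disagrees with EAP length")
    out = {"code": EAP_CODES.get(code, code), "id": eap_id,
           "opcode": MSCHAP_OPCODES.get(opcode, opcode), "ms_id": ms_id}
    body = packet[9:]
    if opcode == 2:  # Response: Value-Size(1), 49-byte value, then Name
        if len(body) < 50 or body[0] != 49:
            raise ValueError("bad Value-Size in MSCHAPv2 Response")
        value = body[1:50]
        out["peer_challenge"] = value[:16].hex()
        out["nt_response"] = value[24:48].hex()  # bytes 16..23 are reserved
        out["flags"] = value[48]
        out["name"] = body[50:].decode("ascii", "replace")
    elif opcode in (3, 4):  # Success / Failure request carries a text message
        out["message"] = body.decode("ascii", "replace")
    return out


if __name__ == "__main__":
    for pkt in (INNER_RESPONSE, INNER_REPLY):
        print(parse_eap_mschapv2(pkt))
```

The decoded NT-Response is the same value the log passes to ntlm_auth as --nt-response, and the reply decodes to an MSCHAPv2 Success opcode, which agrees with "Exec-Program: returned: 0" in this capture.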