PAP with LDAP and PEAP/MSCHAPv2 with ntlm_auth
Neil Prockter
n.prockter at lse.ac.uk
Fri Jun 25 18:23:35 CEST 2010
On 24/06/10 11:03, Alan DeKok wrote:
> Neil Prockter wrote:
>> I have a working config for PAP with LDAP against AD and a working
>> config for PEAP/MSCHAPv2 with ntlm_auth.
>>
>> I need the server to do both but when I combine the configs one thing or
>> another breaks.
>
> And debug output says... ?
This is a config that works for PAP/LDAP but not PEAP/MSCHAPv2:
Info: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on
Jan 5 2010 at 02:56:18
Info: Copyright (C) 1999-2009 The FreeRADIUS server project and
contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License v2.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/proxy.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including files in directory /etc/freeradius/modules/
Debug: including configuration file /etc/freeradius/modules/exec
Debug: including configuration file /etc/freeradius/modules/radutmp
Debug: including configuration file /etc/freeradius/modules/expiration
Debug: including configuration file /etc/freeradius/modules/files
Debug: including configuration file /etc/freeradius/modules/attr_filter
Debug: including configuration file /etc/freeradius/modules/ippool
Debug: including configuration file /etc/freeradius/modules/etc_group
Debug: including configuration file /etc/freeradius/modules/counter
Debug: including configuration file /etc/freeradius/modules/realm
Debug: including configuration file /etc/freeradius/modules/detail.log
Debug: including configuration file /etc/freeradius/modules/wimax
Debug: including configuration file /etc/freeradius/modules/policy
Debug: including configuration file
/etc/freeradius/modules/detail.example.com
Debug: including configuration file /etc/freeradius/modules/linelog
Debug: including configuration file /etc/freeradius/modules/passwd
Debug: including configuration file /etc/freeradius/modules/preprocess
Debug: including configuration file /etc/freeradius/modules/perl
Debug: including configuration file /etc/freeradius/modules/mac2vlan
Debug: including configuration file /etc/freeradius/modules/sql_log
Debug: including configuration file /etc/freeradius/modules/acct_unique
Debug: including configuration file /etc/freeradius/modules/smbpasswd
Debug: including configuration file /etc/freeradius/modules/pap
Debug: including configuration file /etc/freeradius/modules/cui
Debug: including configuration file /etc/freeradius/modules/smsotp
Debug: including configuration file /etc/freeradius/modules/sradutmp
Debug: including configuration file /etc/freeradius/modules/always
Debug: including configuration file /etc/freeradius/modules/inner-eap
Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Debug: including configuration file /etc/freeradius/modules/expr
Debug: including configuration file /etc/freeradius/modules/krb5
Debug: including configuration file /etc/freeradius/modules/chap
Debug: including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
Debug: including configuration file /etc/freeradius/modules/checkval
Debug: including configuration file /etc/freeradius/modules/otp
Debug: including configuration file /etc/freeradius/modules/digest
Debug: including configuration file /etc/freeradius/modules/ldap
Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Debug: including configuration file /etc/freeradius/modules/mschap
Debug: including configuration file /etc/freeradius/modules/echo
Debug: including configuration file /etc/freeradius/modules/logintime
Debug: including configuration file /etc/freeradius/modules/detail
Debug: including configuration file /etc/freeradius/modules/pam
Debug: including configuration file /etc/freeradius/modules/mac2ip
Debug: including configuration file /etc/freeradius/modules/unix
Debug: including configuration file /etc/freeradius/eap.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file
/etc/freeradius/sites-enabled/inner-tunnel
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: main {
Debug: user = "freerad"
Debug: group = "freerad"
Debug: allow_core_dumps = no
Debug: }
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug: prefix = "/usr"
Debug: localstatedir = "/var"
Debug: logdir = "/var/log/freeradius"
Debug: libdir = "/usr/lib/freeradius"
Debug: radacctdir = "/var/log/freeradius/radacct"
Debug: hostname_lookups = no
Debug: max_request_time = 30
Debug: cleanup_delay = 5
Debug: max_requests = 1024
Debug: pidfile = "/var/run/freeradius/freeradius.pid"
Debug: checkrad = "/usr/sbin/checkrad"
Debug: debug_level = 0
Debug: proxy_requests = yes
Debug: log {
Debug: stripped_names = no
Debug: auth = no
Debug: auth_badpass = no
Debug: auth_goodpass = no
Debug: }
Debug: security {
Debug: max_attributes = 200
Debug: reject_delay = 1
Debug: status_server = yes
Debug: }
Debug: }
Debug: radiusd: #### Loading Realms and Home Servers ####
Debug: proxy server {
Debug: retry_delay = 5
Debug: retry_count = 3
Debug: default_fallback = no
Debug: dead_time = 120
Debug: wake_all_if_all_dead = no
Debug: }
Debug: home_server localhost {
Debug: ipaddr = 127.0.0.1
Debug: port = 1812
Debug: type = "auth"
Debug: secret = "testing123"
Debug: response_window = 20
Debug: max_outstanding = 65536
Debug: require_message_authenticator = no
Debug: zombie_period = 40
Debug: status_check = "status-server"
Debug: ping_interval = 30
Debug: check_interval = 30
Debug: num_answers_to_alive = 3
Debug: num_pings_to_alive = 3
Debug: revive_interval = 120
Debug: status_check_timeout = 4
Debug: irt = 2
Debug: mrt = 16
Debug: mrc = 5
Debug: mrd = 30
Debug: }
Debug: home_server_pool my_auth_failover {
Debug: type = fail-over
Debug: home_server = localhost
Debug: }
Debug: realm example.com {
Debug: auth_pool = my_auth_failover
Debug: }
Debug: realm LOCAL {
Debug: }
Debug: radiusd: #### Loading Clients ####
Debug: client localhost {
Debug: ipaddr = 127.0.0.1
Debug: require_message_authenticator = no
Debug: secret = "testing123"
Debug: nastype = "other"
Debug: }
Debug: client wism.net {
Debug: require_message_authenticator = no
Debug: secret = "police"
Debug: }
Debug: radiusd: #### Instantiating modules ####
Debug: instantiate {
Debug: (Loaded rlm_exec, checking if it's valid)
Debug: Module: Linked to module rlm_exec
Debug: Module: Instantiating exec
Debug: exec {
Debug: wait = no
Debug: input_pairs = "request"
Debug: shell_escape = yes
Debug: }
Debug: (Loaded rlm_expr, checking if it's valid)
Debug: Module: Linked to module rlm_expr
Debug: Module: Instantiating expr
Debug: (Loaded rlm_expiration, checking if it's valid)
Debug: Module: Linked to module rlm_expiration
Debug: Module: Instantiating expiration
Debug: expiration {
Debug: reply-message = "Password Has Expired "
Debug: }
Debug: (Loaded rlm_logintime, checking if it's valid)
Debug: Module: Linked to module rlm_logintime
Debug: Module: Instantiating logintime
Debug: logintime {
Debug: reply-message = "You are calling outside your allowed timespan "
Debug: minimum-timeout = 60
Debug: }
Debug: }
Debug: radiusd: #### Loading Virtual Servers ####
Debug: server inner-tunnel {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_pap, checking if it's valid)
Debug: Module: Linked to module rlm_pap
Debug: Module: Instantiating pap
Debug: pap {
Debug: encryption_scheme = "auto"
Debug: auto_header = no
Debug: }
Debug: (Loaded rlm_chap, checking if it's valid)
Debug: Module: Linked to module rlm_chap
Debug: Module: Instantiating chap
Debug: (Loaded rlm_mschap, checking if it's valid)
Debug: Module: Linked to module rlm_mschap
Debug: Module: Instantiating mschap
Debug: mschap {
Debug: use_mppe = yes
Debug: require_encryption = no
Debug: require_strong = no
Debug: with_ntdomain_hack = yes
Debug: ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Debug: }
Debug: (Loaded rlm_unix, checking if it's valid)
Debug: Module: Linked to module rlm_unix
Debug: Module: Instantiating unix
Debug: unix {
Debug: radwtmp = "/var/log/freeradius/radwtmp"
Debug: }
Debug: (Loaded rlm_eap, checking if it's valid)
Debug: Module: Linked to module rlm_eap
Debug: Module: Instantiating eap
Debug: eap {
Debug: default_eap_type = "md5"
Debug: timer_expire = 60
Debug: ignore_unknown_eap_types = no
Debug: cisco_accounting_username_bug = no
Debug: max_sessions = 4096
Debug: }
Debug: Module: Linked to sub-module rlm_eap_md5
Debug: Module: Instantiating eap-md5
Debug: Module: Linked to sub-module rlm_eap_leap
Debug: Module: Instantiating eap-leap
Debug: Module: Linked to sub-module rlm_eap_gtc
Debug: Module: Instantiating eap-gtc
Debug: gtc {
Debug: challenge = "Password: "
Debug: auth_type = "PAP"
Debug: }
Debug: Module: Linked to sub-module rlm_eap_tls
Debug: Module: Instantiating eap-tls
Debug: tls {
Debug: rsa_key_exchange = no
Debug: dh_key_exchange = yes
Debug: rsa_key_length = 512
Debug: dh_key_length = 512
Debug: verify_depth = 0
Debug: pem_file_type = yes
Debug: private_key_file = "/etc/freeradius/certs/server.key"
Debug: certificate_file = "/etc/freeradius/certs/server.pem"
Debug: CA_file = "/etc/freeradius/certs/ca.pem"
Debug: private_key_password = "whatever"
Debug: dh_file = "/etc/freeradius/certs/dh"
Debug: random_file = "/etc/freeradius/certs/random"
Debug: fragment_size = 1024
Debug: include_length = yes
Debug: check_crl = no
Debug: cipher_list = "DEFAULT"
Debug: make_cert_command = "/etc/freeradius/certs/bootstrap"
Debug: cache {
Debug: enable = no
Debug: lifetime = 24
Debug: max_entries = 255
Debug: }
Debug: }
Debug: Module: Linked to sub-module rlm_eap_ttls
Debug: Module: Instantiating eap-ttls
Debug: ttls {
Debug: default_eap_type = "md5"
Debug: copy_request_to_tunnel = no
Debug: use_tunneled_reply = no
Debug: virtual_server = "inner-tunnel"
Debug: include_length = yes
Debug: }
Debug: Module: Linked to sub-module rlm_eap_peap
Debug: Module: Instantiating eap-peap
Debug: peap {
Debug: default_eap_type = "mschapv2"
Debug: copy_request_to_tunnel = no
Debug: use_tunneled_reply = no
Debug: proxy_tunneled_request_as_eap = yes
Debug: virtual_server = "inner-tunnel"
Debug: }
Debug: Module: Linked to sub-module rlm_eap_mschapv2
Debug: Module: Instantiating eap-mschapv2
Debug: mschapv2 {
Debug: with_ntdomain_hack = no
Debug: }
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_realm, checking if it's valid)
Debug: Module: Linked to module rlm_realm
Debug: Module: Instantiating suffix
Debug: realm suffix {
Debug: format = "suffix"
Debug: delimiter = "@"
Debug: ignore_default = no
Debug: ignore_null = no
Debug: }
Debug: (Loaded rlm_files, checking if it's valid)
Debug: Module: Linked to module rlm_files
Debug: Module: Instantiating files
Debug: files {
Debug: usersfile = "/etc/freeradius/users"
Debug: acctusersfile = "/etc/freeradius/acct_users"
Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Debug: compat = "no"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: (Loaded rlm_radutmp, checking if it's valid)
Debug: Module: Linked to module rlm_radutmp
Debug: Module: Instantiating radutmp
Debug: radutmp {
Debug: filename = "/var/log/freeradius/radutmp"
Debug: username = "%{User-Name}"
Debug: case_sensitive = yes
Debug: check_with_nas = yes
Debug: perm = 384
Debug: callerid = yes
Debug: }
Debug: Module: Checking post-proxy {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: (Loaded rlm_attr_filter, checking if it's valid)
Debug: Module: Linked to module rlm_attr_filter
Debug: Module: Instantiating attr_filter.access_reject
Debug: attr_filter attr_filter.access_reject {
Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
Debug: key = "%{User-Name}"
Debug: }
Debug: } # modules
Debug: } # server
Debug: server {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_ldap, checking if it's valid)
Debug: Module: Linked to module rlm_ldap
Debug: Module: Instantiating ldap
Debug: ldap {
Debug: server = "ad.net"
Debug: port = 389
Debug: password = "UNKNOWN"
Debug: identity = "cn=UNKNOWN,cn=Users,dc=net"
Debug: net_timeout = 1
Debug: timeout = 4
Debug: timelimit = 3
Debug: tls_mode = no
Debug: start_tls = no
Debug: tls_require_cert = "allow"
Debug: tls {
Debug: start_tls = no
Debug: require_cert = "allow"
Debug: }
Debug: basedn = "cn=Users,dc=net"
Debug: filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
Debug: base_filter = "(objectclass=radiusprofile)"
Debug: auto_header = no
Debug: access_attr_used_for_allow = yes
Debug: groupname_attribute = "cn"
Debug: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
Debug: ldap_debug = 0
Debug: ldap_connections_number = 5
Debug: compare_check_items = no
Debug: do_xlat = yes
Debug: edir_account_policy_check = no
Debug: set_auth_type = yes
Debug: }
Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: reading ldap<->radius mappings from file
/etc/freeradius/ldap.attrmap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use
Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id
Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address
Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
Debug: rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS
Tunnel-Medium-Type
Debug: rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
Debug: conns: 0x1663c00
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_preprocess, checking if it's valid)
Debug: Module: Linked to module rlm_preprocess
Debug: Module: Instantiating preprocess
Debug: preprocess {
Debug: huntgroups = "/etc/freeradius/huntgroups"
Debug: hints = "/etc/freeradius/hints"
Debug: with_ascend_hack = no
Debug: ascend_channels_per_line = 23
Debug: with_ntdomain_hack = no
Debug: with_specialix_jetstream_hack = no
Debug: with_cisco_vsa_hack = no
Debug: with_alvarion_vsa_hack = no
Debug: }
Debug: Module: Checking preacct {...} for more modules to load
Debug: (Loaded rlm_acct_unique, checking if it's valid)
Debug: Module: Linked to module rlm_acct_unique
Debug: Module: Instantiating acct_unique
Debug: acct_unique {
Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Debug: }
Debug: Module: Checking accounting {...} for more modules to load
Debug: (Loaded rlm_detail, checking if it's valid)
Debug: Module: Linked to module rlm_detail
Debug: Module: Instantiating detail
Debug: detail {
Debug: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Debug: header = "%t"
Debug: detailperm = 384
Debug: dirperm = 493
Debug: locking = no
Debug: log_packet_header = no
Debug: }
Debug: Module: Instantiating attr_filter.accounting_response
Debug: attr_filter attr_filter.accounting_response {
Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
Debug: key = "%{User-Name}"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: Module: Checking post-proxy {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: } # modules
Debug: } # server
Debug: radiusd: #### Opening IP addresses and Ports ####
Debug: listen {
Debug: type = "auth"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: listen {
Debug: type = "acct"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: Listening on authentication address * port 1812
Debug: Listening on accounting address * port 1813
Debug: Listening on proxy address * port 1814
Info: Ready to process requests.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=228, length=181
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x0202000e01616e6f6e796d6f7573
Message-Authenticator = 0x3b9fe0ba7bf891b5ca19f03e42078be3
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 2 length 14
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[unix] returns notfound
Info: ++[files] returns noop
Info: [ldap] performing user authorization for anonymous
Info: [ldap] expand: %{Stripped-User-Name} ->
Info: [ldap] ... expanding second conditional
Info: [ldap] expand: %{User-Name} -> anonymous
Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=anonymous)
Info: [ldap] expand: cn=Users,dc=net -> cn=Users,dc=net
Debug: [ldap] ldap_get_conn: Checking Id: 0
Debug: [ldap] ldap_get_conn: Got Id: 0
Debug: [ldap] attempting LDAP reconnection
Debug: [ldap] (re)connect to ad1.net:389, authentication 0
Debug: [ldap] bind as cn=UNKNOWN,cn=Users,dc=net/UNKNOWN to ad.net:389
Debug: [ldap] waiting for bind result ...
Debug: [ldap] Bind was successful
Debug: [ldap] performing search in cn=Users,dc=net, with filter
(cn=anonymous)
Debug: [ldap] object not found
Info: [ldap] search failed
Debug: [ldap] ldap_release_conn: Release Id: 0
Info: ++[ldap] returns notfound
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] EAP Identity
Info: [eap] processing type md5
Debug: rlm_eap_md5: Issuing Challenge
Info: ++[eap] returns handled
Sending Access-Challenge of id 228 to WI.SM.IP.AD port 32769
EAP-Message = 0x0103001604101efb6c5b449907ded101f79bf4da4ea1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d65f3a9e6f4a939a01468bf34
Info: Finished request 0.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=229, length=191
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x020300060319
State = 0x65f0ad2d65f3a9e6f4a939a01468bf34
Message-Authenticator = 0x179fef7f379024051186e7de60beed29
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 3 length 6
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[unix] returns notfound
Info: ++[files] returns noop
Info: [ldap] performing user authorization for anonymous
Info: [ldap] expand: %{Stripped-User-Name} ->
Info: [ldap] ... expanding second conditional
Info: [ldap] expand: %{User-Name} -> anonymous
Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=anonymous)
Info: [ldap] expand: cn=Users,dc=net -> cn=Users,dc=net
Debug: [ldap] ldap_get_conn: Checking Id: 0
Debug: [ldap] ldap_get_conn: Got Id: 0
Debug: [ldap] performing search in cn=Users,dc=net, with filter
(cn=anonymous)
Debug: [ldap] object not found
Info: [ldap] search failed
Debug: [ldap] ldap_release_conn: Release Id: 0
Info: ++[ldap] returns notfound
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP NAK
Info: [eap] EAP-NAK asked for EAP-Type/peap
Info: [eap] processing type tls
Info: [tls] Initiate
Info: [tls] Start returned 1
Info: ++[eap] returns handled
Sending Access-Challenge of id 229 to WI.SM.IP.AD port 32769
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d64f4b4e6f4a939a01468bf34
Info: Finished request 1.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=230, length=296
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message =
0x0204006f19800000006516030100600100005c03014c24d1d07d00bac9bd661d741d6ae192350e5909eef304731ccd40d53c94d014000018002f00350005000ac013c014c009c00a00320038001300040100001b0000000700050000026e70000a0006000400170018000b00020100
State = 0x65f0ad2d64f4b4e6f4a939a01468bf34
Message-Authenticator = 0xb9fa17ba1dd694d52f755de2848888af
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 4 length 111
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Debug: TLS Length 101
Info: [peap] Length Included
Info: [peap] eaptls_verify returned 11
Info: [peap] (other): before/accept initialization
Info: [peap] TLS_accept: before/accept initialization
Info: [peap] <<< TLS 1.0 Handshake [length 0060], ClientHello
Info: [peap] TLS_accept: SSLv3 read client hello A
Info: [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
Info: [peap] TLS_accept: SSLv3 write server hello A
Info: [peap] >>> TLS 1.0 Handshake [length 0cda], Certificate
Info: [peap] TLS_accept: SSLv3 write certificate A
Info: [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Info: [peap] TLS_accept: SSLv3 write server done A
Info: [peap] TLS_accept: SSLv3 flush data
Info: [peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
Debug: In SSL Handshake Phase
Debug: In SSL Accept mode
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 230 to WI.SM.IP.AD port 32769
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d67f5b4e6f4a939a01468bf34
Info: Finished request 2.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=231, length=191
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x020500061900
State = 0x65f0ad2d67f5b4e6f4a939a01468bf34
Message-Authenticator = 0xf4969c9017799f7479e44f9583f56894
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 5 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 231 to WI.SM.IP.AD port 32769
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d66f6b4e6f4a939a01468bf34
Info: Finished request 3.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=232, length=191
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x020600061900
State = 0x65f0ad2d66f6b4e6f4a939a01468bf34
Message-Authenticator = 0xe8d49e3a50281578c82514ef251d91b5
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 6 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 232 to WI.SM.IP.AD port 32769
EAP-Message =
EAP-Message =
0x4d7cf25a11877bfad48dd12f55991a5fef1608b13dd23d1ecbb5f05797523a126362b6f2bccde2a69c17ce28e0c60f5aecbf70bd5ae754bef1cfc63d9f5f7adab72e65eac2d3e9c7babe4dcbda33ae559dae14f6320862e189e4342a753c2a05a92b5038bb5986a6845a84c3bd43ba9f1f1505ceb5770dd4dd2f49c8fe58954bbc4e9613001e9cb82777711dc461cbf41e8c33b300670db7b2ac8c3d3adc382f642d00818935d8e2b93117fe3a5fd1000379308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369
EAP-Message =
EAP-Message =
EAP-Message = 0xff301d0603551d0e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d61f7b4e6f4a939a01468bf34
Info: Finished request 4.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=233, length=191
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x020700061900
State = 0x65f0ad2d61f7b4e6f4a939a01468bf34
Message-Authenticator = 0xed02f88c28a03f52688f377358f999c3
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 7 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 233 to WI.SM.IP.AD port 32769
EAP-Message =
EAP-Message =
0x3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d60f8b4e6f4a939a01468bf34
Info: Finished request 5.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=234, length=393
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message =
0x020800d01980000000c6160301008610000082008016ef2214088be1cdd7eb700a74658c482c2a64f206405c889bea11be679a688f8e2deefe319300dbddcf5e9251d92d8e231cf7048ea52fe0e2245e13d0c6938f1f66f441f596653f04870273b80424fb4cf836d05ade39a5b22667e0dc5bf3b19da39a7c3fe44ce5ee9be4f17f5e653632c92dc130f05dbfa8164773fa53194014030100010116030100300ae47b27b1177d1659e0878d3bf4f5050f55838c717c41146053493be212d0487d67adcde2edaf024724891ba5005ceb
State = 0x65f0ad2d60f8b4e6f4a939a01468bf34
Message-Authenticator = 0x9558017ea83d954d2f4675a7a977c12d
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 8 length 208
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Debug: TLS Length 198
Info: [peap] Length Included
Info: [peap] eaptls_verify returned 11
Info: [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Info: [peap] TLS_accept: SSLv3 read client key exchange A
Info: [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Info: [peap] <<< TLS 1.0 Handshake [length 0010], Finished
Info: [peap] TLS_accept: SSLv3 read finished A
Info: [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Info: [peap] TLS_accept: SSLv3 write change cipher spec A
Info: [peap] >>> TLS 1.0 Handshake [length 0010], Finished
Info: [peap] TLS_accept: SSLv3 write finished A
Info: [peap] TLS_accept: SSLv3 flush data
Info: [peap] (other): SSL negotiation finished successfully
Debug: SSL Connection Established
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 234 to WI.SM.IP.AD port 32769
EAP-Message =
0x01090041190014030100010116030100308712947469621f0a7daa7cda1509647b52efa024cba3a8f8f28a57041acc7e2f0ce3e17e2ac1fd892c98e39693086987
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d63f9b4e6f4a939a01468bf34
Info: Finished request 6.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=235, length=191
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message = 0x020900061900
State = 0x65f0ad2d63f9b4e6f4a939a01468bf34
Message-Authenticator = 0x8c90905c54913a7d02dc49be82d7748d
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 9 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake is finished
Info: [peap] eaptls_verify returned 3
Info: [peap] eaptls_process returned 3
Info: [peap] EAPTLS_SUCCESS
Info: ++[eap] returns handled
Sending Access-Challenge of id 235 to WI.SM.IP.AD port 32769
EAP-Message =
0x010a002b1900170301002034fbfc1f5fed6e9d753ac4f78861a6413a13a95fd0161198ee26e6808ab4052c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d62fab4e6f4a939a01468bf34
Info: Finished request 7.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=236, length=228
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message =
0x020a002b19001703010020d6176f7b410617c4dfe15778edd548db125e4d05835fcf78d1db8c28f9cc9883
State = 0x65f0ad2d62fab4e6f4a939a01468bf34
Message-Authenticator = 0xc7b49dfac47ceb1d898fa94ebfca2f73
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 10 length 43
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 01 6e 70
Info: [peap] Identity - np
Info: [peap] Got tunneled request
EAP-Message = 0x020a0007016e70
server {
Debug: PEAP: Got tunneled identity of np
Debug: PEAP: Setting default EAP type for tunneled EAP session.
Debug: PEAP: Setting User-Name to np
Sending tunneled request
EAP-Message = 0x020a0007016e70
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "np"
server inner-tunnel {
Info: +- entering group authorize {...}
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: ++[unix] returns notfound
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: ++[control] returns noop
Info: [eap] EAP packet type response id 10 length 7
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[files] returns noop
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] EAP Identity
Info: [eap] processing type mschapv2
Debug: rlm_eap_mschapv2: Issuing Challenge
Info: ++[eap] returns handled
} # server inner-tunnel
Info: [peap] Got tunneled reply code 11
EAP-Message = 0x010b001c1a010b001710028ad2ebffffa9625538cea34a3e243a6e70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb39c7d1cb397675a0ab86daaede9146a
Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010b001c1a010b001710028ad2ebffffa9625538cea34a3e243a6e70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb39c7d1cb397675a0ab86daaede9146a
Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 01 0b 00 17 10 02 8a d2 eb ff ff a9 62 55 38
PEAP tunnel data out 0010: ce a3 4a 3e 24 3a 6e 70
Info: ++[eap] returns handled
Sending Access-Challenge of id 236 to WI.SM.IP.AD port 32769
EAP-Message =
0x010b003b19001703010030eaa27cae66bfc42920b049aec687d64b1b4723650fc4fb58ee1f1158979cd93c4abfec16d8f27668812c89ea17e12da3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d6dfbb4e6f4a939a01468bf34
Info: Finished request 8.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769,
id=237, length=276
User-Name = "anonymous"
Calling-Station-Id = "00-de-ad-be-ef-00"
Called-Station-Id = "00-de-ad-be-ef-00:300s71"
NAS-Port = 29
NAS-IP-Address = WI.SM.IP.AD
NAS-Identifier = "wism-s-7-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "224"
EAP-Message =
0x020b005b190017030100508c3e82cfb3e4e5eaa0bf0f51ff541b1bbd13c7457596eefda104cc8f94b266604b7a5918f62b7ffee66b21ff7b1c990c16524efab5a171da3e9afcf675b856ef080c9a9e6d0ec5cb065dddc005074049
State = 0x65f0ad2d6dfbb4e6f4a939a01468bf34
Message-Authenticator = 0xb5ccd9d2be70c7df6cf6c778fefb6bd2
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 11 length 91
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 02 0b 00 38 31 e3 29 3a 5b fc 38 b6 ff d2 d9
PEAP tunnel data in 0010: 4a 90 e0 ed 79 66 00 00 00 00 00 00 00 00 56 3e
PEAP tunnel data in 0020: 33 2d 28 c1 22 b4 4a 66 0a 02 8d a5 31 b4 c4 8c
PEAP tunnel data in 0030: 6b 0e c7 1c f6 e8 00 6e 70
Info: [peap] EAP type mschapv2
Info: [peap] Got tunneled request
EAP-Message =
0x020b003d1a020b003831e3293a5bfc38b6ffd2d94a90e0ed79660000000000000000563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8006e70
server {
Debug: PEAP: Setting User-Name to np
Sending tunneled request
EAP-Message =
0x020b003d1a020b003831e3293a5bfc38b6ffd2d94a90e0ed79660000000000000000563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8006e70
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "np"
State = 0xb39c7d1cb397675a0ab86daaede9146a
server inner-tunnel {
Info: +- entering group authorize {...}
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: ++[unix] returns notfound
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: ++[control] returns noop
Info: [eap] EAP packet type response id 11 length 61
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[files] returns noop
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/mschapv2
Info: [eap] processing type mschapv2
Info: [mschapv2] +- entering group MS-CHAP {...}
Info: [mschap] Told to do MS-CHAPv2 for np with NT-Password
Info: [mschap] expand: %{Stripped-User-Name} ->
Info: [mschap] ... expanding second conditional
Info: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Info: [mschap] expand: %{User-Name:-None} -> np
Info: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=np
Info: [mschap] mschap2: 02
Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=e70378161b70bec1
Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8
Debug: Exec-Program output: NT_KEY: E92808F4B14A0ABEEBC125A12E908546
Debug: Exec-Program-Wait: plaintext: NT_KEY: E92808F4B14A0ABEEBC125A12E908546
Debug: Exec-Program: returned: 0
Info: [mschap] adding MS-CHAPv2 MPPE keys
Info: ++[mschap] returns ok
Debug: MSCHAP Success
Info: ++[eap] returns handled
} # server inner-tunnel
Info: [peap] Got tunneled reply code 11
EAP-Message =
0x010c00331a030b002e533d37303232433143333645413945374241383346433837353537363541373131324243373937324132
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb39c7d1cb290675a0ab86daaede9146a
Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010c00331a030b002e533d37303232433143333645413945374241383346433837353537363541373131324243373937324132
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb39c7d1cb290675a0ab86daaede9146a
Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 03 0b 00 2e 53 3d 37 30 32 32 43 31 43 33 36
PEAP tunnel data out 0010: 45 41 39 45 37 42 41 38 33 46 43 38 37 35 35 37
PEAP tunnel data out 0020: 36 35 41 37 31 31 32 42 43 37 39 37 32 41 32
Info: ++[eap] returns handled
Sending Access-Challenge of id 237 to WI.SM.IP.AD port 32769
EAP-Message =
0x010c005b19001703010050b38e016e1d1c4a26834e93a2c9d27528caf14a8686c1052589683f903485d2a27542951f5bbbc2efabcbb4d46866c159feee98b49a134f5effa4fd89fc696c2200726e3f59ff1ef7b8d230ca3f21dc74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65f0ad2d6cfcb4e6f4a939a01468bf34
Info: Finished request 9.
Debug: Going to the next request
Debug: Waking up in 4.8 seconds.
Info: Cleaning up request 0 ID 228 with timestamp +39
Info: Cleaning up request 1 ID 229 with timestamp +39
Info: Cleaning up request 2 ID 230 with timestamp +39
Info: Cleaning up request 3 ID 231 with timestamp +39
Info: Cleaning up request 4 ID 232 with timestamp +39
Info: Cleaning up request 5 ID 233 with timestamp +39
Info: Cleaning up request 6 ID 234 with timestamp +39
Info: Cleaning up request 7 ID 235 with timestamp +39
Info: Cleaning up request 8 ID 236 with timestamp +39
Info: Cleaning up request 9 ID 237 with timestamp +39
Info: Ready to process requests.
>
>> Does anyone have such a setup working or know if it is possible/impossible.
>
> It's possible.
>
>> Would it be simpler to use a virtual server for one or the other?
>
> There are already two virtual servers: default, and inner-tunnel. You
> can use those.
>
> Step 1: start with default config
> Step 2: get LDAP to work with PAP
> Step 3: configure "ntlm_auth" for the MSCHAP module.
>
> After that, both will work.
>
> The *usual* cause of problems is that you're forcing Auth-Type. Don't
> do that.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
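The three steps in the quoted reply, written out as one FreeRADIUS 2.x configuration. This is an added example and is not the poster's configuration or a file from the thread; the module file paths, the LDAP host, bind DN, bind password and base DN are assumptions. The ntlm_auth expansions are the ones visible in the debug output above, with "%{%{User-Name}:-None}" in place of the deprecated "%{User-Name:-None}" form the log warns about. The final comment block shows the forced Auth-Type that the reply says is the usual cause of one path breaking the other.

```conf
# --- modules/mschap (path assumed) -------------------------------------
# Inner MS-CHAPv2 is verified by Samba's ntlm_auth, which asks the DC.
# ntlm_auth answers on stdout with "NT_KEY: <hex>", the material rlm_mschap
# turns into the MPPE keys ("adding MS-CHAPv2 MPPE keys" in the log), so a
# debug log that contains it should be handled as sensitive.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- modules/ldap (path, host, DNs and password assumed) ---------------
# PAP against AD.  AD never returns a password attribute, so the module
# sets Auth-Type := LDAP itself when a request carries User-Password, and
# the "authenticate" section then binds to AD as that user.
ldap {
    server = "dc.example.org"
    identity = "cn=radius,ou=service,dc=example,dc=org"
    password = "change-me"
    basedn = "dc=example,dc=org"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    set_auth_type = yes
}

# --- sites-enabled/default (outer server, no server {} wrapper in 2.x) --
authorize {
    preprocess
    suffix
    # EAP requests are claimed here and return immediately, so ldap never
    # runs on them and cannot touch their Auth-Type.
    eap {
        ok = return
    }
    ldap
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

# --- sites-enabled/inner-tunnel ----------------------------------------
server inner-tunnel {
    authorize {
        mschap
        suffix
        eap
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# --- users (files module) ----------------------------------------------
# The forced Auth-Type that makes the two paths fight: this entry replaces
# the Auth-Type = EAP the eap module already set, so PEAP requests are
# handed to the LDAP bind, which cannot authenticate an EAP exchange.
# Leave it out; let rlm_eap and rlm_ldap set Auth-Type themselves.
#
#   DEFAULT  Auth-Type := LDAP
```

Two checks that exercise the same paths as the log above: `radtest np '<password>' localhost 0 <shared-secret>` should come back Access-Accept through the LDAP bind, and the ntlm_auth command line run by hand, as the user radiusd runs as and with the `--challenge` and `--nt-response` values from a `radiusd -X` run, should print `NT_KEY:` rather than an NT_STATUS error. If the manual run works as root but not as the radiusd user, the usual cause is that the radiusd user is not allowed to reach winbindd's privileged pipe (membership of the `winbindd_priv` group on Samba systems).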