PEAP w/ freeradius to LDAP storing ntPassword not working - resolved
schilling
schilling2006 at gmail.com
Sat Nov 6 21:42:15 CET 2010
Here is my radiusd -X output of an assumed successful login with PEAP.
Would you please see whether this is working? Yes, the default with
one ldap line commented out in sites-enabled/inner-tunnel works. But it
will not work once I have a virtual server in the radiusd.conf.
The debug is done with the default radius configuration with only the
following addition:
I could add all the uncommented lines in sites-enabled/default to this
virtual server instance, I just want to see what exactly is my
previous issue, so I reduced to the minimum "working" configuration, I thought.
Well, maybe not.
###sding
server ldap_ntpassword_1814 {
    listen {
        type = auth
        ipaddr = *
        port = 1814
    }
    listen {
        ipaddr = *
        port = 1815
        type = acct
    }
    authorize {
        eap {
            ok = return
        }
    }
    authenticate {
        eap
    }
}
###sding
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 5
2010 at 10:45:49
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /home/sding/opt/etc/raddb/radiusd.conf
including configuration file /home/sding/opt/etc/raddb/proxy.conf
including configuration file /home/sding/opt/etc/raddb/clients.conf
including files in directory /home/sding/opt/etc/raddb/modules/
including configuration file /home/sding/opt/etc/raddb/modules/acct_unique
including configuration file /home/sding/opt/etc/raddb/modules/always
including configuration file /home/sding/opt/etc/raddb/modules/attr_filter
including configuration file /home/sding/opt/etc/raddb/modules/attr_rewrite
including configuration file /home/sding/opt/etc/raddb/modules/chap
including configuration file /home/sding/opt/etc/raddb/modules/checkval
including configuration file /home/sding/opt/etc/raddb/modules/counter
including configuration file /home/sding/opt/etc/raddb/modules/cui
including configuration file /home/sding/opt/etc/raddb/modules/detail
including configuration file
/home/sding/opt/etc/raddb/modules/detail.example.com
including configuration file /home/sding/opt/etc/raddb/modules/detail.log
including configuration file /home/sding/opt/etc/raddb/modules/digest
including configuration file /home/sding/opt/etc/raddb/modules/dynamic_clients
including configuration file /home/sding/opt/etc/raddb/modules/echo
including configuration file /home/sding/opt/etc/raddb/modules/etc_group
including configuration file /home/sding/opt/etc/raddb/modules/exec
including configuration file /home/sding/opt/etc/raddb/modules/expiration
including configuration file /home/sding/opt/etc/raddb/modules/expr
including configuration file /home/sding/opt/etc/raddb/modules/files
including configuration file /home/sding/opt/etc/raddb/modules/inner-eap
including configuration file /home/sding/opt/etc/raddb/modules/ippool
including configuration file /home/sding/opt/etc/raddb/modules/krb5
including configuration file /home/sding/opt/etc/raddb/modules/ldap
including configuration file /home/sding/opt/etc/raddb/modules/linelog
including configuration file /home/sding/opt/etc/raddb/modules/logintime
including configuration file /home/sding/opt/etc/raddb/modules/mac2ip
including configuration file /home/sding/opt/etc/raddb/modules/mac2vlan
including configuration file /home/sding/opt/etc/raddb/modules/mschap
including configuration file /home/sding/opt/etc/raddb/modules/ntlm_auth
including configuration file /home/sding/opt/etc/raddb/modules/opendirectory
including configuration file /home/sding/opt/etc/raddb/modules/otp
including configuration file /home/sding/opt/etc/raddb/modules/pam
including configuration file /home/sding/opt/etc/raddb/modules/pap
including configuration file /home/sding/opt/etc/raddb/modules/passwd
including configuration file /home/sding/opt/etc/raddb/modules/perl
including configuration file /home/sding/opt/etc/raddb/modules/policy
including configuration file /home/sding/opt/etc/raddb/modules/preprocess
including configuration file /home/sding/opt/etc/raddb/modules/radutmp
including configuration file /home/sding/opt/etc/raddb/modules/realm
including configuration file /home/sding/opt/etc/raddb/modules/smbpasswd
including configuration file /home/sding/opt/etc/raddb/modules/smsotp
including configuration file /home/sding/opt/etc/raddb/modules/sql_log
including configuration file
/home/sding/opt/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/sding/opt/etc/raddb/modules/sradutmp
including configuration file /home/sding/opt/etc/raddb/modules/unix
including configuration file /home/sding/opt/etc/raddb/modules/wimax
including configuration file /home/sding/opt/etc/raddb/eap.conf
including configuration file /home/sding/opt/etc/raddb/policy.conf
including files in directory /home/sding/opt/etc/raddb/sites-enabled/
including configuration file /home/sding/opt/etc/raddb/sites-enabled/default
including configuration file
/home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/home/sding/opt/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /home/sding/opt/etc/raddb/dictionary
main {
prefix = "/home/sding/opt/"
localstatedir = "/home/sding/opt//var"
logdir = "/home/sding/opt//var/log/radius"
libdir = "/home/sding/opt//lib"
radacctdir = "/home/sding/opt//var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/home/sding/opt//var/run/radiusd/radiusd.pid"
checkrad = "/home/sding/opt//sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 128.186.252.11/32 {
require_message_authenticator = no
secret = "cisco"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/home/sding/opt/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/home/sding/opt/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/home/sding/opt/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/home/sding/opt/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server ldap_ntpassword_1814 { # from file /home/sding/opt/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /home/sding/opt/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/home/sding/opt/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/auth1.key"
certificate_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/server.crt"
CA_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/ca-chain.crt"
private_key_password = "thismykey"
dh_file = "/home/sding/opt/etc/raddb/certs/dh"
random_file = "/home/sding/opt/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/home/sding/opt/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file
/home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/home/sding/opt/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/home/sding/opt/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/home/sding/opt/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/home/sding/opt/etc/raddb/modules/unix
unix {
radwtmp = "/home/sding/opt//var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/home/sding/opt/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/home/sding/opt/etc/raddb/modules/files
files {
usersfile = "/home/sding/opt/etc/raddb/users"
acctusersfile = "/home/sding/opt/etc/raddb/acct_users"
preproxy_usersfile = "/home/sding/opt/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file
/home/sding/opt/etc/raddb/modules/ldap
ldap {
server = "mds.fsu.edu"
port = 389
password = "myldappassword"
identity = "cn=radius-proxy-proxy,ou=proxy-users,dc=fsu,dc=edu"
net_timeout = 10
timeout = 20
timelimit = 20
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = yes
require_cert = "allow"
}
basedn = "dc=fsu,dc=edu"
filter = "(&(uid=%u)(!(uid=lib-guest*)))"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/home/sding/opt/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file
/home/sding/opt/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x8921338
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/home/sding/opt/etc/raddb/modules/radutmp
radutmp {
filename = "/home/sding/opt//var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/home/sding/opt/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/home/sding/opt/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /home/sding/opt/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/home/sding/opt/etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/home/sding/opt/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/home/sding/opt/etc/raddb/huntgroups"
hints = "/home/sding/opt/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/home/sding/opt/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/home/sding/opt/etc/raddb/modules/detail
detail {
detailfile = "/home/sding/opt//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /home/sding/opt/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/home/sding/opt/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/home/sding/opt//var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = *
port = 1814
}
listen {
type = "acct"
ipaddr = *
port = 1815
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /home/sding/opt//var/run/radiusd/radiusd.sock
Listening on authentication address * port 1814 as server ldap_ntpassword_1814
Listening on accounting address * port 1815 as server ldap_ntpassword_1814
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=194, length=160
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x0212000a017364696e67
Message-Authenticator = 0x6325d4e08e1c07cc15e8712dda27d62c
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 18 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 194 to 128.186.252.11 port 32858
EAP-Message = 0x0113001604102ef8be1d90b4bc9af75abe1eaa422223
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2505e83ff725017e0433f9f6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=195, length=174
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x021300060319
State = 0x2516ecdd2505e83ff725017e0433f9f6
Message-Authenticator = 0x8ae90ed63d19f2dc17a87e9ad06e0d4e
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 19 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 195 to 128.186.252.11 port 32858
EAP-Message = 0x011400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2402f53ff725017e0433f9f6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=196, length=255
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x0214005719800000004d16030100480100004403014cd46491a50af6b476d0c2b26cfc35c55a1678008ac04c723fd6776ef30a701c00001600040005000a0009006400620003000600130012006301000005ff01000100
State = 0x2516ecdd2402f53ff725017e0433f9f6
Message-Authenticator = 0xf8c4e70699e5fcac0fc7afb6aa376f00
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 20 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0f33], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 196 to 128.186.252.11 port 32858
EAP-Message = 0x082b0601050507030106082b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2703f53ff725017e0433f9f6
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=197, length=174
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x021500061900
State = 0x2516ecdd2703f53ff725017e0433f9f6
Message-Authenticator = 0x3228b80a3cb9c9ca4538fed5447936c8
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 21 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 197 to 128.186.252.11 port 32858
EAP-Message = 0x2a864886f70d0101
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2600f53ff725017e0433f9f6
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=198, length=174
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x021600061900
State = 0x2516ecdd2600f53ff725017e0433f9f6
Message-Authenticator = 0x75a884e84b7d44bdc02ab17107d67d8e
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 198 to 128.186.252.11 port 32858
EAP-Message = 0x011703fc19400105000382010f003082010a0282010100dfee5810a22b6e55c48ebf2e4609e7e0080f2e2b7a13941bbdf6b6808e650593001ebcafe20f8e190d1247ecacada3fa2e70f8de6efb5642159e2e5cef23de21b9057627190f4fd6c39cb4be941963f2a6110aeb53489cbef2293b16e81aa04ca6c9f4185968c070f25300c05e5082a5566f36f94ae04486a04d4ed6476e494acb67d7a6c405b98e1ef4fcffcde736e09c056cb2332215d0b4e0cc17c0b2c0f4fe323f292a957bd8f2a74e0f547ca10d80b30903c1ff5cdd5e9a3ebcaebc478a6aae71ca1fb12ab85f42050bec4630d1720bcae9566df5efdf78be61bab2a5ae044cbca8ac69
EAP-Message = 0x742e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f416464547275737445787465726e616c4341526f6f742e63726c300d06092a864886f70d0101050500038201010063869210b113fa37be8e2ab61b8a43f55cae0e14dff769407fbf1a710009d8bfd4244abfe093ff01d80bc60fec7e479cb05df77c149dfcc03392845bd283f452e2225874fc431b3fa7a358da03fdbcf03ae4edcc12bbc9b9ae7b04a00472bfe9de2dd2a751660073d2bd7eaa9e53967d69b2183e8ead56507ef7d5b0ff396265828c9657c38ff760f6c28d3487fc4f43e5dbbf1caaf686cde6df113f8d07f76d8313c038883960a17e30e1e3
EAP-Message = 0x3533303130343833
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2101f53ff725017e0433f9f6
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=199, length=174
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x021700061900
State = 0x2516ecdd2101f53ff725017e0433f9f6
Message-Authenticator = 0x602e32ae1208f2087ad641fe019857e1
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 23 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 199 to 128.186.252.11 port 32858
EAP-Message = 0x24adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e860416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd200ef53ff725017e0433f9f6
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858,
id=200, length=490
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x10211da47763f075340e04bf32712bee9467dc21e6ff3b67140301000101160301002099d74861733826cd6aad89f228c70bf4f525679c4d30399bfcf0bcf6c59ec511
State = 0x2516ecdd200ef53ff725017e0433f9f6
Message-Authenticator = 0x49fd3a179bb372aab9ed098457dda985
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 24 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 200 to 128.186.252.11 port 32858
EAP-Message = 0x0119003119001403010001011603010020f4c3f8a68d0a868a15204aa51ac3f69ce9a3ff3cf98ca7ec345df74c9c510fb3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd230ff53ff725017e0433f9f6
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=201, length=174
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g"
EAP-Message = 0x021900061900
State = 0x2516ecdd230ff53ff725017e0433f9f6
Message-Authenticator = 0x85f2af6e5ee959f4cfa4853858daa3bc
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 25 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 201 to 128.186.252.11 port 32858
EAP-Message = 0x011a0020190017030100153bfe5b4672f9906b8d9f501b8e0af76113ab2664db
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd220cf53ff725017e0433f9f6
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=202, length=201
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g"
EAP-Message = 0x021a002119001703010016add00124077c7f90e7b1c301ade6745cbde84f9a8055
State = 0x2516ecdd220cf53ff725017e0433f9f6
Message-Authenticator = 0x6ad93d080a0c4e906efc8cd44b95f901
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 26 length 33
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - sding
[peap] Got inner identity 'sding'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x021a000a017364696e67
server ldap_ntpassword_1814 {
PEAP: Setting User-Name to sding
Sending tunneled request
EAP-Message = 0x021a000a017364696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sding"
server inner-tunnel {
# Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sding", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 26 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for sding
[ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*)))
[ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to mds.fsu.edu:389, authentication 0
[ldap] starting TLS
[ldap] bind as cn=radius-prox-proxyy,ou=proxy-users,dc=fsu,dc=edu/myldappassword to mds.fsu.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011b001f1a011b001a10baa17901364e16a41979ac9f01e5ff587364696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa541e25fa55af8f7552608e9adf7407a
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011b001f1a011b001a10baa17901364e16a41979ac9f01e5ff587364696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa541e25fa55af8f7552608e9adf7407a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 202 to 128.186.252.11 port 32858
EAP-Message = 0x011b00361900170301002b08b2e211c843e5ce2b9da00b328fc3596a5981d5a681c8946e6d0309c09d973cca6989a04b2d668e90697d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2d0df53ff725017e0433f9f6
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=203, length=255
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g"
EAP-Message = 0x021b00571900170301004c97aa80c8bf5582084343c4a0bec2db428fd24b095d4d74e3ff47136def8f975cefe31f87108b3332772041ff7b9ca1bc5b7d7392447ae0e08ef9d18096fd4faeb5d3f7fc84330c28379a2d2d
State = 0x2516ecdd2d0df53ff725017e0433f9f6
Message-Authenticator = 0x698f7f3cd67f4dc5a34b9576a4997c83
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 27 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021b00401a021b003b31948b918bc9d0b5fffe13788bf68bcca300000000000000007d31e18645e434394acf384df2a9525de9cb328a11d0abca007364696e67
server ldap_ntpassword_1814 {
PEAP: Setting User-Name to sding
Sending tunneled request
EAP-Message = 0x021b00401a021b003b31948b918bc9d0b5fffe13788bf68bcca300000000000000007d31e18645e434394acf384df2a9525de9cb328a11d0abca007364696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sding"
State = 0xa541e25fa55af8f7552608e9adf7407a
server inner-tunnel {
# Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sding", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 27 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for sding
[ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*)))
[ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: sding
[mschap] Told to do MS-CHAPv2 for sding with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011c00331a031b002e533d46444232423030313131304437413334363846414130324646304144344635334139424431373546
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa541e25fa45df8f7552608e9adf7407a
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011c00331a031b002e533d46444232423030313131304437413334363846414130324646304144344635334139424431373546
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa541e25fa45df8f7552608e9adf7407a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 203 to 128.186.252.11 port 32858
EAP-Message = 0x011c004a1900170301003f961fdc7894fb72d8849f34a008f09cba27e1c376a916e0f902d223bd19fa71f006a0d19fa03b0b036d5703d1f87b284c484682012f01e3819c7ec8d5b3496d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2c0af53ff725017e0433f9f6
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=204, length=197
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g"
EAP-Message = 0x021c001d19001703010012121b6a01d5062bd9054cc2b8b5b6e48872ff
State = 0x2516ecdd2c0af53ff725017e0433f9f6
Message-Authenticator = 0x9e2ccf188feea2fe205634d658c905ee
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 28 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021c00061a03
server ldap_ntpassword_1814 {
PEAP: Setting User-Name to sding
Sending tunneled request
EAP-Message = 0x021c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sding"
State = 0xa541e25fa45df8f7552608e9adf7407a
server inner-tunnel {
# Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sding", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 28 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for sding
[ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*)))
[ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xaf4d3e14de752dd67eafa3fd0435fa66
MS-MPPE-Recv-Key = 0x963e38f3cb3e0b4d2666e67b6583c56d
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "sding"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xaf4d3e14de752dd67eafa3fd0435fa66
MS-MPPE-Recv-Key = 0x963e38f3cb3e0b4d2666e67b6583c56d
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "sding"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 204 to 128.186.252.11 port 32858
EAP-Message = 0x011d00261900170301001bd7d04ac183c1619da026c60fe9164f872bc825a60167c33a7f37f9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2516ecdd2f0bf53ff725017e0433f9f6
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=205, length=206
User-Name = "sding"
NAS-IP-Address = 128.186.252.11
NAS-Port = 129
Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem"
Calling-Station-Id = "00-12-F0-71-28-BF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g"
EAP-Message = 0x021d00261900170301001b07890dc451e45c0291b3616a524d5b632a2875608c5ac01117ea91
State = 0x2516ecdd2f0bf53ff725017e0433f9f6
Message-Authenticator = 0x0d3c0e26663bc23a5c405ac793eccb88
server ldap_ntpassword_1814 {
# Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /home/sding/opt/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
} # server ldap_ntpassword_1814
Sending Access-Accept of id 205 to 128.186.252.11 port 32858
MS-MPPE-Recv-Key = 0x22e1319dea63f4410fe3ad33363dcca198536b1464c72ec70b83a73a1e1b0fab
MS-MPPE-Send-Key = 0x9656612e871bcba6fe5057864962efd2fd0653971462962d4583b94a0216d3b8
EAP-Message = 0x031d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "sding"
Finished request 11.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 0 ID 194 with timestamp +12
Cleaning up request 1 ID 195 with timestamp +12
Cleaning up request 2 ID 196 with timestamp +12
Cleaning up request 3 ID 197 with timestamp +12
Cleaning up request 4 ID 198 with timestamp +12
Cleaning up request 5 ID 199 with timestamp +12
Cleaning up request 6 ID 200 with timestamp +12
Cleaning up request 7 ID 201 with timestamp +12
Waking up in 0.1 seconds.
Cleaning up request 8 ID 202 with timestamp +12
Cleaning up request 9 ID 203 with timestamp +12
Cleaning up request 10 ID 204 with timestamp +13
Cleaning up request 11 ID 205 with timestamp +13
Ready to process requests.
On Sat, Nov 6, 2010 at 6:39 AM, Alan DeKok <aland at deployingradius.com> wrote:
> schilling wrote:
>> Now whenever I try to have a virtual server for another instance, then
>> it will have the same error as before.
>
> Then that virtual server is configured incorrectly.
>
>> Then I copied the site-enabled/default content and put them within the
>> virtual server, it's working again.
>
> The default configuration works.
>
>> I then try to reduce to the
>> minimum necessary configuration,
>
> Why? Just... why do people do this?
>
>> the following is for the virtual
>> server to work
>
> No. It won't work because LDAP is never used to find the "known good"
> password.
>
> I have no idea what you're doing, but the server is definitely
> misconfigured.
>
> Alan DeKok.
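
Added example (not part of the original post or of the FreeRADIUS project): a small Python parser for `radiusd -X` output that reports, per virtual server, which modules ran and where a password check item such as NT-Password was loaded, which is the point the reply above turns on. The sample input is abridged from the debug output in this post with the hash redacted; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from the radiusd -X output in this post; the hash value is redacted.
SAMPLE = """\
rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=203, length=255
server ldap_ntpassword_1814 {
++[eap] returns ok
server ldap_ntpassword_1814 {
server inner-tunnel {
++[mschap] returns noop
++[eap] returns updated
[ldap] ntPassword -> NT-Password == 0x<redacted>
++[ldap] returns ok
++[pap] returns noop
++[mschap] returns ok
++[eap] returns handled
} # server inner-tunnel
++[eap] returns handled
} # server ldap_ntpassword_1814
Sending Access-Challenge of id 203 to 128.186.252.11 port 32858
"""

OPEN = re.compile(r"^server (\S+) \{$")
CLOSE = re.compile(r"^\} # server (\S+)$")
RETURN = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
PASSWORD = re.compile(r"^\[\w+\] .*-> (\S+-Password) ")
SENT = re.compile(r"^Sending (Access-\w+) of id (\d+)")


def summarize(log_text):
    """Map each virtual server to the modules it ran and the password
    check items loaded while it was active; also list the replies sent."""
    servers = defaultdict(lambda: {"modules": defaultdict(list), "passwords": set()})
    replies, stack = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv:"):
            stack.clear()  # a new request starts outside any virtual server
        elif m := OPEN.match(line):
            stack.append(m.group(1))
        elif m := CLOSE.match(line):
            # PEAP prints the outer "server X {" twice but closes it once:
            # unwind to the matching name, then drop its duplicates.
            while stack and stack.pop() != m.group(1):
                pass
            while stack and stack[-1] == m.group(1):
                stack.pop()
        elif m := SENT.match(line):
            replies.append((m.group(1), int(m.group(2))))
        elif stack and (m := RETURN.match(line)):
            servers[stack[-1]]["modules"][m.group(1)].append(m.group(2))
        elif stack and (m := PASSWORD.match(line)):
            servers[stack[-1]]["passwords"].add(m.group(1))
    return servers, replies


if __name__ == "__main__":
    servers, replies = summarize(SAMPLE)
    for name, info in servers.items():
        found = ", ".join(sorted(info["passwords"])) or "none"
        print(f"{name}: modules={dict(info['modules'])} known-good password={found}")
    print("replies:", replies)
```

On the sample, the outer server `ldap_ntpassword_1814` runs only `eap`, while the NT-Password lookup happens in `inner-tunnel`.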