Authentication doesn't work anymore

snowman5840 snowman5840 at t-online.de
Sun Nov 7 12:55:48 CET 2010


Hi

I'm going crazy with my RADIUS configuration. For some days everything worked. But
now I can't authenticate with the XP client; Linux still works.
It seems that it is a problem with the EAP configuration or with the
certificates, but I can't find any error in the debug output!?

Maybe this is the problem: "[eap] No EAP Start, assuming it's an
on-going EAP conversation", but I don't know what I can do. Please give me
some further hints. I want to authenticate with EAP-PEAP and MSCHAP.


rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=43,
length=145
	NAS-IP-Address = 192.168.0.2
	NAS-Port = 50005
	NAS-Port-Type = Ethernet
	User-Name = "FIRMA1\\usera"
	Called-Station-Id = "00-15-F9-D8-7C-C5"
	Calling-Station-Id = "00-1A-4B-63-69-0B"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02000014014649524d41315c626c657273636861
	Message-Authenticator = 0x7371c1f1726066beb9dabe848c328593
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] 	expand: %t -> Sun Nov  7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for usera
[ldap] 	expand: %{Stripped-User-Name} -> usera
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usera)
[ldap] 	expand: dc=firma1,dc=de -> dc=firma1,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=firma1,dc=de, with filter (uid=usera)
[ldap] Added User-Password = {SSHA}WNtfzJKztV/VYNqJAew//EpfaqFTTmRY in check
items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] sambaNtPassword -> NT-Password ==
0x3043423639343838303546373937424632413832383037393733423839353337
  [ldap] sambaLmPassword -> LM-Password ==
0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user usera authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.    
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"              
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 43 to 192.168.0.2 port 1812
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe5811fdbe58006df807df3f78bad2b67
Finished request 42.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=44,
length=230
	NAS-IP-Address = 192.168.0.2
	NAS-Port = 50005
	NAS-Port-Type = Ethernet
	User-Name = "FIRMA1\\usera"
	Called-Station-Id = "00-15-F9-D8-7C-C5"
	Calling-Station-Id = "00-1A-4B-63-69-0B"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xe5811fdbe58006df807df3f78bad2b67
	EAP-Message =
0x0201005719800000004d16030100480100004403014cd6813031d93b50d4e589daaf39973f09262a8588b4684bfd4c30b952c9245a00001600040005000a0009006400620003000600130012006301000005ff01000100
	Message-Authenticator = 0xc287af478d7c193cfcec6b09c33c099c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] 	expand: %t -> Sun Nov  7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 07d8], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 44 to 192.168.0.2 port 1812
	EAP-Message =
0x0102040019c00000081c16030100310200002d03014cd68131c9a74e02de2ba907521446470a623f35b17ca47f32683ec55db8455f000004000005ff0100010016030107d80b0007d40007d10003733082036f30820257a003020102020101300d06092a864886f70d01010405003079310b3009060355040613024445311630140603550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b5261646975732054657374301e170d3130313030373135303932315a170d31
	EAP-Message =
0x31313030373135303932315a3064310b3009060355040613024445311630140603550408130d426c65727363685261646975733110300e060355040a1307426c6572736368311430120603550403130b52616469757320546573743115301306092a864886f70d01090116066140612e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100beade1be49bb6da9990ac95083434e9fc6a86411143c8cec2aef5f2aaa5801a97f756f621461a34bfbaf348c97bd48269a36888e97d5b7e9dc765889712b4cd98092f312a6be1b96a3438646c64c974cefb4accf93ce7414a33b29922f3e8d268cfb61fcdb0309bba351
	EAP-Message =
0x7defd94f63fe21857a958338d7f7337892653b9184d3b54ee131516261aaa8ac47bc6349e3100ff08c9714f8abc6cadd64dc50e00296adf04aa8a9e22c8cd35b0731246f9702849e480790d3bb1d2970917402cb8b2f3a0639b69a53447def512699944541b9be1e94a9528737e87496604a035f7a86220fffabc75b8c19429f067cf502276b22f0741c0646087a88e095844c4d616b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100bd0d00c31db1f9d3792d88680abc76fd9c368ebe49bd728bdb8db8504d75fba64aff2a141ac63c8004a01a43291071f4f91337c6f9
	EAP-Message =
0xf68cb9c7c714631cc88be66a728078e474df461ddf20f2db5f52cedf381646c1ba0c2e08b64a6d30946daaf5d92798d628631218c3c724290f9f3344d87b94428b7aa02dab38004100a0eea379017950d458cb34c71928a77018d9a83b80b5614d0303956dff622d133f88b8dc17bb608cd21ff12590332857a08949c72bff9c57f279a6e752797bb9d004467efefb38fd944c328fb43ac6a60be70233ee8f402e996c84d5d64de6ab91348af2063c3e8e27bde3eba4ef831431ab18e999225f1ee674c55d7d048d89d1d2000458308204543082033ca003020102020900f014131264b7ade5300d06092a864886f70d01010505003079310b30090603
	EAP-Message = 0x550406130244453116301406
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe5811fdbe48306df807df3f78bad2b67
Finished request 43.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=45,
length=149
	NAS-IP-Address = 192.168.0.2
	NAS-Port = 50005
	NAS-Port-Type = Ethernet
	User-Name = "FIRMA1\\usera"
	Called-Station-Id = "00-15-F9-D8-7C-C5"
	Calling-Station-Id = "00-1A-4B-63-69-0B"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xe5811fdbe48306df807df3f78bad2b67
	EAP-Message = 0x020200061900
	Message-Authenticator = 0x6595267991b7298210d423ea9e5e7e34
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] 	expand: %t -> Sun Nov  7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 45 to 192.168.0.2 port 1812
	EAP-Message =
0x010303fc194003550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b5261646975732054657374301e170d3130313030373135303932315a170d3230313031343135303932315a3079310b3009060355040613024445311630140603550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b
	EAP-Message =
0x526164697573205465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100ed103b08365fb46bcabb1cb67f18b2a11a8b1b091c1984839c573cd2a8b07d4c7581a7288f4e58ced2e6429f6cc5a9caf7d3af27c77c3ddf2a4d15b3edbdc4107f4c2349a9d0ed866830996fe189872d5453deed13f6834c9a19a45a67acb59e4929acdb9ae55f43bf357f331b50e49a351b0339b462f845e2a24d81eceb0f63526bcec87858a85ffb7fe7cfe31fd84a4bbd06192401160c7103f7f77f961f7c2dd84c87427e900456941c33425630b692611cc96c79bee4fb28e78dfe18b9465f1b63dc71e12c3a780ac82d775764a451
	EAP-Message =
0xe24474c861b96895fa7fad9add315db3c9d6bd413d193cbd431147f6a318743d7c29ed7656a7380b8ebf4fe110ae910203010001a381de3081db301d0603551d0e04160414ac77f070444423b5a05945e1546a0c7747062ba73081ab0603551d230481a33081a08014ac77f070444423b5a05945e1546a0c7747062ba7a17da47b3079310b3009060355040613024445311630140603550408130d426c6572736368526164697573311330110603550407130a5765696e67617274656e3110300e060355040a1307426c65727363683115301306092a864886f70d01090116066140612e6465311430120603550403130b526164697573205465737482
	EAP-Message =
0x0900f014131264b7ade5300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a4eda8c0530c34b7000a8955c4b977fafa376631a7e70b7f97e4d6ecdcde16be2bdd9b63eec98684dbbc0e5b1260fb2dbfbc176a70413802943b7ce71a3a17eea80c47adfb49282ad8511bc247e4cb07ce7d1750d89f1f72e3958222a60b3446b371eabaf0cd1cdac6500bb05edc876d5b3fa65fe194901d6782ce781ec2af28202ccc9c8f11359eca01a21530a84c5bc8d3e83eed89158a3408b6500a36e7e9adaa579df3447a5df899d7db132e2015685539921cb6cc2cf78048cd5b6afb367da3720cf912fa8b573958c54803929861
	EAP-Message = 0xe30c97f4b32d6d07
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe5811fdbe78206df807df3f78bad2b67
Finished request 44.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=46,
length=149
	NAS-IP-Address = 192.168.0.2
	NAS-Port = 50005
	NAS-Port-Type = Ethernet
	User-Name = "FIRMA1\\usera"
	Called-Station-Id = "00-15-F9-D8-7C-C5"
	Calling-Station-Id = "00-1A-4B-63-69-0B"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xe5811fdbe78206df807df3f78bad2b67
	EAP-Message = 0x020300061900
	Message-Authenticator = 0x5b1899fb14339eca7ba59de266860af7
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] 	expand: %t -> Sun Nov  7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 46 to 192.168.0.2 port 1812
	EAP-Message =
0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea4c9280acd2686fd194f216030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe5811fdbe68506df807df3f78bad2b67
Finished request 45.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=47,
length=149
	NAS-IP-Address = 192.168.0.2
	NAS-Port = 50005
	NAS-Port-Type = Ethernet
	User-Name = "FIRMA1\\usera"
	Called-Station-Id = "00-15-F9-D8-7C-C5"
	Calling-Station-Id = "00-1A-4B-63-69-0B"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xe5811fdbe68506df807df3f78bad2b67
	EAP-Message = 0x020400061900
	Message-Authenticator = 0xc59a1a2d0cfb101ec430dad4e10897b6
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101107
[auth_log] 	expand: %t -> Sun Nov  7 11:36:33 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 47 to 192.168.0.2 port 1812
	EAP-Message = 0x010500061900
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe5811fdbe18406df807df3f78bad2b67
Finished request 46.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 42 ID 43 with timestamp +2802
Cleaning up request 43 ID 44 with timestamp +2802
Cleaning up request 44 ID 45 with timestamp +2802
Cleaning up request 45 ID 46 with timestamp +2802
Cleaning up request 46 ID 47 with timestamp +2802
Ready to process requests.



-- 
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-doesn-t-work-anymore-tp3253866p3253866.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
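
Added example, not part of the original post: the EAP-Message values in the trace above can be decoded using the RFC 3748 header and the EAP-TLS/PEAP flag byte (L, M, S) to see where the handshake stops. The names `decode` and `stall_point` are illustrative, and long fragments are cut to their first 10 bytes because only the header is read.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

# Sample input: EAP-Message values copied from the trace, in order.
# Long fragments are truncated to their header bytes (assumption: header only).
TRACE = [
    "02000014014649524d41315c626c657273636861",  # id=43 from NAS
    "010100061920",                              # challenge id 43
    "0201005719800000004d",                      # id=44 from NAS (truncated)
    "0102040019c00000081c",                      # challenge id 44 (truncated)
    "020200061900",                              # id=45 from NAS
    "010303fc1940",                              # challenge id 45 (truncated)
    "020300061900",                              # id=46 from NAS
    "0104003619000f0b409c",                      # challenge id 46 (truncated)
    "020400061900",                              # id=47 from NAS
    "010500061900",                              # challenge id 47
]

def decode(hexstr):
    """Decode the EAP header and, for EAP-TLS/PEAP, the flag byte."""
    raw = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "flags": "", "tls_len": None, "data_len": 0}
    if code in (1, 2) and length > 4:
        etype = raw[4]
        msg["type"] = EAP_TYPES.get(etype, etype)
        if etype in (13, 25) and length >= 6:
            f, hdr = raw[5], 6
            msg["flags"] = "".join(
                n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if f & bit)
            if f & 0x80:  # L bit: 4-byte total TLS message length follows
                msg["tls_len"] = struct.unpack("!I", raw[6:10])[0]
                hdr = 10
            msg["data_len"] = length - hdr  # TLS bytes carried in this packet
    return msg

def stall_point(trace):
    """EAP id of a final server fragment (no M bit) answered by an empty packet."""
    msgs = [decode(h) for h in trace]
    for req, resp in zip(msgs, msgs[1:]):
        if (req["code"] == "Request" and req["data_len"] > 0
                and "M" not in req["flags"] and resp["code"] == "Response"
                and resp["id"] == req["id"] and resp["data_len"] == 0):
            return req["id"]
    return None
```

On this trace `stall_point(TRACE)` returns 4: the server's last fragment, which ends with ServerHelloDone, is answered with an empty PEAP packet instead of client handshake data, which puts the stall after the server certificate was delivered rather than in the authorize or LDAP steps.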


