Logging ntlm authentication

Sion mleasd at gmail.com
Fri Sep 3 15:52:19 CEST 2010


On Fri, Sep 3, 2010 at 12:58 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Sion wrote:
>> That's what I thought, but in my linelog log it shows it being empty.
>
>  The MS-CHAP-Error is in the reply.
>
>> I've tried putting 'linelog' in the post-auth sections of both the
>> default and inner-tunnel virtual servers but no joy. Am I missing
>> something obvious here?
>
>  See the "Post-Auth-Type Reject" block, too.
>

Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:

rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=9, length=181
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0205000e01616e6f6e796d6f7573
        Message-Authenticator = 0xe0aee197f906702cbcedda8c6fce7ab1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 192.168.196.13 port 32768
        EAP-Message = 0x010600061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b70102318926cb2671448dd5c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=10, length=312
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x0206007f19800000007516030100700100006c03014c80fc7750fabd6450dcb77c4605cbaab73a3c1e43bf175cfcee437c8275d0e1000018002f00350005000ac013c014c009c00a00320038001300040100002b00000017001500001264617573657268656c706465736b74657374000a0006000400170018000b00020100
        State = 0x70163a6b70102318926cb2671448dd5c
        Message-Authenticator = 0x1b3669861698384d471a2c44b8a9fda0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 127
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e5], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 10 to 192.168.196.13 port 32768
        EAP-Message = 0x323d4fe9cf449ea6dc0def99
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b71112318926cb2671448dd5c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=11, length=191
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020700061900
        State = 0x70163a6b71112318926cb2671448dd5c
        Message-Authenticator = 0x3f0536adc88567e3fa2e7d68e8e685a1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 11 to 192.168.196.13 port 32768
        EAP-Message =
0x36303830313030303030305a170d3230313233313233353935395a3081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d30819f300d06092a864886f70d010101050003818d003081890281
        EAP-Message =
0x8100d3a4506ec8ff566be6cf5db6ea0c687547a2aac2da8425fca8f44751da85b5207494861e0f75c9e90861f5066d306e151902e952c062db4d999ee26a0c4438cdfebee3640970c5feb16b29b62f49c83bd427042510972fe7906dc0284299d74c43dec3f5216d549f5dc358e1c0e4d95bb0b8dcb47bdf363ac2b5662212d6870d0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810007fa4c695cfb95cc46ee85834d21308ecad9a86f491ae6da51e360706c846111a11ac8483e59437d4f953da18bb70b62987a758add884e4e9e40dba8cc3274b96f0dc6e3b3440bd98a6f9a299b99
        EAP-Message =
0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b721e2318926cb2671448dd5c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=12, length=393
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020800d01980000000c616030100861000008200807f5ca792ca8945089c0a2b67189c4d8de67a35f4e0082ca10d5e39027cd248d3678879a0f9cc4b777993417be8ea1687e656c4e4dea6be0f8f523ef29df4c7f682ad83ddc3bb05f04463a2274720e393a61c5038a66c1b62848a0ae51515d86d21b5b29558ce7bf129764cfcfe38e4e82a6b8c6a67034add9b51844257af2e481403010001011603010030cc3bfd1b203852f6ef64ac8b1cf56dade3f27dd1b4e578c2287f9dec49fff5bf265106af0619f4fc139b7ceab9c7fce9
        State = 0x70163a6b721e2318926cb2671448dd5c
        Message-Authenticator = 0xd3605cae4d3cdfcdb79fb31c4f77efaf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 12 to 192.168.196.13 port 32768
        EAP-Message =
0x01090041190014030100010116030100306d3b466552376c524f9d57acb4ef59fa8a5a82a64f242ad92194e8f1193b8f3fc3d1cbc55ad95dc6a4505a0e370e8389
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b731f2318926cb2671448dd5c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=13, length=191
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020900061900
        State = 0x70163a6b731f2318926cb2671448dd5c
        Message-Authenticator = 0x1f53ab50f68ee7219c995d840f27876e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 13 to 192.168.196.13 port 32768
        EAP-Message =
0x010a002b19001703010020d6d3ddbda2e15f5002501e18123dbf29e2f931ccce9e84466e3fcf5c38c4982b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b741c2318926cb2671448dd5c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=14, length=244
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020a003b190017030100303767555210c29944d549c0315be418183880d41e3b10753f2347ac68077538c53f95356c3d6e1ccfbbe46691ef85acdd
        State = 0x70163a6b741c2318926cb2671448dd5c
        Message-Authenticator = 0x38b94b464c83b45da9b75001bb686fb7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - daUserHelpdeskTest
[peap] Got tunneled request
        EAP-Message = 0x020a00170164615573657248656c706465736b54657374
server  {
  PEAP: Got tunneled identity of daUserHelpdeskTest
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to daUserHelpdeskTest
Sending tunneled request
        EAP-Message = 0x020a00170164615573657248656c706465736b54657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "daUserHelpdeskTest"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1e88ea081e83f0086516d1bfc3ff692c
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1e88ea081e83f0086516d1bfc3ff692c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 14 to 192.168.196.13 port 32768
        EAP-Message =
0x010b004b190017030100409cbd93fb082834e5312d9e4e7e07b2fadc35f17d03ba94d6b4488d36a02ced807b1c816ed7ecd17c09f0e46b6db0a303330d4cba7a3ebdf7a4488bf7ec9fe660
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b751d2318926cb2671448dd5c
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=15, length=292
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020b006b19001703010060564c96a98610ddca81ab047cf49040cc25bbec1f15e7836a3ff4254b1b43391111bacebf925796803af1497774f5a869381948a58b170923920058e7776cc3a6e4c83132066f73a23e8b0f4106f7b9136f48fc8f7a1b5222bbe64ebc64dae94d
        State = 0x70163a6b751d2318926cb2671448dd5c
        Message-Authenticator = 0x8a5a9caddddcc8d8fef955471ac2c224
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374
server  {
  PEAP: Setting User-Name to daUserHelpdeskTest
Sending tunneled request
        EAP-Message =
0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "daUserHelpdeskTest"
        State = 0x1e88ea081e83f0086516d1bfc3ff692c
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 77
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for daUserHelpdeskTest with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]        expand: %{User-Name:-None} -> daUserHelpdeskTest
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=daUserHelpdeskTest
[mschap]  mschap2: ac
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=99630d7d1b70ccb6
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=119ada0d77457f3cf74b7aac600d9ac29c970352419456d9
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\013E=691 R=1"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\013E=691 R=1"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 15 to 192.168.196.13 port 32768
        EAP-Message =
0x010c002b19001703010020e2ecfa9fe8a4bab6e0d189ee4afc63838d3039becf8c75642a188987d9f7efd4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70163a6b761a2318926cb2671448dd5c
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=16, length=228
        User-Name = "anonymous"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020c002b19001703010020afeb09438ae8736bd4545752ecc17e1b5de36e4b8ca31c95fa6617432d9080d4
        State = 0x70163a6b761a2318926cb2671448dd5c
        Message-Authenticator = 0x80361a22f6d1ad6492ba21f97229c16c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
[testlinelog]   expand: /var/log/radius/testlinelog -> /var/log/radius/testlinelog
[testlinelog]   expand: %S      %{reply:Packet-Type}    %{User-Name}    %{Calling-Station-Id}   %{Called-Station-Id}    %{NAS-Identifier}       %{Packet-Src-IP-Address}        %{reply:Reply-Message}  %{reply:MS-CHAP-Error}  %{reply:Tunnel-Type}    %{reply:Tunnel-Private-Group-Id} -> 2010-09-03 14:47:35     Access-Reject  anonymous        00-1B-77-94-57-72       00-0B-85-6D-BA-C0:eduroam       llwacA105       192.168.196.13
++[testlinelog] returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 16 to 192.168.196.13 port 32768
        EAP-Message = 0x040c0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 9 with timestamp +14
Cleaning up request 1 ID 10 with timestamp +14
Cleaning up request 2 ID 11 with timestamp +14
Cleaning up request 3 ID 12 with timestamp +14
Cleaning up request 4 ID 13 with timestamp +14
Cleaning up request 5 ID 14 with timestamp +14
Cleaning up request 6 ID 15 with timestamp +14
Waking up in 1.0 seconds.
Cleaning up request 7 ID 16 with timestamp +14
Ready to process requests.


>  Alan DeKok.
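Added example, not part of the original post: a small Python parser run over lines copied from the debug output above, recording which reply carries MS-CHAP-Error and decoding its E= and R= fields with the RFC 2759 failure codes. The function names, result keys and the trimmed `SAMPLE` excerpt are assumptions of this example.

```python
import re

# Failure codes carried in the E= field of MS-CHAP-Error (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Lines copied from the debug output above, trimmed to the relevant ones.
SAMPLE = r'''
  PEAP: Setting User-Name to daUserHelpdeskTest
server inner-tunnel {
[mschap] Told to do MS-CHAPv2 for daUserHelpdeskTest with NT-Password
Exec-Program output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\013E=691 R=1"
        EAP-Message = 0x040b0004
[peap] Tunneled authentication was rejected.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
Sending Access-Reject of id 16 to 192.168.196.13 port 32768
        EAP-Message = 0x040c0004
'''

def decode_mschap_error(value):
    """Decode the printed attribute value, e.g. \\013E=691 R=1."""
    ident = re.match(r"\\(\d{3})", value)  # first octet is printed as octal
    body = value[ident.end():] if ident else value
    fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
    code = int(fields.get("E", 0))
    return {
        "ident": int(ident.group(1), 8) if ident else None,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
    }

def summarize(debug_text):
    """Walk radiusd -X output and record where the failure detail appears."""
    result = {"inner_user": None, "outer_user": None, "helper_status": None,
              "mschap_error": None, "error_scope": None, "final": None}
    in_inner = False   # True between "server inner-tunnel {" and its close
    scope = None       # which reply the indented attribute lines belong to
    for line in debug_text.splitlines():
        s = line.strip()
        if s.startswith("server inner-tunnel {"):
            in_inner = True
        elif s.startswith("} # server inner-tunnel"):
            in_inner = False
        elif m := re.match(r"PEAP: Setting User-Name to (\S+)", s):
            result["inner_user"] = m.group(1)
        elif m := re.match(r"Exec-Program output: .*\((0x[0-9a-fA-F]+)\)", s):
            result["helper_status"] = m.group(1)
        elif s.startswith("[peap] Got tunneled reply"):
            scope = "inner-tunnel reply"
        elif m := re.match(r"Sending (Access-\w+) of id", s):
            scope, result["final"] = "outer reply", m.group(1)
        elif m := re.match(r'MS-CHAP-Error = "(.*)"', s):
            result["mschap_error"] = decode_mschap_error(m.group(1))
            result["error_scope"] = scope
        elif (m := re.search(r"expand: %\{User-Name\} -> (\S+)", s)) and not in_inner:
            result["outer_user"] = m.group(1)
    return result

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On this excerpt the error is attributed to the inner-tunnel reply for `daUserHelpdeskTest`, while the outer reject is processed with User-Name `anonymous`.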