Mac OXS Server version of FreeRadius Problems

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Aug 29 11:03:59 CEST 2011


Did you verify ntlm_auth is actually working outside of FreeRADIUS?

The stuff below suggests it's not...

-Arran


[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[mschap] 	expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} ->
--username=dsaw
[mschap]  mschap2: 12
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=236c06ebf1d2d1cf
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d
[2011/08/29 01:18:16, 0, pid=2301]
/SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146)
 could not obtain winbind domain name!
Exec-Program output: Reading winbind reply failed! (0xc0000001) 
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject



On 29 Aug 2011, at 10:52, DavidS wrote:

> Thanks Alan
> Stopped the other Server instance and of course, as you note, message resolved
> to 
> 
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> 	type = "auth"
> 	ipaddr = *
> 	port = 0
> }
> listen {
> 	type = "acct"
> 	ipaddr = *
> 	port = 0
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on proxy address * port 1814
> Ready to process requests.
> 
> However I still can't get the damn setup to Authenticate. The output during a
> failed attempt to authenticate a user, to my eyes did not reveal the issue
> that I need to address in eap (as you propose) or elsewhere
> 
> Here is the output during a user attempt to authenticate  -   any thoughts?
> (Thanks David)
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=1,
> length=136
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0x562f50d7ee215e2703a4aa2ca625ccfd
> 	EAP-Message = 0x0202000c0164736177636572
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 12
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.98 does not have an access group.
> rlm_opendirectory: Could not get the user's uuid.
> ++[opendirectory] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 1 to 192.168.0.98 port 1645
> 	EAP-Message = 0x010300061520
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f073a70568fa17f41fc5620938
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=2,
> length=306
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0xaa6d7f080c19541eaf62c4dc81581a09
> 	EAP-Message =
> 0x020300a415800000009a16030100950100009103014e5b4b3e338c0281aac0bcc701f19deaac117d722a79430407804edc3f8cf6f2000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f073a70568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 164
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>  TLS Length 154
> [ttls] Length Included
> [ttls] eaptls_verify returned 11 
> [ttls]     (other): before/accept initialization 
> [ttls]     TLS_accept: before/accept initialization 
> [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello  
> [ttls]     TLS_accept: SSLv3 read client hello A 
> [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
> [ttls]     TLS_accept: SSLv3 write server hello A 
> [ttls] >>> TLS 1.0 Handshake [length 0e89], Certificate  
> [ttls]     TLS_accept: SSLv3 write certificate A 
> [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
> [ttls]     TLS_accept: SSLv3 write server done A 
> [ttls]     TLS_accept: SSLv3 flush data 
> [ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate
> A
> In SSL Handshake Phase 
> In SSL Accept mode  
> [ttls] eaptls_process returned 13 
> ++[eap] returns handled
> Sending Access-Challenge of id 2 to 192.168.0.98 port 1645
> 	EAP-Message = 0x6464792e636f6d2f7265706f
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f072a00568fa17f41fc5620938
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=3,
> length=148
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0x2db3b6c8db5fe348e4b1bd10b20c258f
> 	EAP-Message = 0x020400061500
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f072a00568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1 
> [ttls] eaptls_process returned 13 
> ++[eap] returns handled
> Sending Access-Challenge of id 3 to 192.168.0.98 port 1645
> 	EAP-Message =
> 0x0d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469
> 	EAP-Message = 0xbbe51a514a002f48c79875d8
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f071a10568fa17f41fc5620938
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=4,
> length=148
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0xb4df3ea96b26ccc933e07c8daf238f8c
> 	EAP-Message = 0x020500061500
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f071a10568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 5 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1 
> [ttls] eaptls_process returned 13 
> ++[eap] returns handled
> Sending Access-Challenge of id 4 to 192.168.0.98 port 1645
> 	EAP-Message =
> 0x0106040015c000000ec6b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b0601050507010104273025302306082b0601
> 	EAP-Message = 0x82010d003082010802820101
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f070a20568fa17f41fc5620938
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=5,
> length=148
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0xa82b2ec6c5b16aac04984c38b383fa96
> 	EAP-Message = 0x020600061500
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f070a20568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1 
> [ttls] eaptls_process returned 13 
> ++[eap] returns handled
> Sending Access-Challenge of id 5 to 192.168.0.98 port 1645
> 	EAP-Message =
> 0x1e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f16030100040e000000
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f077a30568fa17f41fc5620938
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=6,
> length=480
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0x49d07e0783dcd34e743f77688134f6a0
> 	EAP-Message =
> 0x7afa967ca838b8fcd5e02794142216fb6f234114eba1bedf14030100010116030100309ccb0a854ba537cb852bba4e829095eecc777a146367523ef7408367aa73527e251f324f277a77fd69bd8275e3fb80cf
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f077a30568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 253
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>  TLS Length 326
> [ttls] Length Included
> [ttls] eaptls_verify returned 11 
> [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
> [ttls]     TLS_accept: SSLv3 read client key exchange A 
> [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
> [ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
> [ttls]     TLS_accept: SSLv3 read finished A 
> [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
> [ttls]     TLS_accept: SSLv3 write change cipher spec A 
> [ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
> [ttls]     TLS_accept: SSLv3 write finished A 
> [ttls]     TLS_accept: SSLv3 flush data 
> [ttls]     (other): SSL negotiation finished successfully 
> SSL Connection Established 
> [ttls] eaptls_process returned 13 
> ++[eap] returns handled
> Sending Access-Challenge of id 6 to 192.168.0.98 port 1645
> 	EAP-Message =
> 0x0108004515800000003b140301000101160301003008670b7dfe3518a23af339575826eb71df43b6f75c4aa3a31a63da1f37fdd335f033ed4d3abed24011738f87683cd142
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x73a410f076ac0568fa17f41fc5620938
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 1 with timestamp +2511
> Cleaning up request 1 ID 2 with timestamp +2511
> Cleaning up request 2 ID 3 with timestamp +2511
> Cleaning up request 3 ID 4 with timestamp +2511
> Cleaning up request 4 ID 5 with timestamp +2511
> Cleaning up request 5 ID 6 with timestamp +2511
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=7,
> length=285
> 	User-Name = "dsawcer"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0023.331c.9680"
> 	Calling-Station-Id = "9027.e4f9.25b0"
> 	Service-Type = Login-User
> 	Message-Authenticator = 0x97a15db1918171fe49d55d82bda7cba4
> 	EAP-Message =
> 0x0208008f1580000000851703010080e2d9295b14cae59129b605c441aec00a3187009bb0ed4acc791fd1db3e46a58e9523480b479075cceb0b4af41e536d8005125b4bd7c326fbb382a43ec84f0684a5370e8971afde67d795ece00c588642a7892fcf41526cc4b1e724df9aec0bf4df5cad51ac25ae1489416a68ffac146347ee2cb35435ec593275ea486d85885c
> 	NAS-Port-Type = Wireless-802.11
> 	NAS-Port = 257
> 	NAS-Port-Id = "257"
> 	State = 0x73a410f076ac0568fa17f41fc5620938
> 	NAS-IP-Address = 192.168.0.98
> 	NAS-Identifier = "ap1250"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 143
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>  TLS Length 133
> [ttls] Length Included
> [ttls] eaptls_verify returned 11 
> [ttls] eaptls_process returned 7 
> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
> 	User-Name = "dsaw"
> 	MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556
> 	MS-CHAP2-Response =
> 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d
> 	FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
> 	User-Name = "dsaw"
> 	MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556
> 	MS-CHAP2-Response =
> 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d
> 	FreeRADIUS-Proxied-To = 127.0.0.1
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = "dsaw", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry dsaw at line 236
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for dsaw with NT-Password
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
> for details
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
> for details
> [mschap] 	expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} ->
> --username=dsaw
> [mschap]  mschap2: 12
> [mschap] 	expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=236c06ebf1d2d1cf
> [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d
> [2011/08/29 01:18:16, 0, pid=2301]
> /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146)
>  could not obtain winbind domain name!
> Exec-Program output: Reading winbind reply failed! (0xc0000001) 
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) 
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
> 	MS-CHAP-Error = "`E=691 R=1"
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] 	expand: %{User-Name} -> dsawcer
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 6 for 1 seconds
> Going to the next request
> Waking up in 0.6 seconds.
> Sending delayed reject for request 6
> Sending Access-Reject of id 7 to 192.168.0.98 port 1645
> 	EAP-Message = 0x04080004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 4.9 seconds.
> Cleaning up request 6 ID 7 with timestamp +2521
> Ready to process requests.
> 
> 
> --
> View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OXS-Server-version-of-FreeRadius-Error-tp4744750p4745526.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
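
Added example (not part of the original post, and not FreeRADIUS code): a small triage of radiusd debug output that separates a failing `ntlm_auth`/winbind helper from a genuinely rejected password, since both end in "MS-CHAP2-Response is incorrect". The second log entry (user `alice`, `Logon failure (0xc000006d)`) and the verdict names are constructed for illustration.

```python
import re

# Constructed input: the inner-tunnel MS-CHAP lines quoted in the post (trimmed,
# e-mail quoting kept), then one invented attempt for contrast.
SAMPLE_LOG = """\
> [mschap] Told to do MS-CHAPv2 for dsaw with NT-Password
>  could not obtain winbind domain name!
> Exec-Program output: Reading winbind reply failed! (0xc0000001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
[mschap] Told to do MS-CHAPv2 for alice with NT-Password
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""

# NTSTATUS codes that describe the account or password rather than the helper.
CREDENTIAL_STATUS = {
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC000006A: "NT_STATUS_WRONG_PASSWORD",
}
START = re.compile(r"\[mschap\] Told to do MS-CHAPv\d for (\S+)")
OUTPUT = re.compile(r"Exec-Program output: (.*)")
RETURNED = re.compile(r"Exec-Program: returned: (-?\d+)")
STATUS = re.compile(r"\(0x([0-9a-fA-F]{8})\)")
END = re.compile(r"\+\+\[mschap\] returns (\w+)")

def classify(attempt):
    # Verdict strings are this example's own labels, not FreeRADIUS terms.
    if attempt["result"] != "reject":
        return "not-rejected"
    if attempt["exit_code"] is None:
        return "local-compare-failed"  # no external helper ran
    m = STATUS.search(attempt["helper_output"] or "")
    if m and int(m.group(1), 16) in CREDENTIAL_STATUS:
        return "credentials-rejected"
    return "helper-failed"  # ntlm_auth/winbind problem, says nothing about the password

def triage(log_text):
    attempts, cur = [], None
    for raw in log_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop e-mail quoting
        if m := START.search(line):
            cur = {"user": m.group(1), "helper_output": None,
                   "exit_code": None, "result": None}
        elif cur is None:
            continue
        elif m := OUTPUT.search(line):
            cur["helper_output"] = m.group(1)
        elif m := RETURNED.search(line):
            cur["exit_code"] = int(m.group(1))
        elif m := END.search(line):
            cur["result"] = m.group(1)
            cur["verdict"] = classify(cur)
            attempts.append(cur)
            cur = None
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["user"], a["exit_code"], a["verdict"], "-", a["helper_output"])
```

A `helper-failed` verdict means the password was never actually checked, so the fix lies with winbind and `ntlm_auth`, not with the user's credentials or the EAP configuration.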




