..::Change to MD5 passwords::..
Reyes Jimenez Alfonso Alejandro
aareyesj at bestel.com.mx
Mon Apr 23 23:36:04 CEST 2012
Mathew/List
I tried and I'm getting the same issue.
Here's the debug.
rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=6, length=245
Message-Authenticator = 0x948b8c046dfeede3e79b0b99ef7afa1a
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xe1943d61e4922436507a40c0ae7feeb0
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0206002b19001703010020cba7d86600d185f93548bb4b8a904a38a9374114ae4f376530f2636234997179
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - bob
[peap] Got inner identity 'bob'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000801626f62
server {
PEAP: Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0206000801626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bob"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdcb7ba18dcb0a038bd0375a7346d3160
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdcb7ba18dcb0a038bd0375a7346d3160
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 172.16.15.57 port 1034
EAP-Message = 0x0107003b19001703010030f361b42992d2fe185b2ecb50a0ad36b527d73dba8701ca1054c8cc470dc3d24f6264911b5e402218e4d768082be0e2fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1943d61e7932436507a40c0ae7feeb0
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=7, length=293
Message-Authenticator = 0x8069a3d06eedbc23049e7abb97238b0c
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xe1943d61e7932436507a40c0ae7feeb0
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0207005b1900170301005006888ad17e1479ebf1252dd882c59af57fcbd8fc6fdc408be3aa9bca0f848910aaa971fce0d84e6bb295c7cfcb97bde44fa36080cf0b6339724dfb31451e7c555b8368fa68abb401ef4865dcee9697a8
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62
server {
PEAP: Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bob"
State = 0xdcb7ba18dcb0a038bd0375a7346d3160
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: bob
[mschap] Told to do MS-CHAPv2 for bob with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.16.15.57 port 1034
EAP-Message = 0x0108002b1900170301002083fe169562401f5c43afaf4cb74fbe5ea4774a2cd7c7fa97b12f9b79166d7851
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1943d61e69c2436507a40c0ae7feeb0
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=8, length=245
Message-Authenticator = 0xe3af8b2689dcb116c182ab22757afc9b
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xe1943d61e69c2436507a40c0ae7feeb0
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0208002b19001703010020924f468aa5f7c1dbbec3ec8dd582e3d54f437bf2d65be67569273dead8ad2a34
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 8 to 172.16.15.57 port 1034
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 1 ID 0 with timestamp +22
Cleaning up request 2 ID 1 with timestamp +22
Cleaning up request 3 ID 2 with timestamp +22
Cleaning up request 4 ID 3 with timestamp +22
Cleaning up request 5 ID 4 with timestamp +22
Cleaning up request 6 ID 5 with timestamp +22
Cleaning up request 7 ID 6 with timestamp +22
Cleaning up request 8 ID 7 with timestamp +22
Waking up in 1.0 seconds.
Cleaning up request 9 ID 8 with timestamp +22
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=0, length=192
Message-Authenticator = 0xa0906d6e9baa55c0f2d52b574d79f6a4
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000801626f62
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.16.15.57 port 1036
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0ee9d0f4bc37318d43ce26de7
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=1, length=334
Message-Authenticator = 0x5cdd8e0b50791ff49a6476fd24974e5e
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0ee9d0f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201008419800000007a16030100750100007103014f95ca5308334a7b6c18c056215661784e21c986bfc41f2918fa48cff1d52b1b000036c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00320033003800390016001301000012000a00080006001700180019000b00020100
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 132
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0075], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08f8], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 172.16.15.57 port 1036
EAP-Message = 0x0102040019c000000935160301002a0200002603014f95ca5327cc991e70b77e26acf693105f409e8c76a846939d9390bbee807a7b00002f0016030108f80b0008f40008f10003e7308203e3308202cba003020102020101300d06092a864886f70d01010505003081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d6331253023060355040313
EAP-Message = 0x1c456e746964616420436572746966696361646f72612042657374656c301e170d3132303432333136323135325a170d3133303432333136323135325a30819f310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3122302006035504031319436572746966696361646f2070617261205365727669646f723125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d7830820122300d06092a864886f70d01010105000382010f003082010a0282
EAP-Message = 0x010100be75d786c09b4ef3a52a43a2fc0723f7cd12a909b8291eeb3f8c9e7f29d7b7082b7d045c9c6d682586d91fa55b30554ad190f4fd241669f8734dfc7c4d012c3a5753743c7c03fe84e33058c63f9385d770e58d3cf12c97879405021f7ca9b262b526466981e02933caf75f648b914b00e5be0718c82eca14bfd1440dbe0688986daf6dad82c0bcc6d2ac53d7b59d413c57f2bf26fa95336ee180e7c6b8186b855e106848509a3d8aacdf7023db636aa6156cfe7727133fb613f1db344e3cf6c4258f4ec2f01f5eb17c1a453b93de4a7c8168471f5c5109f2e9c5f465e216ede9164dfbd67de0cc0f867b6ad7833321ced88941e0b383c171da7c
EAP-Message = 0xf80977f08a110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101004e8939f33961439f8e21c3a110d5b82bd414149574f752504e3b0c97ce37b9895e2aebbba2de1ccc2f62f51071355352a6608991447ba34605a79c9bd15b9392104ebdb949038ae58c762c930d56391b739aada4226a109c460087bad50e41bef46ba5de1fe76fce5221376074d481e038556e7dda6b30f907fc20ef4f9c07efd33c887d13032120747840851ff6646e1a9da6cced9a3ee49c634092563b6474fb220d43e19fb8084aca3fd81829558bd30863886ec5410e4bcf892ae8ff5f00c015cbc615
EAP-Message = 0x381cca41e1ac6b870a2a6c38
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0ef9e0f4bc37318d43ce26de7
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=2, length=208
Message-Authenticator = 0xc739fbd0ef9dcf866e7499bf3e1fc0da
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0ef9e0f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.16.15.57 port 1036
EAP-Message = 0x010303fc1940032746efe07ca1609b26d9870be420ff5c895ebab9edb979d34b3b21bcceee350934c34e8eba673c365095035004c100050430820500308203e8a003020102020900a2c39c984894d7f1300d06092a864886f70d01010505003081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c456e7469646164
EAP-Message = 0x20436572746966696361646f72612042657374656c301e170d3132303432333136323132385a170d3133303432333136323132385a3081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c456e746964616420436572746966696361646f72612042657374656c30820122300d06092a864886f70d01010105000382
EAP-Message = 0x010f003082010a0282010100b5ae278d69d605cdfce08ee4627348f7f149b236821a9a96c38e349599718719ea4e69d46b50a4ebb8d5b2e4e51a81f5770e3996e946045b866e9ba4fd644d23d3a9edaa2047aaeb8d65d49665f76cd4889388363204bf1a1a6ee09401700e80569e50a3795b9a8c6f0780045a2901c72a5bf5eb40787d6be22dc85e0480dcc72bd4e5a1b3b47459e5f38accc9a86687a3938f81969df947fb5a1dc4cdae760a533c53ec8b6a1558bc80f187211a322a9a2b831d0a6548885ada107ecc26482238b7bd9bca2fc65da92c0f934aceb404fa0348ff0b71b16bd642b5710f3cbccea2394e90881b6e00f82938e8a1e931401e
EAP-Message = 0xd13863d429632c3c8c6a414ea14de70203010001a382011930820115301d0603551d0e04160414dd636dabfd2d63daa0df7f064e9e80524f09f8973081e50603551d230481dd3081da8014dd636dabfd2d63daa0df7f064e9e80524f09f897a181b6a481b33081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c45
EAP-Message = 0x6e74696461642043
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0ec9f0f4bc37318d43ce26de7
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=3, length=208
Message-Authenticator = 0x9721441fee42173f4ac830082831c323
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0ec9f0f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.16.15.57 port 1036
EAP-Message = 0x0104014f19006572746966696361646f72612042657374656c820900a2c39c984894d7f1300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a858e937f386ebf0d5cbafd3df632b75ed8f91985e2400074681a54c8218e23da99bed40feab9526ad2304f50d642ec64fe87a35a129bb188f9dacc905483cbaa538136be6c5c3964daa9f6c734dd58f80a21c606784c1481b3ec64f079d140e812c025dc0551be03714c9a1f1d91a33efffbae16d9ad9ff3d764384ecbf3fe416ef62d19218714d040eb537b2c9b857bfea26e6bdbb6cd1ab06219b2f8dfda391cfcedbec42191a3e69e783a54cbbc07e08f2073dc05e
EAP-Message = 0x46df94eed2015f11ee6d142419cf527a2b89a1e0d42f2476fc0f3658280de7c9fb0bc12ceee819419e565037a8a3f9346ec46baaca43702384a2582d5972fe10b09ba2859d03649add16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0ed980f4bc37318d43ce26de7
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=4, length=540
Message-Authenticator = 0x5fca46c54b0196cd6fe7153f9dbfca56
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0ed980f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0204015019800000014616030101061000010201005bc6e8f77b4a5f1639708d69bde492a488c3d32ae3b24c27ff529908a3d5b69f49481e2d4915f43951aab38ac7aebade7ca22bf60cb88147ed7269538bfb74c436e36adbb94888c95cb71860bb8dd0e87a5a98aa321d45f89415ad6a44e56c5a2ba9b4f94e4ad43f63e1791472a1debf7bf3158cc571b112e65ee818b30b4b7a5027107e9550cc1fa3705174cd4a0013efa821316a1e3de4249677c5977bca910562f21ca05ccdef26df5d629cc34566885728d35d6d59b0534125bdcbf57d10cfd05ee862bccfffaa76b7d0b3d8a58ecc884720a3ed57fd5cb1eb3ab6d6588a6c22265acad15bad
EAP-Message = 0xaade04d74274d3f88d15932924f524eed688578761c114e7140301000101160301003004903e31b67d27b0bd637926db96e06f986d29e87babe80894627deed61fe3df128a74864e9a5476c0a58340aab4a7c9
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 172.16.15.57 port 1036
EAP-Message = 0x01050041190014030100010116030100308669e55fd54bb312e722034e440cc89da9572b59e5fe404548a0ffaba858b0e3acd9c4a9fc0afb4c7e98bd9ef665cc7a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0ea990f4bc37318d43ce26de7
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=5, length=208
Message-Authenticator = 0xbe2776375b4e10ab3f30444b3ace7d8a
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0ea990f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020500061900
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 5 to 172.16.15.57 port 1036
EAP-Message = 0x0106002b19001703010020336f1efa15562f7ec63d5a266a4ae594c54e973da46098c6b50fc906e6a6f50b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0eb9a0f4bc37318d43ce26de7
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=6, length=245
Message-Authenticator = 0x13b610bf50f117d1384d073b43625dec
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0eb9a0f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0206002b1900170301002007db074f7d46924de79aecb4a8341354a13dff53821c77586e64075cd4579212
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - bob
[peap] Got inner identity 'bob'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000801626f62
server {
PEAP: Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0206000801626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bob"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ba3714d3ba46ba312c4d56b659c6f28
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ba3714d3ba46ba312c4d56b659c6f28
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 172.16.15.57 port 1036
EAP-Message = 0x0107003b190017030100305098dffb457482369d0a6ca4edb03a7362a3576cbcb7976426a24c938797a00685892c96b169a0cee843e8213e0f1ba0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0e89b0f4bc37318d43ce26de7
Finished request 16.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=7, length=293
Message-Authenticator = 0x4d87ac714c2dd5f1386fa20d1ec9d726
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0e89b0f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0207005b1900170301005088a6556be482f16c6160b5d7b7491a57531befe9dba60a051bbfb7b5f1048c62e587d3f8626c3bf6cef973d56912f54af6fe66eaeac67f32132086a0e57dcc8931082247f05059dad398c9955e215ee4
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62
server {
PEAP: Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bob"
State = 0x3ba3714d3ba46ba312c4d56b659c6f28
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bob at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: bob
[mschap] Told to do MS-CHAPv2 for bob with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.16.15.57 port 1036
EAP-Message = 0x0108002b19001703010020a4fa56ea5314462b9c6b1d0de620729da0601187d25fd2d532da2b68c0b86e35
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee9c16b0e9940f4bc37318d43ce26de7
Finished request 17.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=8, length=245
Message-Authenticator = 0xcf8322e778b5603e0bc5c162899a06b9
Service-Type = Framed-User
User-Name = "bob"
Framed-MTU = 1488
State = 0xee9c16b0e9940f4bc37318d43ce26de7
Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales"
Calling-Station-Id = "10-40-F3-95-22-24"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0208002b1900170301002055063fcb378b90263f36683d8bd9718d1f4d94963c882c3685c815dee3d336f1
NAS-IP-Address = 192.168.1.11
NAS-Port = 3
NAS-Port-Id = "STA port # 3"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: password incorrecto -> password incorrecto
Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 18 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 18
Sending Access-Reject of id 8 to 172.16.15.57 port 1036
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
I think I'm missing something on the configuration, any ideas?
Regards.
Alfonso.
On Apr 23, 2012, at 3:14 PM, Matthew Newton wrote:
> On Mon, Apr 23, 2012 at 12:48:33PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
>> bob Cleartext-Password := "Test"
>>
>> and we would like to use the following:
>>
>> bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"
>
> There are non-hex chars in that string, so it's never going to work.
>
>> What changes do we need to do ir order to allow that kind of authentication, any ideas?
>
> It works fine. Generate password:
>
> $ echo -n Test | md5sum
> 0cbc6611f5540bd0809a388dc95a615b -
>
>
> Add to users:
>
> bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b"
>
>
> Check:
>
> $ radtest bob Test localhost 1 testing123
> Sending Access-Request of id 73 to 127.0.0.1 port 1812
> User-Name = "bob"
> User-Password = "Test"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 1
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=73, length=20
>
> Cheers,
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
#####################################################################################
El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenvíe y lo borre inmediatamente.
The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately.
#####################################################################################
More information about the Freeradius-Users
mailing list