Help PLease

Adam Schappell aschappell at clearedgeit.com
Mon Mar 30 22:28:55 CEST 2015


OK, I am almost done with all the questions... Now when I go to log in to
wifi I am able to download the cert and everything, but I get an authentication
failure. I have read most of it and am a little confused. Just wondering if
anyone had better insight on this.

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

EAP-Message =
0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c

server  {

[peap] Setting User-Name to CORP\aschappell

Sending tunneled request

EAP-Message =
0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c

FreeRADIUS-Proxied-To = 127.0.0.1

User-Name = "CORP\\aschappell"

State = 0x56c64cb95676560312b36f089a4e917a

server inner-tunnel {

# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 176 length 74

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[sql] expand: %{User-Name} -> CORP\aschappell

[sql] sql_set_user escaped user --> 'CORP\aschappell'

rlm_sql (sql): Reserving sql socket id: 2

[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'CORP=5Caschappell'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'CORP=5Caschappell'           ORDER BY priority

rlm_sql (sql): Released sql socket id: 2

[sql] User CORP\aschappell not found

++[sql] returns notfound

[ldap] performing user authorization for CORP\aschappell

[ldap] expand: %{Stripped-User-Name} ->

[ldap] ... expanding second conditional

[ldap] expand: %{User-Name} -> CORP\5caschappell

[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=CORP\5caschappell)

[ldap] expand: dc=corp,dc=clearedgeit,dc=com ->
dc=corp,dc=clearedgeit,dc=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter
(sAMAccountName=CORP\5caschappell)

  [ldap] object not found

[ldap] search failed

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns notfound

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel

[mschapv2] +- entering group MS-CHAP {...}

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.

[mschap] No Cleartext-Password configured.  Cannot create NT-Password.

[mschap] NT Domain delimeter found, should we have enabled
with_ntdomain_hack?

[mschap] Creating challenge hash with username: CORP\aschappell

[mschap] Told to do MS-CHAPv2 for CORP\aschappell with NT-Password

[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

[mschap] FAILED: MS-CHAP2-Response is incorrect

++[mschap] returns reject

[eap] Freeing handler

++[eap] returns reject

Failed to authenticate the user.

} # server inner-tunnel

[peap] Got tunneled reply code 3

MS-CHAP-Error = "\260E=691 R=1"

EAP-Message = 0x04b00004

Message-Authenticator = 0x00000000000000000000000000000000

[peap] Got tunneled reply RADIUS code 3

MS-CHAP-Error = "\260E=691 R=1"

EAP-Message = 0x04b00004

Message-Authenticator = 0x00000000000000000000000000000000

[peap] Tunneled authentication was rejected.

[peap] FAILURE

++[eap] returns handled

Sending Access-Challenge of id 126 to 10.0.1.149 port 32776

EAP-Message =
0x01b1002b190017030100209af0407cf44f78b901232ee0fa6c447f520423a19f0fa21733930383a8d19585

Message-Authenticator = 0x00000000000000000000000000000000

State = 0xdfd6c0e5d767d92d9b96730baefb4877

Finished request 29.

Going to the next request

Waking up in 2.7 seconds.

rad_recv: Access-Request packet from host 10.0.1.149 port 32776, id=127,
length=231

User-Name = "CORP\\aschappell"

NAS-IP-Address = 10.0.1.149

NAS-Identifier = "24a43c105cfc"

NAS-Port = 0

Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP"

Calling-Station-Id = "C8-BC-C8-C0-1D-A7"

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

Connect-Info = "CONNECT 0Mbps 802.11b"

EAP-Message =
0x02b1002b1900170301002062c0e9553e6ba5810b4c114546a334c660bc79916f7276b819b2d01a9fe7faab

State = 0xdfd6c0e5d767d92d9b96730baefb4877

Message-Authenticator = 0x8de5a0f2aaede3f1ef08eecdd9bad205

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 177 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state send tlv failure

[peap] Received EAP-TLV response.

[peap]  The users session was previously rejected: returning reject (again.)

[peap]  *** This means you need to read the PREVIOUS messages in the debug
output

[peap]  *** to find out the reason why the user was rejected.

[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.

[peap]  *** what went wrong, and how to fix the problem.

[eap] Handler failed in EAP/peap

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type Reject

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 30 for 1 seconds

Adam Schappell
System Administrator II
Clearedge IT Solutions, LLC
10620 Guilford Road
Jessup, MD 20794
Office:443-212-4712
Fax:443-212-4809
www.ClearEdgeIT.com <http://www.clearedgeit.com/>


On Mon, Mar 30, 2015 at 3:33 PM, Adam Schappell <aschappell at clearedgeit.com>
wrote:

> Thanks for everyone's help. I don't know what exactly I did but I got
> Access-Accept..
>
> Found Auth-Type = LDAP
>
> # Executing group from file /etc/raddb/sites-enabled/default
>
> +- entering group LDAP {...}
>
> [ldap] login attempt by "radius" with password "test"
>
> [ldap] user DN:
> CN=rtest,OU=Users,OU=Jetestp,OU=ClearEdge,DC=corp,DC=test,DC=com
>
>   [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 1
>
>   [ldap] bind as
> CN=rtests,OU=Users,OU=test,OU=ClearEdge,DC=corp,DC=testeit,DC=com/test to
> dc1.corp.clearedgeit.com:389
>
>   [ldap] waiting for bind result ...
>
>   [ldap] Bind was successful
>
> [ldap] user radius authenticated succesfully
>
> ++[ldap] returns ok
>
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
>
> +- entering group post-auth {...}
>
> ++[exec] returns noop
>
> Sending Access-Accept of id 135 to 127.0.0.1 port 48249
>
> Finished request 0.
>
> Going to the next request
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 0 ID 135 with timestamp +8
>
> Ready to process requests.
>
> Adam Schappell
> System Administrator II
> Clearedge IT Solutions, LLC
> 10620 Guilford Road
> Jessup, MD 20794
> Office:443-212-4712
> Fax:443-212-4809
> www.ClearEdgeIT.com <http://www.clearedgeit.com/>
>
>
> On Mon, Mar 30, 2015 at 3:23 PM, <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> Hi,
>>
>> > I get its failing but I do not know what else to set it to, It is the
>>
>> read the error. deduce the issue
>>
>> > [ldap] expand:
>> (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>> > (&(SAMAccountName=radius)
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> that's what came out of the expansion of your current config
>>
>> >   [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter
>> > (&(SAMAccountName=radius)
>> >
>> >   [ldap] ldap_search() failed: Bad search filter:
>> (&(SAMAccountName=radius)
>>
>> and that's the result
>>
>> > [ldap] search failed
>>
>> which means that happens
>>
>>
>> the binding and the searching are 2 different things.  you had 'working'
>> but
>> failing search with uid - you've now just got a broken search
>>
>> I'd just hazard a guess that you should be using eg
>> (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name})
>>
>> note how upper and lower case have been chosen.
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
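As an added example (not part of this thread and not FreeRADIUS code), the Python below decodes the tunneled EAP-Message attribute printed in the debug output above. It shows that the "CORP\aschappell" identity arrives in the Name field of the MS-CHAPv2 Response, which is why the peap module sets User-Name to that string and why the sql and ldap lookups then search for the full DOMAIN\user string (escaped as CORP=5Caschappell and CORP\5caschappell in the trace) and return notfound. The `split_nt_domain` helper is my own and is modelled on what a prefix-format realm such as FreeRADIUS's `ntdomain` realm does when it fills Stripped-User-Name; `triage` scans a few lines copied from the inner-tunnel trace for the notfound/reject results and FAILED reasons that the peap module's "*** Look for reject or fail" hint points at. Only standard-library modules are used.

```python
"""Decode the inner EAP/MS-CHAPv2 message from a FreeRADIUS debug trace and
summarise why the inner tunnel rejected the user."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# EAP-Message attribute exactly as printed in the debug output above.
EAP_MESSAGE_HEX = (
    "0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a3650000000000000000"
    "5095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26          # RFC 3748 type number registered for EAP-MSCHAPv2
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class MsChapV2Response:
    opcode: int
    ms_id: int
    length: int
    peer_challenge: bytes   # 16 bytes chosen by the supplicant
    nt_response: bytes      # 24 bytes
    flags: int
    name: str               # identity the supplicant put in the Name field


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]
    mschapv2: Optional[MsChapV2Response]


def parse_eap_message(hex_attr: str) -> EapPacket:
    """Parse an EAP packet (RFC 3748: Code, Identifier, Length, Type) and, for
    type 26, the MS-CHAPv2 Response layout (OpCode, MS-ID, MS-Length,
    Value-Size=49, 49-byte Value, Name)."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    if code not in (1, 2):                      # Success/Failure carry no Type
        return EapPacket(code, identifier, length, None, None)
    eap_type = raw[4]
    ms = None
    if eap_type == EAP_TYPE_MSCHAPV2:
        body = raw[5:]
        opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        if ms_len != len(body):
            raise ValueError("MS-CHAPv2 MS-Length does not match the EAP payload")
        if opcode == 2:                         # Response
            value_size = body[4]
            if value_size != 49:
                raise ValueError("MS-CHAPv2 Response Value-Size must be 49")
            value = body[5:5 + value_size]      # challenge(16) reserved(8) NT-Response(24) flags(1)
            name = body[5 + value_size:].decode("ascii")
            ms = MsChapV2Response(opcode, ms_id, ms_len,
                                  value[0:16], value[24:48], value[48], name)
    return EapPacket(code, identifier, length, eap_type, ms)


def split_nt_domain(name: str, delimiter: str = "\\"):
    """Split 'DOMAIN\\user' into (domain, user), as a prefix-format realm does
    for Stripped-User-Name. Returns (None, name) when there is no delimiter,
    which is the case the suffix module logs as 'looking up realm NULL'."""
    if delimiter not in name:
        return None, name
    domain, user = name.split(delimiter, 1)
    return domain, user


MODULE_RESULT = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)$")
FAILURE_LINE = re.compile(r"^\[(?P<module>\w+)\] FAILED: (?P<reason>.*)$")

# Constructed excerpt: lines copied from the inner-tunnel trace above.
SAMPLE_TRACE = """\
++[sql] returns notfound
++[ldap] returns notfound
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
""".splitlines()


def triage(lines):
    """Collect which modules returned notfound/reject and the first FAILED
    reason, i.e. the earlier message the peap module tells you to go find."""
    results = [m for m in (MODULE_RESULT.match(l) for l in lines) if m]
    failures = [m.group("reason") for m in (FAILURE_LINE.match(l) for l in lines) if m]
    return {
        "notfound": [m.group("module") for m in results if m.group("rcode") == "notfound"],
        "reject": [m.group("module") for m in results if m.group("rcode") == "reject"],
        "first_failure": failures[0] if failures else None,
    }


if __name__ == "__main__":
    pkt = parse_eap_message(EAP_MESSAGE_HEX)
    print(f"EAP {EAP_CODES[pkt.code]} id={pkt.identifier} length={pkt.length} type={pkt.eap_type}")
    print(f"MS-CHAPv2 {MSCHAPV2_OPCODES[pkt.mschapv2.opcode]} Name={pkt.mschapv2.name!r}")
    print("prefix-realm split:", split_nt_domain(pkt.mschapv2.name))
    print(triage(SAMPLE_TRACE))
```

The decoded header matches the trace's own "[eap] EAP packet type response id 176 length 74" line (code 2, id 0xb0, length 0x4a), and the Name field is the byte string 434f52505c61736368617070656c6c at the end of the attribute. The same parser handles the outer reply's EAP-Message = 0x04b00004, which is a bare EAP Failure with no Type byte.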


More information about the Freeradius-Users mailing list