MSCHAP Machine/User Authentication with Windows
Ben Humpert
ben at an3k.de
Mon May 11 10:14:18 CEST 2015
Your computer is in a domain, thus when using user authentication you
get as User-Name TESTDOMAIN\\testuser instead of just testuser. If you
want your computers to be in a domain I can't help you with
configuring FR since I don't know how but I know that you could use
huntgroups but it's not advised.
But I can help you with configuring the windows clients. Since I'm
using german language and the translations are weird I'll link to
screenshots of the configuration windows. It's Windows 7 but it's
identical to Windows 8.
a) http://i.imgur.com/2ChblVs.png
1 enable checkbox
2 select PEAP
3 select if you want to keep the manually entered username and password saved
4 enable if you want to use this network connection in networks (or on
ports) without required authentication
5 will lead to the next screenshot
6 leads to the last schreenshot (d)
b) http://i.imgur.com/gbz2ZYf.png
1 disable if you don't have a certificate for your Radius server and skip 2,3,4
2 leave it empty
3 select the certificate of the CA that validated your certificate or
is the Root of the certificate chain
4 enable if you don't want popups shown when you connect to a new (and
yet unknown) server
5 select EAP-MSCHAP v2
6 enable this
7 disable if you don't have a NAP (Network Access Protection - a
security feature of Windows Server 2008)
8 disable
9 enable if you want the client to send the correct username only in
the TLS tunnel and send the one specified instead for unencrypted
connections to the Radius server
10 leads to the next screenshot
c) http://i.imgur.com/PSoBDwD.png
disable if you want to use different username / password for 802.1x
authentication and windows account
d) http://i.imgur.com/VwKkIXa.png
1 enable
2 select user authentication
3 enable Single Sign-On if you are in a windows domain using an Active
Directory for windows user authentication.
4 click to enter 802.1x authentication credentials right now so you
don't get asked later when you first try to connect
Signle Sign-On is a feature that only works in an Active Directory.
Normally Windows logs the user in and then tries to authenticate with
802.1x which is stupid since you can't log into Active Directory
without a working network connection. If you enable this and select
"before user login" Windows now does 802.1x authentication and when
established logs in the user.
If you enable the "different VLAN" setting Windows will additionally
update the DHCP lease after you logged in.
2015-05-11 9:18 GMT+02:00 Tynan Young <tynany at gmail.com>:
> Hi,
>
> I've searched high and low for answers/a solution on this and haven't
> had much luck, so I'm hoping someone on this list might be able to
> help.
>
> I have a near default freeradius3 setup using NTLM to authenticate our
> PEAP MSCHAP wireless clients. Non-windows machines work fine (mac,
> phones etc), but I'm having difficulty getting Windows 7/8
> authenticated using machine authentication or user authentication.
> Essentially I'm seeing the below error:
> Auth: Invalid user: [DOMAIN\\user]
> or
> Auth: Invalid user: [host\\MACHINE-NAME]
>
> Successful authentications (from a mac) look like this:
> Auth: Login OK: [user]
>
> Running "ntlm_auth --request-nt-key --username=domain\\user" returns
> NT_STATUS_OK
>
> The only real configuration changes I've made are in the mschap mod,
> having tried both of the following:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
>
>
> Below is a debug of a windows 8 wireless client attempting to
> authenticate. First it tries machine authentication, then it tries
> user authentication.
>
> Any help would be greatly appreciated.
>
> Cheers
>
> Ready to process requests.
> Received Access-Request Id 211 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 240
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x0201002001686f73742f77696e38312d6f70732e696e2e667265736876696577
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0xb1632e4c77e27f16f9cdd51c91aa5ee9
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0) authorize {
> (0) filter_username filter_username {
> (0) if (User-Name != "%{tolower:%{User-Name}}")
> (0) EXPAND %{tolower:%{User-Name}}
> (0) --> host/win81-ops.in.testdomain
> (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (0) if (User-Name =~ / /)
> (0) if (User-Name =~ / /) -> FALSE
> (0) if (User-Name =~ /@.*@/ )
> (0) if (User-Name =~ /@.*@/ ) -> FALSE
> (0) if (User-Name =~ /\\.\\./ )
> (0) if (User-Name =~ /\\.\\./ ) -> FALSE
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (0) if (User-Name =~ /\\.$/)
> (0) if (User-Name =~ /\\.$/) -> FALSE
> (0) if (User-Name =~ /@\\./)
> (0) if (User-Name =~ /@\\./) -> FALSE
> (0) } # filter_username filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) eap : EAP packet type response id 1 length 32
> (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
> the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap : Peer sent Identity (1)
> (0) eap : Calling eap_peap to process EAP data
> (0) eap_peap : Flushing SSL sessions (of #0)
> (0) eap_peap : Initiate
> (0) eap_peap : Start returned 1
> (0) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12af78b29f
> (0) [eap] = handled
> (0) } # authenticate = handled
> Sending Access-Challenge Id 211 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12af78b29f91f28722b6106031
> (0) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 203 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 344
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x0202007619800000006c16030100670100006303015550523bf4af127e5fe0dfcfc8c5a896e7cfc31a2a7746ab87d162af997a04a5000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000
> State = 0xaf7aab12af78b29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0xa9f4a8b97958f630a9984c92c0fcc7bd
> (1) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (1) authorize {
> (1) filter_username filter_username {
> (1) if (User-Name != "%{tolower:%{User-Name}}")
> (1) EXPAND %{tolower:%{User-Name}}
> (1) --> host/win81-ops.in.testdomain
> (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (1) if (User-Name =~ / /)
> (1) if (User-Name =~ / /) -> FALSE
> (1) if (User-Name =~ /@.*@/ )
> (1) if (User-Name =~ /@.*@/ ) -> FALSE
> (1) if (User-Name =~ /\\.\\./ )
> (1) if (User-Name =~ /\\.\\./ ) -> FALSE
> (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (1) if (User-Name =~ /\\.$/)
> (1) if (User-Name =~ /\\.$/) -> FALSE
> (1) if (User-Name =~ /@\\./)
> (1) if (User-Name =~ /@\\./) -> FALSE
> (1) } # filter_username filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (1) suffix : No such realm "NULL"
> (1) [suffix] = noop
> (1) eap : EAP packet type response id 2 length 118
> (1) eap : Continuing tunnel setup.
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap : Expiring EAP session with state 0xaf7aab12af78b29f
> (1) eap : Finished EAP session with state 0xaf7aab12af78b29f
> (1) eap : Previous EAP request found for state 0xaf7aab12af78b29f,
> released from the list
> (1) eap : Peer sent PEAP (25)
> (1) eap : EAP PEAP (25)
> (1) eap : Calling eap_peap to process EAP data
> (1) eap_peap : processing EAP-TLS
> TLS Length 108
> (1) eap_peap : Length Included
> (1) eap_peap : eaptls_verify returned 11
> (1) eap_peap : (other): before/accept initialization
> (1) eap_peap : TLS_accept: before/accept initialization
> (1) eap_peap : <<< TLS 1.0 Handshake [length 0067], ClientHello
> (1) eap_peap : TLS_accept: SSLv3 read client hello A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
> (1) eap_peap : TLS_accept: SSLv3 write server hello A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0c61], Certificate
> (1) eap_peap : TLS_accept: SSLv3 write certificate A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (1) eap_peap : TLS_accept: SSLv3 write key exchange A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1) eap_peap : TLS_accept: SSLv3 write server done A
> (1) eap_peap : TLS_accept: SSLv3 flush data
> (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read
> client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (1) eap_peap : eaptls_process returned 13
> (1) eap_peap : FR_TLS_HANDLED
> (1) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ae79b29f
> (1) [eap] = handled
> (1) } # authenticate = handled
> Sending Access-Challenge Id 203 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x010303ec19c000000e1d1603010059020000550301f9a84ded3c3d019330abd1de6d7ff97f916e4aa4140b0733d9c1a1686ec5ba212041db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63dc01400000dff01000100000b0004030001021603010c610b000c5d000c5a0004a7308204a33082038ba00302010202030439a3300d06092a864886f70d01010b05003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696453534c20534841323536204341202d204733301e170d3135303530373033333932305a170d3136303530383233353131385a30819431133011060355040b130a475432333636383233393131302f060355040b1328536565207777772e726170696473736c2e636f6d2f7265736f75726365732f637073202863293135312f302d060355040b1326446f6d61696e20436f6e74726f6c2056616c696461746564202d20526170696453534c2852293119301706035504031310776966692e63616d706d6f6e2e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c2b2d2c1ff3c2380d9d47968c4a76b101501d4b4d3efd5857da81b6610580c9021e898e1beb2f5ea06a98dfd06a3f04bfa7b68fc77481cc7b9eb5777938
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12ae79b29f91f28722b6106031
> (1) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 213 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 232
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020300061900
> State = 0xaf7aab12ae79b29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x78dd3eaf48cf6c7dbaa005633cb99020
> (2) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (2) authorize {
> (2) filter_username filter_username {
> (2) if (User-Name != "%{tolower:%{User-Name}}")
> (2) EXPAND %{tolower:%{User-Name}}
> (2) --> host/win81-ops.in.testdomain
> (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (2) if (User-Name =~ / /)
> (2) if (User-Name =~ / /) -> FALSE
> (2) if (User-Name =~ /@.*@/ )
> (2) if (User-Name =~ /@.*@/ ) -> FALSE
> (2) if (User-Name =~ /\\.\\./ )
> (2) if (User-Name =~ /\\.\\./ ) -> FALSE
> (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (2) if (User-Name =~ /\\.$/)
> (2) if (User-Name =~ /\\.$/) -> FALSE
> (2) if (User-Name =~ /@\\./)
> (2) if (User-Name =~ /@\\./) -> FALSE
> (2) } # filter_username filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (2) suffix : No such realm "NULL"
> (2) [suffix] = noop
> (2) eap : EAP packet type response id 3 length 6
> (2) eap : Continuing tunnel setup.
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap : Expiring EAP session with state 0xaf7aab12ae79b29f
> (2) eap : Finished EAP session with state 0xaf7aab12ae79b29f
> (2) eap : Previous EAP request found for state 0xaf7aab12ae79b29f,
> released from the list
> (2) eap : Peer sent PEAP (25)
> (2) eap : EAP PEAP (25)
> (2) eap : Calling eap_peap to process EAP data
> (2) eap_peap : processing EAP-TLS
> (2) eap_peap : Received TLS ACK
> (2) eap_peap : Received TLS ACK
> (2) eap_peap : ACK handshake fragment handler
> (2) eap_peap : eaptls_verify returned 1
> (2) eap_peap : eaptls_process returned 13
> (2) eap_peap : FR_TLS_HANDLED
> (2) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ad7eb29f
> (2) [eap] = handled
> (2) } # authenticate = handled
> Sending Access-Challenge Id 213 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x010403e8194068747470733a2f2f7777772e726170696473736c2e636f6d2f6c6567616c300d06092a864886f70d01010b05000382010100412ebe33348a8106947be103048d5e4157080515045c19a8462a51e4feeca012ee0dc94be9e68ac04f9f65e221ce68f9fbe8e8168bc96facb82798fc5b13ea06f1ffd6f2a1683b5b7724324583f81c1488b36ebb24dc5fc2869a56deca8df3d8280bd435a6a0da7538811583165a5472ac3083e17d572ee39b22330b526f78ee4cb3a6bddd5da72964d40dc24886262c496e902b113cec927570ad97c97b69139b6e7a3fd880364272157aa9d8d1282b47629eec34e7c9f7e7bcdc542844ef1ad4a5d0af52c5998f3eb7fc16750e053edfd5ec552c3605586e652059d7df62719839c9be47acc6da9bc55822c024b98fd93ea1f864785e73066c022efa89ed7f000429308204253082030da0030201020203023a77300d06092a864886f70d01010b05003042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c204341301e170d3134303832393231333933325a170d3232303532303231333933325a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12ad7eb29f91f28722b6106031
> (2) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 212 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 232
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020400061900
> State = 0xaf7aab12ad7eb29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x318c68ac9fd3cec956e3ad0fe6630868
> (3) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (3) authorize {
> (3) filter_username filter_username {
> (3) if (User-Name != "%{tolower:%{User-Name}}")
> (3) EXPAND %{tolower:%{User-Name}}
> (3) --> host/win81-ops.in.testdomain
> (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (3) if (User-Name =~ / /)
> (3) if (User-Name =~ / /) -> FALSE
> (3) if (User-Name =~ /@.*@/ )
> (3) if (User-Name =~ /@.*@/ ) -> FALSE
> (3) if (User-Name =~ /\\.\\./ )
> (3) if (User-Name =~ /\\.\\./ ) -> FALSE
> (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (3) if (User-Name =~ /\\.$/)
> (3) if (User-Name =~ /\\.$/) -> FALSE
> (3) if (User-Name =~ /@\\./)
> (3) if (User-Name =~ /@\\./) -> FALSE
> (3) } # filter_username filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (3) suffix : No such realm "NULL"
> (3) [suffix] = noop
> (3) eap : EAP packet type response id 4 length 6
> (3) eap : Continuing tunnel setup.
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap : Expiring EAP session with state 0xaf7aab12ad7eb29f
> (3) eap : Finished EAP session with state 0xaf7aab12ad7eb29f
> (3) eap : Previous EAP request found for state 0xaf7aab12ad7eb29f,
> released from the list
> (3) eap : Peer sent PEAP (25)
> (3) eap : EAP PEAP (25)
> (3) eap : Calling eap_peap to process EAP data
> (3) eap_peap : processing EAP-TLS
> (3) eap_peap : Received TLS ACK
> (3) eap_peap : Received TLS ACK
> (3) eap_peap : ACK handshake fragment handler
> (3) eap_peap : eaptls_verify returned 1
> (3) eap_peap : eaptls_process returned 13
> (3) eap_peap : FR_TLS_HANDLED
> (3) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ac7fb29f
> (3) [eap] = handled
> (3) } # authenticate = handled
> Sending Access-Challenge Id 212 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x010503e819400105050730018612687474703a2f2f672e73796d63642e636f6d304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d01010b05000382010100a3581ec64332acac2f9378b7eaae5440472d7e788d50f6f866acd64f73d644efaf0bcc5bc1f44f9a8f497e60afc227c716f1fb938190a97cef6f7e6e45941684bdec49f1c40ef4af045983870f2c3b97c35a129b7b04357ba39533087b93712242b3a9d96f4f8192fc07b679bc844a9d7709f1c589f2f0b49c54aa127b0dba4fef9319ecef7d4e61a38e769c59cf8c94b18497f71ab907b8b2c64f1379dbbf4f511b7f690d512ac1d615ff3751346551f41ebe386aec0eabbf3d7b39057bf4f3fb1aa1d0c87e4e648dcd8c615590fe3aca5d250ff81da34a74564f1a5540707525a6332eba4ba55d539a0d30e18d5f612cafccefb099a180ff0bf2624c7026980003813082037d308202e6a003020102020312bbe6300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f726974793
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12ac7fb29f91f28722b6106031
> (3) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 215 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 232
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020500061900
> State = 0xaf7aab12ac7fb29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0xa1f200dd5a90136447ce1b37b4b067f6
> (4) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (4) authorize {
> (4) filter_username filter_username {
> (4) if (User-Name != "%{tolower:%{User-Name}}")
> (4) EXPAND %{tolower:%{User-Name}}
> (4) --> host/win81-ops.in.testdomain
> (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (4) if (User-Name =~ / /)
> (4) if (User-Name =~ / /) -> FALSE
> (4) if (User-Name =~ /@.*@/ )
> (4) if (User-Name =~ /@.*@/ ) -> FALSE
> (4) if (User-Name =~ /\\.\\./ )
> (4) if (User-Name =~ /\\.\\./ ) -> FALSE
> (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (4) if (User-Name =~ /\\.$/)
> (4) if (User-Name =~ /\\.$/) -> FALSE
> (4) if (User-Name =~ /@\\./)
> (4) if (User-Name =~ /@\\./) -> FALSE
> (4) } # filter_username filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (4) suffix : No such realm "NULL"
> (4) [suffix] = noop
> (4) eap : EAP packet type response id 5 length 6
> (4) eap : Continuing tunnel setup.
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap : Expiring EAP session with state 0xaf7aab12ac7fb29f
> (4) eap : Finished EAP session with state 0xaf7aab12ac7fb29f
> (4) eap : Previous EAP request found for state 0xaf7aab12ac7fb29f,
> released from the list
> (4) eap : Peer sent PEAP (25)
> (4) eap : EAP PEAP (25)
> (4) eap : Calling eap_peap to process EAP data
> (4) eap_peap : processing EAP-TLS
> (4) eap_peap : Received TLS ACK
> (4) eap_peap : Received TLS ACK
> (4) eap_peap : ACK handshake fragment handler
> (4) eap_peap : eaptls_verify returned 1
> (4) eap_peap : eaptls_process returned 13
> (4) eap_peap : FR_TLS_HANDLED
> (4) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ab7cb29f
> (4) [eap] = handled
> (4) } # authenticate = handled
> Sending Access-Challenge Id 215 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x0106027d19003a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c304e0603551d200447304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279300d06092a864886f70d01010505000381810076e1126e4e4b1612863006b28108cff008c7c7717e66eec2edd43b1ffff0f0c84ed64338b0b9307d18d05583a26acb36119ce84866a36d7fb813d447fe8b5a5c73fcaed91b321938ab973414aa96d2eba31c140849b6bbe591ef8336eb1d566fcadabc736390e47f7b3e22cb3d07ed5f38749ce303504ea1af98ee61f2843f12160301014b0c0001470300174104897a41b10d790abe7d33a7bae7191df884039b23026439f474763fa6cb936641097d6e73ce79a5d3ee3b2dfa1b6742cbcfb4d94a2af4c9fb6f756ba052b43beb01009562f546db63c6a53f98650f9c9d234c62b3baccfd8e26d7b9d6c78e6e3a07a30382f753afb96cb8ec266b728877907a1c97f6c7948f7e9fa2ef2b571fbeb92748fee46d52b20070b28559f1f20027269f02be9d63f5756b166ceaa06afa8c13fcd38c8a4133c0288c9ed1fa2aa55e92d8a3cf16fa192847ce5bbb08ab2fdad640d11
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12ab7cb29f91f28722b6106031
> (4) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 216 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 370
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020600901980000000861603010046100000424104d85d873dea9326b04b69add1a56edb8644246c919b8f460725f22d19b7bfbf30fe22e7d993c960b2ffeebbd155bb316e63ba7796287a737a52d0367b3ab5eb5614030100010116030100306bf7326dd2963bc5094534034ea75caccf46011de517912c4d0c91d510ef3644496711ac075146320a47c686b17ee94c
> State = 0xaf7aab12ab7cb29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x3d5c9d2133066c4b3420ff366a49e175
> (5) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (5) authorize {
> (5) filter_username filter_username {
> (5) if (User-Name != "%{tolower:%{User-Name}}")
> (5) EXPAND %{tolower:%{User-Name}}
> (5) --> host/win81-ops.in.testdomain
> (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (5) if (User-Name =~ / /)
> (5) if (User-Name =~ / /) -> FALSE
> (5) if (User-Name =~ /@.*@/ )
> (5) if (User-Name =~ /@.*@/ ) -> FALSE
> (5) if (User-Name =~ /\\.\\./ )
> (5) if (User-Name =~ /\\.\\./ ) -> FALSE
> (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (5) if (User-Name =~ /\\.$/)
> (5) if (User-Name =~ /\\.$/) -> FALSE
> (5) if (User-Name =~ /@\\./)
> (5) if (User-Name =~ /@\\./) -> FALSE
> (5) } # filter_username filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (5) suffix : No such realm "NULL"
> (5) [suffix] = noop
> (5) eap : EAP packet type response id 6 length 144
> (5) eap : Continuing tunnel setup.
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap : Expiring EAP session with state 0xaf7aab12ab7cb29f
> (5) eap : Finished EAP session with state 0xaf7aab12ab7cb29f
> (5) eap : Previous EAP request found for state 0xaf7aab12ab7cb29f,
> released from the list
> (5) eap : Peer sent PEAP (25)
> (5) eap : EAP PEAP (25)
> (5) eap : Calling eap_peap to process EAP data
> (5) eap_peap : processing EAP-TLS
> TLS Length 134
> (5) eap_peap : Length Included
> (5) eap_peap : eaptls_verify returned 11
> (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (5) eap_peap : TLS_accept: SSLv3 read client key exchange A
> (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap : TLS_accept: SSLv3 read finished A
> (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
> (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap : TLS_accept: SSLv3 write finished A
> (5) eap_peap : TLS_accept: SSLv3 flush data
> SSL: adding session
> 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d to
> cache
> (5) eap_peap : (other): SSL negotiation finished successfully
> SSL Connection Established
> (5) eap_peap : eaptls_process returned 13
> (5) eap_peap : FR_TLS_HANDLED
> (5) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12aa7db29f
> (5) [eap] = handled
> (5) } # authenticate = handled
> Sending Access-Challenge Id 216 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x0107004119001403010001011603010030904c13f5aa90bc06c6a9e4a9a9fe076ac1facca994920e0028b62392ef0d62e3dffb6d45d1198e88cbe9b9ce70df1d39
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12aa7db29f91f28722b6106031
> (5) Finished request
> Waking up in 0.2 seconds.
> Waking up in 4.6 seconds.
> Received Access-Request Id 218 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 232
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020700061900
> State = 0xaf7aab12aa7db29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x870a84bb1fdef1e9e576bb097297dafc
> (6) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (6) authorize {
> (6) filter_username filter_username {
> (6) if (User-Name != "%{tolower:%{User-Name}}")
> (6) EXPAND %{tolower:%{User-Name}}
> (6) --> host/win81-ops.in.testdomain
> (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (6) if (User-Name =~ / /)
> (6) if (User-Name =~ / /) -> FALSE
> (6) if (User-Name =~ /@.*@/ )
> (6) if (User-Name =~ /@.*@/ ) -> FALSE
> (6) if (User-Name =~ /\\.\\./ )
> (6) if (User-Name =~ /\\.\\./ ) -> FALSE
> (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (6) if (User-Name =~ /\\.$/)
> (6) if (User-Name =~ /\\.$/) -> FALSE
> (6) if (User-Name =~ /@\\./)
> (6) if (User-Name =~ /@\\./) -> FALSE
> (6) } # filter_username filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (6) suffix : No such realm "NULL"
> (6) [suffix] = noop
> (6) eap : EAP packet type response id 7 length 6
> (6) eap : Continuing tunnel setup.
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/freeradius/sites-enabled/default
> (6) authenticate {
> (6) eap : Expiring EAP session with state 0xaf7aab12aa7db29f
> (6) eap : Finished EAP session with state 0xaf7aab12aa7db29f
> (6) eap : Previous EAP request found for state 0xaf7aab12aa7db29f,
> released from the list
> (6) eap : Peer sent PEAP (25)
> (6) eap : EAP PEAP (25)
> (6) eap : Calling eap_peap to process EAP data
> (6) eap_peap : processing EAP-TLS
> (6) eap_peap : Received TLS ACK
> (6) eap_peap : Received TLS ACK
> (6) eap_peap : ACK handshake is finished
> (6) eap_peap : eaptls_verify returned 3
> (6) eap_peap : eaptls_process returned 3
> (6) eap_peap : FR_TLS_SUCCESS
> (6) eap_peap : Session established. Decoding tunneled attributes.
> (6) eap_peap : Peap state TUNNEL ESTABLISHED
> (6) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a972b29f
> (6) [eap] = handled
> (6) } # authenticate = handled
> Sending Access-Challenge Id 218 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x0108002b19001703010020f022350972cbaf550411b0a05e940de89489d54aaa26eea60fa42c528e37b598
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12a972b29f91f28722b6106031
> (6) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 219 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 301
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x0208004b190017030100401450d110896340dd1527e3b736b40db579761481d7c7bd8df6f8a8bafe346ae902d6eca6adb3ce318e7f8a82345ed565cb364dbaf6fea0c3ea2fe03f596781b8
> State = 0xaf7aab12a972b29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x81748904e69029b5c562279f77a1fa9a
> (7) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (7) authorize {
> (7) filter_username filter_username {
> (7) if (User-Name != "%{tolower:%{User-Name}}")
> (7) EXPAND %{tolower:%{User-Name}}
> (7) --> host/win81-ops.in.testdomain
> (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (7) if (User-Name =~ / /)
> (7) if (User-Name =~ / /) -> FALSE
> (7) if (User-Name =~ /@.*@/ )
> (7) if (User-Name =~ /@.*@/ ) -> FALSE
> (7) if (User-Name =~ /\\.\\./ )
> (7) if (User-Name =~ /\\.\\./ ) -> FALSE
> (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (7) if (User-Name =~ /\\.$/)
> (7) if (User-Name =~ /\\.$/) -> FALSE
> (7) if (User-Name =~ /@\\./)
> (7) if (User-Name =~ /@\\./) -> FALSE
> (7) } # filter_username filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (7) suffix : No such realm "NULL"
> (7) [suffix] = noop
> (7) eap : EAP packet type response id 8 length 75
> (7) eap : Continuing tunnel setup.
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/freeradius/sites-enabled/default
> (7) authenticate {
> (7) eap : Expiring EAP session with state 0xaf7aab12a972b29f
> (7) eap : Finished EAP session with state 0xaf7aab12a972b29f
> (7) eap : Previous EAP request found for state 0xaf7aab12a972b29f,
> released from the list
> (7) eap : Peer sent PEAP (25)
> (7) eap : EAP PEAP (25)
> (7) eap : Calling eap_peap to process EAP data
> (7) eap_peap : processing EAP-TLS
> (7) eap_peap : eaptls_verify returned 7
> (7) eap_peap : Done initial handshake
> (7) eap_peap : eaptls_process returned 7
> (7) eap_peap : FR_TLS_OK
> (7) eap_peap : Session established. Decoding tunneled attributes.
> (7) eap_peap : Peap state WAITING FOR INNER IDENTITY
> (7) eap_peap : Identity - host/win81-ops.in.testdomain
> (7) eap_peap : Got inner identity 'host/win81-ops.in.testdomain'
> (7) eap_peap : Setting default EAP type for tunneled EAP session.
> (7) eap_peap : Got tunneled request
> EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577
> server default {
> (7) eap_peap : Setting User-Name to host/win81-ops.in.testdomain
> Sending tunneled request
> EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = 'host/win81-ops.in.testdomain'
> server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (7) authorize {
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (7) suffix : No such realm "NULL"
> (7) [suffix] = noop
> (7) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (7) ntdomain : No such realm "NULL"
> (7) [ntdomain] = noop
> (7) update control {
> (7) Proxy-To-Realm := 'LOCAL'
> (7) } # update control = noop
> (7) eap : EAP packet type response id 8 length 32
> (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
> the rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap : Peer sent Identity (1)
> (7) eap : Calling eap_mschapv2 to process EAP data
> (7) eap_mschapv2 : Issuing Challenge
> (7) eap : New EAP session, adding 'State' attribute to reply 0xdf4bb440df42ae97
> (7) [eap] = handled
> (7) } # authenticate = handled
> } # server inner-tunnel
> (7) eap_peap : Got tunneled reply code 11
> EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xdf4bb440df42ae976131f6adcea1c414
> (7) eap_peap : Got tunneled reply RADIUS code 11
> EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xdf4bb440df42ae976131f6adcea1c414
> (7) eap_peap : Got tunneled Access-Challenge
> (7) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a873b29f
> (7) [eap] = handled
> (7) } # authenticate = handled
> Sending Access-Challenge Id 219 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x0109005b1900170301005026e15c112b330ea70a897a62e1e776e56a8cfc3542db91a040be524e2ecd90127236545cd0d513ea877cdd23c887e844dd5fc775bd5cb9fc5aeb0e0d08ee6646e96621abff9801bf0b83f07219a91189
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12a873b29f91f28722b6106031
> (7) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 217 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 349
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x0209007b19001703010070c28751119ce4f468f4da5543f53dfa82dc9fb4ec3663880ebc4225065cf9de7314a32afc8093225d3fc12d012659cc234ee541504d9fde5d06fa80dfe83e331aa6527744476fd0f2aed8b4596f0efd388f1b20164aba971c8de1654bc68e9b63b89c741d4067a43f254bc083a03ea937
> State = 0xaf7aab12a873b29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x60c7b813e29d7f613e573fca00dadb1f
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (8) authorize {
> (8) filter_username filter_username {
> (8) if (User-Name != "%{tolower:%{User-Name}}")
> (8) EXPAND %{tolower:%{User-Name}}
> (8) --> host/win81-ops.in.testdomain
> (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (8) if (User-Name =~ / /)
> (8) if (User-Name =~ / /) -> FALSE
> (8) if (User-Name =~ /@.*@/ )
> (8) if (User-Name =~ /@.*@/ ) -> FALSE
> (8) if (User-Name =~ /\\.\\./ )
> (8) if (User-Name =~ /\\.\\./ ) -> FALSE
> (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (8) if (User-Name =~ /\\.$/)
> (8) if (User-Name =~ /\\.$/) -> FALSE
> (8) if (User-Name =~ /@\\./)
> (8) if (User-Name =~ /@\\./) -> FALSE
> (8) } # filter_username filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (8) suffix : No such realm "NULL"
> (8) [suffix] = noop
> (8) eap : EAP packet type response id 9 length 123
> (8) eap : Continuing tunnel setup.
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/freeradius/sites-enabled/default
> (8) authenticate {
> (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97
> (8) eap : Finished EAP session with state 0xaf7aab12a873b29f
> (8) eap : Previous EAP request found for state 0xaf7aab12a873b29f,
> released from the list
> (8) eap : Peer sent PEAP (25)
> (8) eap : EAP PEAP (25)
> (8) eap : Calling eap_peap to process EAP data
> (8) eap_peap : processing EAP-TLS
> (8) eap_peap : eaptls_verify returned 7
> (8) eap_peap : Done initial handshake
> (8) eap_peap : eaptls_process returned 7
> (8) eap_peap : FR_TLS_OK
> (8) eap_peap : Session established. Decoding tunneled attributes.
> (8) eap_peap : Peap state phase2
> (8) eap_peap : EAP type MSCHAPv2 (26)
> (8) eap_peap : Got tunneled request
> EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577
> server default {
> (8) eap_peap : Setting User-Name to host/win81-ops.in.testdomain
> Sending tunneled request
> EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = 'host/win81-ops.in.testdomain'
> State = 0xdf4bb440df42ae976131f6adcea1c414
> server inner-tunnel {
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) authorize {
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (8) suffix : No such realm "NULL"
> (8) [suffix] = noop
> (8) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (8) ntdomain : No such realm "NULL"
> (8) [ntdomain] = noop
> (8) update control {
> (8) Proxy-To-Realm := 'LOCAL'
> (8) } # update control = noop
> (8) eap : EAP packet type response id 9 length 86
> (8) eap : No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97
> (8) eap : Finished EAP session with state 0xdf4bb440df42ae97
> (8) eap : Previous EAP request found for state 0xdf4bb440df42ae97,
> released from the list
> (8) eap : Peer sent MSCHAPv2 (26)
> (8) eap : EAP MSCHAPv2 (26)
> (8) eap : Calling eap_mschapv2 to process EAP data
> (8) eap_mschapv2 : # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) eap_mschapv2 : Auth-Type MS-CHAP {
> (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain
> (8) mschap : Client is using MS-CHAPv2
> (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}
> (8) mschap : EXPAND --username=%{mschap:User-Name:-None}
> (8) mschap : --> --username=win81-ops$
> (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
> (8) mschap : --> --domain=in
> (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain
> (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00}
> (8) mschap : --> --challenge=4d7bb6f00f0d7a38
> (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00}
> (8) mschap : -->
> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229
> (8) ERROR: mschap : Program returned code (1) and output 'Logon
> failure (0xc000006d)'
> (8) mschap : External script failed.
> (8) ERROR: mschap : External script says: Logon failure (0xc000006d)
> (8) ERROR: mschap : MS-CHAP2-Response is incorrect
> (8) [mschap] = reject
> (8) } # Auth-Type MS-CHAP = reject
> (8) eap : Freeing handler
> (8) [eap] = reject
> (8) } # authenticate = reject
> (8) Failed to authenticate the user.
> (8) Login incorrect (mschap: Program returned code (1) and output
> 'Logon failure (0xc000006d)'): [host/win81-ops.in.testdomain] (from
> client ap1-38-wlsclt-00 port 0 via TLS tunnel)
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (8) Post-Auth-Type REJECT {
> (8) attr_filter.access_reject : EXPAND %{User-Name}
> (8) attr_filter.access_reject : --> host/win81-ops.in.testdomain
> (8) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (8) [attr_filter.access_reject] = updated
> (8) } # Post-Auth-Type REJECT = updated
> } # server inner-tunnel
> (8) eap_peap : Got tunneled reply code 3
> MS-CHAP-Error = '\tE=691 R=1'
> EAP-Message = 0x04090004
> Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap : Got tunneled reply RADIUS code 3
> MS-CHAP-Error = '\tE=691 R=1'
> EAP-Message = 0x04090004
> Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap : Tunneled authentication was rejected.
> (8) eap_peap : FAILURE
> (8) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a770b29f
> (8) [eap] = handled
> (8) } # authenticate = handled
> Sending Access-Challenge Id 217 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x010a002b190017030100200b738039b4f535481dff197a39ee81927b772fac96781dd6e727a46a1fce1378
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xaf7aab12a770b29f91f28722b6106031
> (8) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 220 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 269
> User-Name = 'host/win81-ops.in.testdomain'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x020a002b19001703010020544957a4f102082595db7a5beab83a5e39c5618bc043779c4640f13519373571
> State = 0xaf7aab12a770b29f91f28722b6106031
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0x567dfee464244ff803f97a5369736c65
> (9) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (9) authorize {
> (9) filter_username filter_username {
> (9) if (User-Name != "%{tolower:%{User-Name}}")
> (9) EXPAND %{tolower:%{User-Name}}
> (9) --> host/win81-ops.in.testdomain
> (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (9) if (User-Name =~ / /)
> (9) if (User-Name =~ / /) -> FALSE
> (9) if (User-Name =~ /@.*@/ )
> (9) if (User-Name =~ /@.*@/ ) -> FALSE
> (9) if (User-Name =~ /\\.\\./ )
> (9) if (User-Name =~ /\\.\\./ ) -> FALSE
> (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (9) if (User-Name =~ /\\.$/)
> (9) if (User-Name =~ /\\.$/) -> FALSE
> (9) if (User-Name =~ /@\\./)
> (9) if (User-Name =~ /@\\./) -> FALSE
> (9) } # filter_username filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
> looking up realm NULL
> (9) suffix : No such realm "NULL"
> (9) [suffix] = noop
> (9) eap : EAP packet type response id 10 length 43
> (9) eap : Continuing tunnel setup.
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) authenticate {
> (9) eap : Expiring EAP session with state 0xaf7aab12a770b29f
> (9) eap : Finished EAP session with state 0xaf7aab12a770b29f
> (9) eap : Previous EAP request found for state 0xaf7aab12a770b29f,
> released from the list
> (9) eap : Peer sent PEAP (25)
> (9) eap : EAP PEAP (25)
> (9) eap : Calling eap_peap to process EAP data
> (9) eap_peap : processing EAP-TLS
> (9) eap_peap : eaptls_verify returned 7
> (9) eap_peap : Done initial handshake
> (9) eap_peap : eaptls_process returned 7
> (9) eap_peap : FR_TLS_OK
> (9) eap_peap : Session established. Decoding tunneled attributes.
> (9) eap_peap : Peap state send tlv failure
> (9) eap_peap : Received EAP-TLV response.
> (9) eap_peap : The users session was previously rejected: returning
> reject (again.)
> (9) eap_peap : *** This means you need to read the PREVIOUS messages
> in the debug output
> (9) eap_peap : *** to find out the reason why the user was rejected.
> (9) eap_peap : *** Look for "reject" or "fail". Those earlier
> messages will tell you.
> (9) eap_peap : *** what went wrong, and how to fix the problem.
> SSL: Removing session
> 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d from
> the cache
> (9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (9) eap : Failed in EAP select
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user.
> (9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP
> sub-module failed): [host/win81-ops.in.testdomain] (from client
> ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject : EXPAND %{User-Name}
> (9) attr_filter.access_reject : --> host/win81-ops.in.testdomain
> (9) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
> (9) [eap] = noop
> (9) remove_reply_message_if_eap remove_reply_message_if_eap {
> (9) if (reply:EAP-Message && reply:Reply-Message)
> (9) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
> (9) else else {
> (9) [noop] = noop
> (9) } # else else = noop
> (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (9) Sending delayed response
> Sending Access-Reject Id 220 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x040a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 2.5 seconds.
> (0) Cleaning up request packet ID 211 with timestamp +5
> (1) Cleaning up request packet ID 203 with timestamp +5
> (2) Cleaning up request packet ID 213 with timestamp +5
> (3) Cleaning up request packet ID 212 with timestamp +5
> (4) Cleaning up request packet ID 215 with timestamp +5
> (5) Cleaning up request packet ID 216 with timestamp +5
> Waking up in 1.4 seconds.
> (6) Cleaning up request packet ID 218 with timestamp +7
> (7) Cleaning up request packet ID 219 with timestamp +7
> (8) Cleaning up request packet ID 217 with timestamp +7
> (9) Cleaning up request packet ID 220 with timestamp +7
> Ready to process requests.
> Received Access-Request Id 221 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 218
> User-Name = 'TESTDOMAIN\\testuser'
> NAS-IP-Address = 172.17.6.253
> NAS-Port = 0
> NAS-Identifier = 'wirelesscontroller'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = '5C514FFA8C73'
> Called-Station-Id = '000B869A9037'
> Service-Type = Framed-User
> Framed-MTU = 1100
> EAP-Message = 0x02010015014652455348564945575c74796e616e79
> Aruba-Essid-Name = 'bandit'
> Aruba-Location-Id = 'ap1'
> Aruba-AP-Group = 'syd'
> Aruba-Device-Type = 'Windows'
> Message-Authenticator = 0xdd9875a4f200bb105676cc44bbc1990a
> (10) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (10) authorize {
> (10) filter_username filter_username {
> (10) if (User-Name != "%{tolower:%{User-Name}}")
> (10) EXPAND %{tolower:%{User-Name}}
> (10) --> testdomain\\testuser
> (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE
> (10) if (User-Name != "%{tolower:%{User-Name}}") {
> (10) [reject] = reject
> (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject
> (10) } # filter_username filter_username = reject
> (10) } # authorize = reject
> (10) Invalid user: [TESTDOMAIN\\testuser] (from client
> ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/freeradius/sites-enabled/default
> (10) Post-Auth-Type REJECT {
> (10) attr_filter.access_reject : EXPAND %{User-Name}
> (10) attr_filter.access_reject : --> TESTDOMAIN\\testuser
> (10) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (10) [attr_filter.access_reject] = updated
> (10) eap : Request was previously rejected, inserting EAP-Failure
> (10) [eap] = updated
> (10) remove_reply_message_if_eap remove_reply_message_if_eap {
> (10) if (reply:EAP-Message && reply:Reply-Message)
> (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
> (10) else else {
> (10) [noop] = noop
> (10) } # else else = noop
> (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (10) } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (10) Sending delayed response
> Sending Access-Reject Id 221 from 192.168.254.181:1812 to 172.17.6.253:32985
> EAP-Message = 0x04010004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (10) Cleaning up request packet ID 221 with timestamp +12
> Ready to process requests.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list