connectivity issues with different devices
Andrew Meyer
andrewm659 at yahoo.com
Thu Dec 7 22:11:18 CET 2017
Hello,
I emailed in about a week ago trying to get eap+ttls configured to work with my MacBooks and mobile devices. I have finally gotten that working. However now i'm running into another issues. We had to do a code upgrade on my wireless to support TLS 1.2 which is now done.
Right now i'm facing an issue JUST on Mac OS X High Sierra where it is not able to authenticate. In order to get the mobile devices working on my test SSID I had to disable EAP+TLS termination from the Access Points to the FreeRADIUS server. I have EAP+TTLS setup to use PAP beacuse I'm authenticating to LDAP/FreeIPA.
This is working for Mac OS X 10.11.x, 10.12.x, Android 6 & 7, but not for High Sierra 10.13.x. I am still working on procuring a Apple Mobile device that is on the latest code.
So i'm trying to figure out if I need to change the config slightly but not 100% sure.
But here is my debug output right now:
Thu Dec 7 21:00:28 2017 : Debug: (35) Message-Authenticator = 0x9cc50130f378dd9808a639a0c01c246d
Thu Dec 7 21:00:28 2017 : Debug: (35) session-state: No cached attributes
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Dec 7 21:00:28 2017 : Debug: (35) authorize {
Thu Dec 7 21:00:28 2017 : Debug: (35) policy filter_username {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) -> TRUE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) } # if (&User-Name) = notfound
Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy filter_username = notfound
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling preprocess (rlm_preprocess)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from preprocess (rlm_preprocess)
Thu Dec 7 21:00:28 2017 : Debug: (35) [preprocess] = ok
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling chap (rlm_chap)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from chap (rlm_chap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [chap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling digest (rlm_digest)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from digest (rlm_digest)
Thu Dec 7 21:00:28 2017 : Debug: (35) [digest] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling suffix (rlm_realm)
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: Checking for suffix after "@"
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No '@' in User-Name = "andrew.meyer", looking up realm NULL
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No such realm "NULL"
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from suffix (rlm_realm)
Thu Dec 7 21:00:28 2017 : Debug: (35) [suffix] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent EAP Response (code 2) ID 8 length 119
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Continuing tunnel setup
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = ok
Thu Dec 7 21:00:28 2017 : Debug: (35) } # authorize = ok
Thu Dec 7 21:00:28 2017 : Debug: (35) Found Auth-Type = eap
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/default
Thu Dec 7 21:00:28 2017 : Debug: (35) authenticate {
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: calling eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Expiring EAP session with state 0x7ee913c27feb09b0
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Finished EAP session with state 0x4bff8a3e4df79f46
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Previous EAP request found for state 0x4bff8a3e4df79f46, released from the list
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent packet with method EAP TTLS (21)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Calling submodule eap_ttls to process data
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Authenticate
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Continuing EAP-TLS
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Peer sent flags --L
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Peer indicated complete TLS record size will be 109 bytes
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got complete TLS record (109 bytes)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: [eaptls verify] = length included
Thu Dec 7 21:00:28 2017 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: [eaptls process] = ok
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Session established. Proceeding to decode tunneled attributes
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got tunneled request
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: EAP-Message = 0x020200471a02020042310c2b32464a4d784b18430da9031e0a2c0000000000000000b79f070b5edc9d77e6b3a8afe5e8e14058595469c43a365700616e647265772e6d65796572
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
Thu Dec 7 21:00:28 2017 : Debug: (35) Virtual server inner-tunnel received request
Thu Dec 7 21:00:28 2017 : Debug: (35) EAP-Message = 0x020200471a02020042310c2b32464a4d784b18430da9031e0a2c0000000000000000b79f070b5edc9d77e6b3a8afe5e8e14058595469c43a365700616e647265772e6d65796572
Thu Dec 7 21:00:28 2017 : Debug: (35) FreeRADIUS-Proxied-To = 127.0.0.1
Thu Dec 7 21:00:28 2017 : Debug: (35) User-Name = "andrew.meyer"
Thu Dec 7 21:00:28 2017 : Debug: (35) State = 0x7ee913c27feb09b057d7e8dcddbcec86
Thu Dec 7 21:00:28 2017 : WARNING: (35) Outer and inner identities are the same. User privacy is compromised.
Thu Dec 7 21:00:28 2017 : Debug: (35) server inner-tunnel {
Thu Dec 7 21:00:28 2017 : Debug: (35) session-state: No cached attributes
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
Thu Dec 7 21:00:28 2017 : Debug: (35) authorize {
Thu Dec 7 21:00:28 2017 : Debug: (35) policy filter_username {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) -> TRUE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) {
Thu Dec 7 21:00:28 2017 : Debug: No matches
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) } # if (&User-Name) = notfound
Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy filter_username = notfound
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling chap (rlm_chap)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from chap (rlm_chap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [chap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling suffix (rlm_realm)
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: Checking for suffix after "@"
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No '@' in User-Name = "andrew.meyer", looking up realm NULL
Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No such realm "NULL"
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from suffix (rlm_realm)
Thu Dec 7 21:00:28 2017 : Debug: (35) [suffix] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) update control {
Thu Dec 7 21:00:28 2017 : Debug: (35) &Proxy-To-Realm := LOCAL
Thu Dec 7 21:00:28 2017 : Debug: (35) } # update control = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent EAP Response (code 2) ID 2 length 71
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling files (rlm_files)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from files (rlm_files)
Thu Dec 7 21:00:28 2017 : Debug: (35) [files] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling ldap (rlm_ldap)
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL
Thu Dec 7 21:00:28 2017 : Debug: rlm_ldap (ldap): Reserved connection (10)
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL XLAT
Thu Dec 7 21:00:28 2017 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree:
Thu Dec 7 21:00:28 2017 : Debug: literal --> (uid=
Thu Dec 7 21:00:28 2017 : Debug: XLAT-IF {
Thu Dec 7 21:00:28 2017 : Debug: attribute --> Stripped-User-Name
Thu Dec 7 21:00:28 2017 : Debug: }
Thu Dec 7 21:00:28 2017 : Debug: XLAT-ELSE {
Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name
Thu Dec 7 21:00:28 2017 : Debug: }
Thu Dec 7 21:00:28 2017 : Debug: literal --> )
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: --> (uid=andrew.meyer)
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Performing search in "cn=users,cn=accounts,dc=gatewayblend,dc=net" with filter "(uid=andrew.meyer)", scope "sub"
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Waiting for search result...
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: User object found at DN "uid=andrew.meyer,cn=users,cn=accounts,dc=gatewayblend,dc=net"
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Processing user attributes
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "userPassword" not found in LDAP object
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusControlAttribute" not found in LDAP object
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusRequestAttribute" not found in LDAP object
Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusReplyAttribute" not found in LDAP object
Thu Dec 7 21:00:28 2017 : WARNING: (35) ldap: No "known good" password added. Ensure the admin user has permission to read the password attribute
Thu Dec 7 21:00:28 2017 : WARNING: (35) ldap: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Thu Dec 7 21:00:28 2017 : Debug: rlm_ldap (ldap): Released connection (10)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from ldap (rlm_ldap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [ldap] = ok
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((ok || updated) && User-Password) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if ((ok || updated) && User-Password) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling expiration (rlm_expiration)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from expiration (rlm_expiration)
Thu Dec 7 21:00:28 2017 : Debug: (35) [expiration] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling logintime (rlm_logintime)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from logintime (rlm_logintime)
Thu Dec 7 21:00:28 2017 : Debug: (35) [logintime] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling pap (rlm_pap)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from pap (rlm_pap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [pap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) } # authorize = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) Found Auth-Type = eap
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Thu Dec 7 21:00:28 2017 : Debug: (35) authenticate {
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: calling eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Expiring EAP session with state 0x7ee913c27feb09b0
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Finished EAP session with state 0x7ee913c27feb09b0
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Previous EAP request found for state 0x7ee913c27feb09b0, released from the list
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Calling submodule eap_mschapv2 to process data
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: authenticate {
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : WARNING: (35) mschap: No Cleartext-Password configured. Cannot create NT-Password
Thu Dec 7 21:00:28 2017 : WARNING: (35) mschap: No Cleartext-Password configured. Cannot create LM-Password
Thu Dec 7 21:00:28 2017 : Debug: (35) mschap: Creating challenge hash with username: andrew.meyer
Thu Dec 7 21:00:28 2017 : Debug: (35) mschap: Client is using MS-CHAPv2
Thu Dec 7 21:00:28 2017 : ERROR: (35) mschap: FAILED: No NT/LM-Password. Cannot perform authentication
Thu Dec 7 21:00:28 2017 : ERROR: (35) mschap: MS-CHAP2-Response is incorrect
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from mschap (rlm_mschap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = reject
Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = reject
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Sending EAP Failure (code 4) ID 2 length 4
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Freeing handler
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = reject
Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = reject
Thu Dec 7 21:00:28 2017 : Debug: (35) Failed to authenticate the user
Thu Dec 7 21:00:28 2017 : Debug: (35) Using Post-Auth-Type Reject
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Thu Dec 7 21:00:28 2017 : Debug: (35) Post-Auth-Type REJECT {
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter)
Thu Dec 7 21:00:28 2017 : Debug: %{User-Name}
Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree:
Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EXPAND %{User-Name}
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: --> andrew.meyer
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Matched entry DEFAULT at line 11
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: MS-CHAP-Error = "\002E=691 R=1 C=6bfbf7b2dac4da0509b000cb87f64dd1 V=3 M=Authentication failed" allowed by MS-CHAP-Error =* ""
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "MS-CHAP-Error" allowed by 1 rules, disallowed by 0 rules
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EAP-Message = 0x04020004 allowed by EAP-Message =* 0x
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter)
Thu Dec 7 21:00:28 2017 : Debug: (35) [attr_filter.access_reject] = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) update outer.session-state {
Thu Dec 7 21:00:28 2017 : Debug: (35) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
Thu Dec 7 21:00:28 2017 : Debug: (35) } # update outer.session-state = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) } # Post-Auth-Type REJECT = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) } # server inner-tunnel
Thu Dec 7 21:00:28 2017 : Debug: (35) Virtual server sending reply
Thu Dec 7 21:00:28 2017 : Debug: (35) MS-CHAP-Error = "\002E=691 R=1 C=6bfbf7b2dac4da0509b000cb87f64dd1 V=3 M=Authentication failed"
Thu Dec 7 21:00:28 2017 : Debug: (35) EAP-Message = 0x04020004
Thu Dec 7 21:00:28 2017 : Debug: (35) Message-Authenticator = 0x00000000000000000000000000000000
Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got tunneled Access-Reject
Thu Dec 7 21:00:28 2017 : ERROR: (35) eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Sending EAP Failure (code 4) ID 8 length 4
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Failed in EAP select
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = invalid
Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = invalid
Thu Dec 7 21:00:28 2017 : Debug: (35) Failed to authenticate the user
Thu Dec 7 21:00:28 2017 : Debug: (35) Using Post-Auth-Type Reject
Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/default
Thu Dec 7 21:00:28 2017 : Debug: (35) Post-Auth-Type REJECT {
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter)
Thu Dec 7 21:00:28 2017 : Debug: %{User-Name}
Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree:
Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EXPAND %{User-Name}
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: --> andrew.meyer
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Matched entry DEFAULT at line 11
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EAP-Message = 0x04080004 allowed by EAP-Message =* 0x
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x
Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter)
Thu Dec 7 21:00:28 2017 : Debug: (35) [attr_filter.access_reject] = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Reply already contained an EAP-Message, not inserting EAP-Failure
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from eap (rlm_eap)
Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) policy remove_reply_message_if_eap {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&reply:EAP-Message && &reply:Reply-Message) {
Thu Dec 7 21:00:28 2017 : Debug: (35) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Thu Dec 7 21:00:28 2017 : Debug: (35) else {
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling noop (rlm_always)
Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from noop (rlm_always)
Thu Dec 7 21:00:28 2017 : Debug: (35) [noop] = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) } # else = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy remove_reply_message_if_eap = noop
Thu Dec 7 21:00:28 2017 : Debug: (35) } # Post-Auth-Type REJECT = updated
Thu Dec 7 21:00:28 2017 : Debug: (35) Delaying response for 1.000000 seconds
Thu Dec 7 21:00:28 2017 : Debug: Thread 4 waiting to be assigned a request
Thu Dec 7 21:00:28 2017 : Debug: Waking up in 0.6 seconds.
Thu Dec 7 21:00:29 2017 : Debug: (35) Sending delayed response
Thu Dec 7 21:00:29 2017 : Debug: (35) Sent Access-Reject Id 249 from 10.1.6.160:1812 to 10.1.10.2:37381 length 44
Thu Dec 7 21:00:29 2017 : Debug: (35) EAP-Message = 0x04080004
Thu Dec 7 21:00:29 2017 : Debug: (35) Message-Authenticator = 0x00000000000000000000000000000000
Thu Dec 7 21:00:29 2017 : Debug: Waking up in 3.9 seconds.
Thu Dec 7 21:00:33 2017 : Debug: (28) Cleaning up request packet ID 242 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (29) Cleaning up request packet ID 243 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (30) Cleaning up request packet ID 244 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (31) Cleaning up request packet ID 245 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (32) Cleaning up request packet ID 246 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (33) Cleaning up request packet ID 247 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (34) Cleaning up request packet ID 248 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Debug: (35) Cleaning up request packet ID 249 with timestamp +3225
Thu Dec 7 21:00:33 2017 : Info: Ready to process requests
Thank you in advance,
Andrew
More information about the Freeradius-Users
mailing list