<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV>Hello Everybody! </DIV>
<DIV> </DIV>
<DIV>We are having an issue trying to set up a RADIUS server with a Huawei Quidway S3900 as authenticator.</DIV>
<DIV> </DIV>
<DIV>The switch ports are configured as hybrid and tagged on all four of our VLANs. We also configured VLAN 1 (the default) as the guest VLAN of the ports, and dot1x is activated globally and on each Ethernet port.</DIV>
<DIV> </DIV>
<DIV>The RADIUS server is configured to search for users in an LDAP directory. Here are the parameters of one of our users in the directory:</DIV>
<DIV> </DIV>
<DIV>dn: uid=toto,ou=Users,ou=ceforp,dc=uac,dc=bj<BR>uid: toto<BR>cn: toto<BR>sambaSID: toto<BR>telephoneNumber: 00000000<BR>roomNumber: 00000000<BR>homePhone: 97 09 61 90/90 04 12 26<BR>givenName: toto<BR>sn: toto<BR>mail: <A href="mailto:toto@ceforp.uac.bj">toto@ceforp.uac.bj</A><BR>objectClass: person<BR>objectClass: organizationalPerson<BR>objectClass: inetOrgPerson<BR>objectClass: posixAccount</DIV>
<DIV>objectClass: radiusProfile<BR>objectClass: top<BR>objectClass: sambaSamAccount<BR>objectClass: shadowAccount<BR>userPassword: {crypt}$1$JGZ378je$G9BPCKU.BWv1QEAZCQtFO.<BR>sambaLMPassword: AZERTY<BR>sambaNTPassword: AZERTY<BR>shadowLastChange: 14250<BR>shadowMax: 99999<BR>shadowWarning: 7</DIV>
<DIV>radiusTunnelPrivateGroup-Id: "2"<BR>radiusTunnelMediumType: IEEE-802<BR>radiusTunnelType: VLAN</DIV>
<DIV>loginShell: /bin/bash<BR>uidNumber: 1616<BR>gidNumber: 1614<BR>homeDirectory: /home/toto</DIV>
<DIV>gecos: Akouma toto,,,97 09 61 90/90 04 12 26</DIV>
<DIV> </DIV>
<DIV>When we try to authenticate with this user account, although the RADIUS log shows that it sends the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) in Access-Challenge messages and finally sends an Access-Accept message, the switch does not assign the right VLAN (the switch from VLAN 1 to VLAN 2 does not occur) and the user stays in VLAN 1. We note that there is no VLAN attribute in the Access-Accept message.</DIV>
<DIV> </DIV>
<DIV>What may be wrong? Below is the RADIUS server's output log:</DIV>
<DIV> </DIV>
<DIV><BR> <BR>Ready to process requests.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=22, length<BR>=115<BR> User-Name = "toto"<BR> EAP-Message = 0x0201000901746f746f<BR> Message-Authenticator = 0x60464542ce8c771452c8234d62a8de2d<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR>+- entering group authorize<BR>++[preprocess]
returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 1 length 9<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>++[unix] returns notfound<BR> users: Matched entry DEFAULT at line 172<BR>++[files] returns ok<BR>rlm_ldap: - authorize<BR>rlm_ldap: performing user authorization for toto<BR> expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAcc<BR>ount)(uid=toto))<BR> expand: dc=uac,dc=bj -> dc=uac,dc=bj<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP
reconnection<BR>Sending Access-Challenge of id 22 to 192.168.100.5 port 5001<BR> Framed-Protocol = PPP<BR> Framed-Compression = Van-Jacobson-TCP-IP<BR> Tunnel-Private-Group-Id:0 = "2"<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Type:0 = VLAN<BR> EAP-Message = 0x010200061920<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cba88ca91516c2ad39391ee6f1<BR>Finished request 0.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=23, length=236<BR> User-Name =
"toto"<BR> EAP-Message = 0x0202007019800000006616030100610100005d03014a3f38dbbadfdeb57d18de0598e2cc8fc3a93bdc048767fda66314b9273e319b200a7da7d94248ab602a4aad9e3fcb579310da741faf694e40b9fef41839ae4604001600040005000a000900640062000300060013001200630100<BR> Message-Authenticator = 0x3cf0c9732a7a9b23dea1cf4538f76931<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR>
State = 0xa88eb0cba88ca91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 2 length 112<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap] returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR> rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR> TLS Length 102<BR>rlm_eap_tls: Length Included<BR> eaptls_verify returned 11<BR> (other): before/accept initialization<BR>
TLS_accept: before/accept initialization<BR> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello<BR> TLS_accept: SSLv3 read client hello A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello<BR> TLS_accept: SSLv3 write server hello A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0eb6], Certificate<BR> TLS_accept: SSLv3 write certificate A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<BR> TLS_accept: SSLv3 write server done A<BR> TLS_accept: SSLv3 flush data<BR> TLS_accept: Need to read more data: SSLv3 read client certificate A<BR>In SSL Handshake Phase<BR>In SSL Accept mode<BR> eaptls_process returned 13<BR> rlm_eap_peap: EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 23 to 192.168.100.5 port
5001<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cba98da91516c2ad39391ee6f1<BR>Finished request 1.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=24,
length=130<BR> User-Name = "toto"<BR> EAP-Message = 0x020300061900<BR> Message-Authenticator = 0xb5552c32bd90604d37c9c0fb4482455e<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cba98da91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap]
returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 3 length 6<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap] returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR> rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR>rlm_eap_tls: Received EAP-TLS ACK message<BR> rlm_eap_tls: ack handshake fragment handler<BR> eaptls_verify returned 1<BR> eaptls_process returned 13<BR> rlm_eap_peap: EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 24 to 192.168.100.5 port
5001<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1<BR>Finished request 2.<BR>Going to the next request<BR>Waking up in 4.8 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=25, length=130<BR>
User-Name = "toto"<BR> EAP-Message = 0x020400061900<BR> Message-Authenticator = 0x5eeac44dfede983aedee24c387cb44e9<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A
href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 4 length 6<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap] returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR> rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR>rlm_eap_tls: Received EAP-TLS ACK message<BR> rlm_eap_tls: ack handshake fragment handler<BR> eaptls_verify returned 1<BR> eaptls_process returned 13<BR> rlm_eap_peap: EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 25 to 192.168.100.5 port 5001<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cbab8ba91516c2ad39391ee6f1<BR>Finished request 3.<BR>Going to the next request<BR>Waking up in 4.7 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=26,
length=130<BR> User-Name = "toto"<BR> EAP-Message = 0x020500061900<BR> Message-Authenticator = 0x95ef28d6ba4539705842ff6961284ff6<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR>Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cbae86a91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up
realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 8 length 32<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap] returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR> rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7<BR> rlm_eap_tls: Done initial handshake<BR> eaptls_process returned 7<BR> rlm_eap_peap: EAPTLS_OK<BR> rlm_eap_peap: Session established. Decoding tunneled attributes.<BR> rlm_eap_peap: Identity - toto<BR> PEAP: Got tunneled EAP-Message<BR> EAP-Message = 0x0208000901746f746f<BR> PEAP: Got tunneled identity of
toto<BR> PEAP: Setting default EAP type for tunneled EAP session.<BR> PEAP: Setting User-Name to toto<BR> PEAP: Sending tunneled request<BR> EAP-Message = 0x0208000901746f746f<BR> FreeRADIUS-Proxied-To = 127.0.0.1<BR> User-Name = "toto"<BR>server (null) {<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 8 length 9<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>rlm_ldap: - authorize<BR>rlm_ldap: performing
user authorization for toto<BR> expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))<BR> expand: dc=uac,dc=bj -> dc=uac,dc=bj<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))<BR>rlm_ldap: checking if remote access for toto is allowed by uid<BR>rlm_ldap: No default NMAS login sequence<BR>rlm_ldap: looking for check items in directory...<BR>rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233<BR>rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534<BR>rlm_ldap: LDAP attribute userPassword as RADIUS attribute
User-Password == "totouser"<BR>:rlm_ldap: looking for reply items in directory...<BR>rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"<BR>rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802<BR>rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN<BR>rlm_ldap: user toto authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>rlm_pap: Normalizing NT-Password from hex encoding<BR>rlm_pap: Normalizing LM-Password from hex encoding<BR>rlm_pap: Found existing Auth-Type, not changing it.<BR>++[pap] returns noop<BR> rad_check_password: Found Auth-Type EAP<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>!!! Replacing User-Password in config items with
Cleartext-Password. !!!<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>!!! Please update your configuration so that the "known good" !!!<BR>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: EAP Identity<BR> rlm_eap: processing type mschapv2<BR>rlm_eap_mschapv2: Issuing Challenge<BR>++[eap] returns handled<BR>} # server (null)<BR> PEAP: Got tunneled reply RADIUS code 11<BR> Tunnel-Private-Group-Id:0 = "2"<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Type:0 =
VLAN<BR> EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x0c186c320c1176bedb16c1e664f42fe2<BR> PEAP: Processing from tunneled session code 0x7c2670 11<BR> Tunnel-Private-Group-Id:0 = "2"<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Type:0 = VLAN<BR> EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f:<BR>746f<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x0c186c320c1176bedb16c1e664f42fe2<BR> PEAP: Got tunneled
Access-Challenge<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 29 to 192.168.100.5 port 5001<BR> EAP-Message = 0x010900351900170301002ae5ded2cf6543b4449305996cc5fdcfec9bf7867d5fdb62ee189022502a79da435f13d7b9b80c2f8ced86<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cbaf87a91516c2ad39391ee6f1<BR>Finished request 7.<BR>Going to the next request<BR>Waking up in 4.4 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=30, length=210<BR> User-Name = "toto"<BR> EAP-Message =
0x020900561900170301004bbaf13ec9d401f583cd58929b8f7f454cdb002639dc4ea00b14a69f6400eea5d340665d95edb631514792962e1d54723456e074bd14b4ba6f45464f3d30552dc3f8823cd456500ca92efae7<BR> Message-Authenticator = 0xa44820cdf03d1108a8d932ec95e953ef<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cbaf87a91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns
noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 9 length 86<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap] returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR>rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7<BR> rlm_eap_tls: Done initial handshake<BR> eaptls_process returned 7<BR> rlm_eap_peap: EAPTLS_OK<BR> rlm_eap_peap: Session established. Decoding tunneled attributes.<BR> rlm_eap_peap: EAP type mschapv2<BR> PEAP: Got tunneled
EAP-Message<BR> EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f<BR> PEAP: Setting User-Name to toto<BR> PEAP: Sending tunneled request<BR> EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f<BR> FreeRADIUS-Proxied-To = 127.0.0.1<BR> User-Name = "toto"<BR> State = 0x0c186c320c1176bedb16c1e664f42fe2<BR>server (null) {<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm
NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 9 length 63<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>rlm_ldap: - authorize<BR>rlm_ldap: performing user authorization for toto<BR> expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))<BR> expand: dc=uac,dc=bj -> dc=uac,dc=bj<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))<BR>rlm_ldap: checking if remote access for toto is allowed by uid<BR>rlm_ldap: No default NMAS login sequence</DIV>
<DIV>rlm_ldap: looking for check items in directory...<BR>rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233<BR>rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534<BR>rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser"<BR>rlm_ldap: looking for reply items in directory...<BR>rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"<BR>rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802<BR>rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN<BR>rlm_ldap: user toto authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns
noop<BR>rlm_pap: Normalizing NT-Password from hex encoding<BR>rlm_pap: Normalizing LM-Password from hex encoding<BR>rlm_pap: Found existing Auth-Type, not changing it.<BR>++[pap] returns noop<BR> rad_check_password: Found Auth-Type EAP<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>!!! Replacing User-Password in config items with Cleartext-Password. !!!<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>!!! Please update your configuration so that the "known good" !!!<BR>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<BR>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the
list<BR> rlm_eap: EAP/mschapv2<BR> rlm_eap: processing type mschapv2<BR>+- entering group MS-CHAP<BR> rlm_mschap: Found LM-Password<BR> rlm_mschap: Found NT-Password<BR> rlm_mschap: Told to do MS-CHAPv2 for toto with NT-Password<BR>rlm_mschap: adding MS-CHAPv2 MPPE keys<BR>++[mschap] returns ok<BR>MSCHAP Success<BR>++[eap] returns handled<BR>} # server (null)<BR> PEAP: Got tunneled reply RADIUS code 11<BR> Tunnel-Private-Group-Id:0 = "2"<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Type:0 = VLAN<BR> EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134<BR> Message-Authenticator =
0x00000000000000000000000000000000<BR> State = 0x0c186c320d1276bedb16c1e664f42fe2<BR> PEAP: Processing from tunneled session code 0x7c52c0 11<BR> Tunnel-Private-Group-Id:0 = "2"<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Type:0 = VLAN<BR> EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x0c186c320d1276bedb16c1e664f42fe2<BR> PEAP: Got tunneled Access-Challenge<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 30 to 192.168.100.5 port 5001<BR> EAP-Message
= 0x010a004a1900170301003ff9c9a8096c8008435d18d64dd2844e84eaccd55bc005519a1e4330882677b71ee2dfdead2f7bfc9dcf711bd2b6776b5ded041a41783f07063d0a82dfff7eee<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xa88eb0cba084a91516c2ad39391ee6f1<BR>Finished request 8.<BR>Going to the next request<BR>Waking up in 4.3 seconds.<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=31, length=153<BR> User-Name = "toto"<BR> EAP-Message = 0x020a001d19001703010012c5c3e515e280e0362280ea65d35a6ee5f57e<BR> Message-Authenticator = 0xb12836f1115dd64af2d01d2d0fc41bca<BR> NAS-IP-Address = 192.168.100.5<BR> NAS-Identifier =
"000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cba084a91516c2ad39391ee6f1<BR>+- entering group authorize<BR>rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=32, length<BR>=162<BR> User-Name = "toto"<BR> EAP-Message = 0x020b00261900170301001bac16d38a5cfbaed36ed0105a6c7c16925c<BR>925a2a8a04b60c164770<BR> Message-Authenticator = 0x6969775e3b691b3e7ef57aaa3e4d3ba7<BR> NAS-IP-Address =
192.168.100.5<BR> NAS-Identifier = "000fe265a2f5"<BR> NAS-Port = 268455937<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Framed-Protocol = PPP<BR> Calling-Station-Id = "000b-5d4a-369f"<BR> State = 0xa88eb0cba185a91516c2ad39391ee6f1<BR>+- entering group authorize<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "toto", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR>++[suffix] returns noop<BR> rlm_eap: EAP packet type response id 11 length 38<BR> rlm_eap: Continuing tunnel setup.<BR>++[eap]
returns ok<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>+- entering group authenticate<BR> rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/peap<BR> rlm_eap: processing type peap<BR> rlm_eap_peap: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7<BR> rlm_eap_tls: Done initial handshake<BR> eaptls_process returned 7<BR> rlm_eap_peap: EAPTLS_OK<BR> rlm_eap_peap: Session established. Decoding tunneled attributes.<BR> rlm_eap_peap: Received EAP-TLV response.<BR> rlm_eap_peap: Success<BR> rlm_eap: Freeing handler<BR>++[eap] returns ok<BR>Login OK: [toto/<via Auth-Type = EAP>] (from client uac_quid002 port 268455937 cli 000b-5d4a-369f)<BR>+- entering group post-auth<BR>++[exec] returns noop<BR>Sending Access-Accept of id 32 to 192.168.100.5 port 5001<BR>
MS-MPPE-Recv-Key = 0x3fc9ad8eb5c61fa194fbcf43ec68aa879a28a6f2b25d5dcc96531f47dccdae69<BR> MS-MPPE-Send-Key = 0xaf8ead06473463ae03e04ac1cc4f09e8e827287effa7ccaf360b0b8bbc2ed18e<BR> EAP-Message = 0x030b0004<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> User-Name = "toto"<BR>Finished request 10.<BR>Going to the next request<BR>Waking up in 4.1 seconds.<BR><BR>Thanks for your help!</DIV></div><br>
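<DIV>Added example, not part of the original post and not FreeRADIUS code: a check over debug output like the log above that reports whether the final Access-Accept carries the three VLAN attributes, and whether they were present in the inner PEAP tunnel reply or in an earlier Access-Challenge. The function names are hypothetical, and SAMPLE_LOG is abridged from the post's log with the key attributes left out.</DIV>

```python
import re

# RFC 3580 dynamic VLAN assignment: the switch acts on these three
# attributes only when they arrive in the Access-Accept.
REQUIRED = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": None,  # any VLAN id is acceptable here
}

OUTER = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
INNER = re.compile(r"^\s*PEAP: Got tunneled reply RADIUS code (\d+)")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(.+?)\s*$")


def parse_blocks(log):
    """Return (kind, label, attrs) for each outer packet sent and each
    inner-tunnel reply found in FreeRADIUS debug output."""
    blocks, current = [], None
    for line in log.splitlines():
        outer, inner = OUTER.match(line), INNER.match(line)
        if outer:
            current = ("outer", outer.group(1), {})
            blocks.append(current)
        elif inner:
            current = ("inner", "code " + inner.group(1), {})
            blocks.append(current)
        elif current is not None:
            attr = ATTR.match(line)
            if attr:  # "Name:tag = value" line belonging to the block
                current[2][attr.group(1)] = attr.group(2).strip('"')
            else:     # first non-attribute line ends the block
                current = None
    return blocks


def vlan_problems(attrs):
    """List what is missing or wrong for VLAN assignment in one packet."""
    problems = []
    for name, expected in REQUIRED.items():
        if name not in attrs:
            problems.append(name + " missing")
        elif expected is not None and attrs[name] != expected:
            problems.append("%s is %s, expected %s" % (name, attrs[name], expected))
    return problems


def vlan_report(log):
    blocks = parse_blocks(log)
    accept = next((b for b in reversed(blocks)
                   if b[:2] == ("outer", "Access-Accept")), None)
    return {
        "accept_problems": vlan_problems(accept[2]) if accept
                           else ["no Access-Accept in log"],
        "inner_reply_has_vlan": any(b[0] == "inner" and not vlan_problems(b[2])
                                    for b in blocks),
        "challenges_with_vlan": sum(1 for b in blocks
                                    if b[:2] == ("outer", "Access-Challenge")
                                    and not vlan_problems(b[2])),
    }


# Abridged from the log in the post (key material omitted).
SAMPLE_LOG = """\
Sending Access-Challenge of id 22 to 192.168.100.5 port 5001
 Framed-Protocol = PPP
 Tunnel-Private-Group-Id:0 = "2"
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Type:0 = VLAN
 EAP-Message = 0x010200061920
Finished request 0.
 PEAP: Got tunneled reply RADIUS code 11
 Tunnel-Private-Group-Id:0 = "2"
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Type:0 = VLAN
 PEAP: Got tunneled Access-Challenge
Login OK: [toto/<via Auth-Type = EAP>] (from client uac_quid002 port 268455937 cli 000b-5d4a-369f)
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
 EAP-Message = 0x030b0004
 User-Name = "toto"
Finished request 10.
"""

if __name__ == "__main__":
    print(vlan_report(SAMPLE_LOG))
```

<DIV>FreeRADIUS 2.x has a use_tunneled_reply setting in the peap section of eap.conf that controls whether reply attributes from the inner tunnel are copied into the outer Access-Accept. Which value the poster's server uses is an assumption, since the post does not show its eap.conf.</DIV>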
</body></html>