Hi. I'm trying to set up PEAP authentication with AD on freeradius 2.1.7 (centos).<br><br>Everything in users file is commented out (including DEFAULTs) except the test<br>user "bob" who authenticates successfully.<br>
<br>Auth requests fail in mschap module with "external program" complaining about an<br>invalid parameter (which I cannot pinpoint).<br><br>radiusd -X:<br><br>FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31<br>
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <br>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <br>PARTICULAR PURPOSE. <br>You may redistribute copies of FreeRADIUS under the terms of the <br>
GNU General Public License v2. <br>Starting - reading configuration files ...<br>including configuration file /etc/raddb/radiusd.conf<br>including configuration file /etc/raddb/proxy.conf<br>including configuration file /etc/raddb/clients.conf<br>
including files in directory /etc/raddb/modules/<br>including configuration file /etc/raddb/modules/files<br>including configuration file /etc/raddb/modules/expiration<br>including configuration file /etc/raddb/modules/sradutmp<br>
including configuration file /etc/raddb/modules/wimax<br>including configuration file /etc/raddb/modules/realm<br>including configuration file /etc/raddb/modules/sql_log<br>including configuration file /etc/raddb/modules/inner-eap<br>
including configuration file /etc/raddb/modules/detail<br>including configuration file /etc/raddb/modules/smbpasswd<br>including configuration file /etc/raddb/modules/preprocess<br>including configuration file /etc/raddb/modules/unix<br>
including configuration file /etc/raddb/modules/mschap<br>including configuration file /etc/raddb/modules/acct_unique<br>including configuration file /etc/raddb/modules/logintime<br>including configuration file /etc/raddb/modules/digest<br>
including configuration file /etc/raddb/modules/checkval<br>including configuration file /etc/raddb/modules/mac2vlan<br>including configuration file /etc/raddb/modules/chap<br>including configuration file /etc/raddb/modules/counter<br>
including configuration file /etc/raddb/modules/ippool<br>including configuration file /etc/raddb/modules/policy<br>including configuration file /etc/raddb/modules/pam<br>including configuration file /etc/raddb/modules/cui<br>
including configuration file /etc/raddb/modules/radutmp<br>including configuration file /etc/raddb/modules/exec<br>including configuration file /etc/raddb/modules/<a href="http://detail.example.com">detail.example.com</a><br>
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>including configuration file /etc/raddb/modules/detail.log<br>including configuration file /etc/raddb/modules/linelog<br>including configuration file /etc/raddb/modules/smsotp<br>
including configuration file /etc/raddb/modules/echo<br>including configuration file /etc/raddb/modules/pap<br>including configuration file /etc/raddb/modules/perl<br>including configuration file /etc/raddb/modules/otp<br>
including configuration file /etc/raddb/modules/passwd<br>including configuration file /etc/raddb/modules/attr_rewrite<br>including configuration file /etc/raddb/modules/mac2ip<br>including configuration file /etc/raddb/modules/expr<br>
including configuration file /etc/raddb/modules/always<br>including configuration file /etc/raddb/modules/etc_group<br>including configuration file /etc/raddb/modules/attr_filter<br>including configuration file /etc/raddb/eap.conf<br>
including configuration file /etc/raddb/policy.conf<br>including files in directory /etc/raddb/sites-enabled/<br>including configuration file /etc/raddb/sites-enabled/control-socket<br>including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>
including configuration file /etc/raddb/sites-enabled/default<br>group = radiusd<br>user = radiusd<br>including dictionary file /etc/raddb/dictionary<br>main {<br> prefix = "/usr"<br> localstatedir = "/var"<br>
logdir = "/var/log/radius"<br> libdir = "/usr/lib/freeradius"<br> radacctdir = "/var/log/radius/radacct"<br> hostname_lookups = no<br> max_request_time = 30<br> cleanup_delay = 5<br>
max_requests = 1024<br> allow_core_dumps = no<br> pidfile = "/var/run/radiusd/radiusd.pid"<br> checkrad = "/usr/sbin/checkrad"<br> debug_level = 0<br> proxy_requests = yes<br> log {<br>
stripped_names = no<br> auth = no<br> auth_badpass = no<br> auth_goodpass = no<br> }<br> security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = yes<br> }<br>}<br>radiusd: #### Loading Realms and Home Servers ####<br>
proxy server {<br> retry_delay = 5<br> retry_count = 3<br> default_fallback = no<br> dead_time = 120<br> wake_all_if_all_dead = no<br> }<br> realm CITYHALL {<br> }<br> realm LOCAL {<br> }<br> home_server localhost {<br>
ipaddr = 127.0.0.1<br> port = 1812<br> type = "auth"<br> secret = "testing123"<br> response_window = 20<br> max_outstanding = 65536<br> require_message_authenticator = no<br> zombie_period = 40<br>
status_check = "status-server"<br> ping_interval = 30<br> check_interval = 30<br> num_answers_to_alive = 3<br> num_pings_to_alive = 3<br> revive_interval = 120<br> status_check_timeout = 4<br>
irt = 2<br> mrt = 16<br> mrc = 5<br> mrd = 30<br> }<br> home_server_pool my_auth_failover {<br> type = fail-over<br> home_server = localhost<br> }<br>radiusd: #### Loading Clients ####<br> client localhost {<br>
ipaddr = 127.0.0.1<br> require_message_authenticator = no<br> secret = "testing123"<br> nastype = "other"<br> }<br> client <a href="http://10.39.0.0/24">10.39.0.0/24</a> {<br> require_message_authenticator = no<br>
secret = "cityhall11"<br> nastype = "other"<br> }<br>radiusd: #### Instantiating modules ####<br> instantiate {<br> Module: Linked to module rlm_exec<br> Module: Instantiating exec<br> exec {<br>
wait = no<br> input_pairs = "request"<br> shell_escape = yes<br> }<br> Module: Linked to module rlm_expr<br> Module: Instantiating expr<br> Module: Linked to module rlm_expiration<br> Module: Instantiating expiration<br>
expiration {<br> reply-message = "Password Has Expired "<br> }<br> Module: Linked to module rlm_logintime<br> Module: Instantiating logintime<br> logintime {<br> reply-message = "You are calling outside your allowed timespan "<br>
minimum-timeout = 60<br> }<br> }<br>radiusd: #### Loading Virtual Servers ####<br>server inner-tunnel {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Linked to module rlm_pap<br>
Module: Instantiating pap<br> pap {<br> encryption_scheme = "auto"<br> auto_header = no<br> }<br> Module: Linked to module rlm_chap<br> Module: Instantiating chap<br> Module: Linked to module rlm_mschap<br>
Module: Instantiating mschap<br> mschap {<br> use_mppe = yes<br> require_encryption = yes<br> require_strong = no<br> with_ntdomain_hack = yes<br> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<br>
}<br> Module: Linked to module rlm_unix<br> Module: Instantiating unix<br> unix {<br> radwtmp = "/var/log/radius/radwtmp"<br> }<br> Module: Linked to module rlm_eap<br> Module: Instantiating eap<br> eap {<br>
default_eap_type = "peap"<br> timer_expire = 60<br> ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no<br> max_sessions = 2048<br> }<br> Module: Linked to sub-module rlm_eap_md5<br>
Module: Instantiating eap-md5<br> Module: Linked to sub-module rlm_eap_leap<br> Module: Instantiating eap-leap<br> Module: Linked to sub-module rlm_eap_gtc<br> Module: Instantiating eap-gtc<br> gtc {<br> challenge = "Password: "<br>
auth_type = "PAP"<br> }<br> Module: Linked to sub-module rlm_eap_tls<br> Module: Instantiating eap-tls<br> tls {<br> rsa_key_exchange = no<br> dh_key_exchange = yes<br> rsa_key_length = 512<br> dh_key_length = 512<br>
verify_depth = 0<br> pem_file_type = yes<br> private_key_file = "/etc/raddb/certs/radiuskey.pem"<br> certificate_file = "/etc/raddb/certs/radius.pem"<br> CA_file = "/etc/raddb/certs/ca.pem"<br>
private_key_password = "server2003"<br> dh_file = "/etc/raddb/certs/dh"<br> random_file = "/etc/raddb/certs/random"<br> fragment_size = 1024<br> include_length = yes<br> check_crl = no<br>
cipher_list = "DEFAULT"<br> cache {<br> enable = no<br> lifetime = 24<br> max_entries = 255<br> }<br> }<br> Module: Linked to sub-module rlm_eap_ttls<br> Module: Instantiating eap-ttls<br> ttls {<br>
default_eap_type = "peap"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> virtual_server = "inner-tunnel"<br> include_length = yes<br> }<br> Module: Linked to sub-module rlm_eap_peap<br>
Module: Instantiating eap-peap<br> peap {<br> default_eap_type = "mschapv2"<br> copy_request_to_tunnel = yes<br> use_tunneled_reply = yes<br> proxy_tunneled_request_as_eap = yes<br> virtual_server = "inner-tunnel"<br>
}<br> Module: Linked to sub-module rlm_eap_mschapv2<br> Module: Instantiating eap-mschapv2<br> mschapv2 {<br> with_ntdomain_hack = no<br> }<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_realm<br>
Module: Instantiating ntdomain<br> realm ntdomain {<br> format = "prefix"<br> delimiter = "\"<br> ignore_default = no<br> ignore_null = no<br> }<br> Module: Linked to module rlm_files<br>
Module: Instantiating files<br> files {<br> usersfile = "/etc/raddb/users"<br> acctusersfile = "/etc/raddb/acct_users"<br> preproxy_usersfile = "/etc/raddb/preproxy_users"<br> compat = "no"<br>
}<br> Module: Checking session {...} for more modules to load<br> Module: Linked to module rlm_radutmp<br> Module: Instantiating radutmp<br> radutmp {<br> filename = "/var/log/radius/radutmp"<br> username = "%{User-Name}"<br>
case_sensitive = yes<br> check_with_nas = yes<br> perm = 384<br> callerid = yes<br> }<br> Module: Checking pre-proxy {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br> Module: Linked to module rlm_attr_filter<br> Module: Instantiating attr_filter.access_reject<br> attr_filter attr_filter.access_reject {<br> attrsfile = "/etc/raddb/attrs.access_reject"<br>
key = "%{User-Name}"<br> }<br> } # modules<br>} # server<br>server {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_preprocess<br> Module: Instantiating preprocess<br> preprocess {<br> huntgroups = "/etc/raddb/huntgroups"<br> hints = "/etc/raddb/hints"<br> with_ascend_hack = no<br>
ascend_channels_per_line = 23<br> with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> with_alvarion_vsa_hack = no<br> }<br> Module: Instantiating suffix<br> realm suffix {<br>
format = "suffix"<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> Module: Checking preacct {...} for more modules to load<br> Module: Linked to module rlm_acct_unique<br>
Module: Instantiating acct_unique<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> Module: Checking accounting {...} for more modules to load<br>
Module: Linked to module rlm_detail<br> Module: Instantiating detail<br> detail {<br> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> header = "%t"<br> detailperm = 384<br>
dirperm = 493<br> locking = no<br> log_packet_header = no<br> }<br> Module: Instantiating attr_filter.accounting_response<br> attr_filter attr_filter.accounting_response {<br> attrsfile = "/etc/raddb/attrs.accounting_response"<br>
key = "%{User-Name}"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Checking pre-proxy {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br> } # modules<br>} # server<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br> type = "auth"<br> ipaddr = *<br> port = 0<br>
}<br>listen {<br> type = "acct"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "control"<br> listen {<br> socket = "/var/run/radiusd/radiusd.sock"<br> }<br>}<br>Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>Listening on command file /var/run/radiusd/radiusd.sock<br>Listening on proxy address * port 1814<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=234, length=245<br>
Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br> Service-Type = Framed-User<br> NAS-Port = 25<br>
NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>
EAP-Message = 0x02010028014349545948414c4c5cd090d0b4d0bcd0b8d0bdd0b8d181d182d180d0b0d182d0bed180<br> Message-Authenticator = 0x490abe1078ee3c188763003c6e43e205<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
[eap] EAP packet type response id 1 length 40<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "CITYHALL\Р?РґРјРёРЅРёС?С?С?Р°С?РѕС?", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "CITYHALL" for User-Name = "CITYHALL\Р?РґРјРёРЅРёС?С?С?Р°С?РѕС?"<br>[ntdomain] Found realm "CITYHALL"<br>
[ntdomain] Adding Stripped-User-Name = "Р?РґРјРёРЅРёС?С?С?Р°С?РѕС?"<br>[ntdomain] Adding Realm = "CITYHALL"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>++[unix] returns notfound<br>
++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>
Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type tls<br>[tls] Initiate<br>[tls] Start returned 1<br>++[eap] returns handled<br>Sending Access-Challenge of id 234 to 10.39.0.31 port 8021<br>
EAP-Message = 0x010200061920<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb08d3586c6b10255917bdeca99<br>Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=235, length=310<br> Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br>
Service-Type = Framed-User<br> NAS-Port = 25<br> NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br>
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br> State = 0x8d379fb08d3586c6b10255917bdeca99<br> EAP-Message = 0x0202005719800000004d16030100480100004403014e44cca9cfd29aea47fb1b5aac0d1e4525a05de3cf196712e5fcd92c5f9f15c500001600040005000a0009006400620003000600130012006301000005ff01000100<br>
Message-Authenticator = 0x38c1ccd58c27c231538169fa80f1cdee<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 2 length 87<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>
Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 77<br>[peap] Length Included<br>
[peap] eaptls_verify returned 11 <br>[peap] (other): before/accept initialization <br>[peap] TLS_accept: before/accept initialization <br>[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello <br>[peap] TLS_accept: SSLv3 read client hello A <br>
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello <br>[peap] TLS_accept: SSLv3 write server hello A <br>[peap] >>> TLS 1.0 Handshake [length 0795], Certificate <br>[peap] TLS_accept: SSLv3 write certificate A <br>
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone <br>[peap] TLS_accept: SSLv3 write server done A <br>[peap] TLS_accept: SSLv3 flush data <br>[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>
In SSL Handshake Phase <br>In SSL Accept mode <br>[peap] eaptls_process returned 13 <br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 235 to 10.39.0.31 port 8021<br> EAP-Message = 0x0103040019c0000007d916030100310200002d03014e44ce2e9ba714cd6ce2c2b6f65ff2b111d047de00f9fc1ba16448194c9295b0000004000005ff0100010016030107950b00079100078e0002ea308202e6308201cea003020102020101300d06092a864886f70d0101050500304a31133011060a0992268993f22c6401191603676f7631183016060a0992268993f22c64011916086369747968616c6c31193017060355040313104369747968616c6c20726f6f74204341301e170d3131303532373039303335365a170d3132303532363039303335365a30818d310b3009060355040613025255311430120603550408130b4b616c696e696e67<br>
EAP-Message = 0x726164311430120603550407130b4b616c696e696e677261643111300f060355040a13084349545948414c4c310d300b060355040b130443494b54310f300d06035504031306726164697573311f301d06092a864886f70d0109011610616665646f746f76406b6c67642e727530819f300d06092a864886f70d010101050003818d0030818902818100a9bd01fbcd1c9a73ed78777a5e47d6cd1b1a2a60db68bcde416c57bb50d06dcc5fa138befe517fda4a711a0814b4c00712b87475f48fbdfdfac7c35f0ca6ae315722d0c120d0e4070acd700dca4e38f05dcfa6900c86bc967018524d89c568dde6a6735badfa6395a5f593db7405433859f7bd<br>
EAP-Message = 0xa737106bb78cf4b142fbc7ebf10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101001c15824d2f157cae2a05b2c8d789c4f5a3749e5fb167b9da4db29ce3516e3652a8f22be40dcc92501379ac9735107470f47a28298df01d50eed08e74a5ec221d7f83723d5cb80fbfb5f0b9da6efa688e6f15aefe1219a161418e99ce38d305bb0b2a29078f063ba77ab1066e32067f0aaa6d3043089e146016c4a3eda16e99df4eab49d4ae34811d1e34538ea010d40f4a9e0d077fda374798ede64caab96c71b74c0edf1f47c0c196335974c49e30edaf9ff4935998553a3d86a8bee30b<br>
EAP-Message = 0x754c01c0196a66b0e0819a55e41eab738bf64e15412245297cffd3b72320e03d314e7a9e086341d5ec412176d1e117484759070d24209bcadf7b9c21feeb74b1b33d00049e3082049a30820382a00302010202102fad09775656c3b0478e136a8c5e2f49300d06092a864886f70d0101050500304a31133011060a0992268993f22c6401191603676f7631183016060a0992268993f22c64011916086369747968616c6c31193017060355040313104369747968616c6c20726f6f74204341301e170d3131303132313130333132375a170d3136303132313130333833325a304a31133011060a0992268993f22c6401191603676f7631183016060a09<br>
EAP-Message = 0x92268993f22c640119160863<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb08c3486c6b10255917bdeca99<br>Finished request 1.<br>Going to the next request<br>Waking up in 4.6 seconds.<br>
rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=236, length=229<br> Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br>
Service-Type = Framed-User<br> NAS-Port = 25<br> NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br>
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br> State = 0x8d379fb08c3486c6b10255917bdeca99<br> EAP-Message = 0x020300061900<br> Message-Authenticator = 0x9883ed0aaa11a28c464901ada6337fdb<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 3 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake fragment handler<br>[peap] eaptls_verify returned 1 <br>
[peap] eaptls_process returned 13 <br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 236 to 10.39.0.31 port 8021<br> EAP-Message = 0x010403e9190069747968616c6c31193017060355040313104369747968616c6c20726f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d135657ca57b1d317762f095fb46ffc5dd19e111a22f9de73622decfd2fc1682ba69f6d2d30a8b2cc4d3ca04b7eda61a4e5e45da02ae2a85bbf1b5c18a328e9d61f115bc16cdd048cf888aec1233d76dfb873a64df7bd89847c891deb710119f15e460b43a38cb7521d83925eff7ba75d9ab0c5b25d9de4db2164d118c573ddf378b794c1d53d97e0de48afb074103a6370d673cfc9f3ec5399fce8bb43072d9cf06dea65a5579cfbb0a2e7c39624836396a90f2<br>
EAP-Message = 0x9c08ce5273a8637ab8c90607392b530c4dfad4834a29e84c74aaa6affee215dc483ac3adc07f0e5d696dd38dce89cc46a45dbd981a9ebdb8439bd277f14b58d230eb97057a27134018bc54c70203010001a382017a30820176301306092b060104018237140204061e0400430041300b0603551d0f040403020146300f0603551d130101ff040530030101ff301d0603551d0e04160414b593101da731658da59dca69f6caf9fd70389f0d3082010e0603551d1f04820105308201013081fea081fba081f88681b86c6461703a2f2f2f434e3d4369747968616c6c253230726f6f7425323043412c434e3d6264632c434e3d4344502c434e3d5075626c<br>
EAP-Message = 0x69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6369747968616c6c2c44433d676f763f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6264632e6369747968616c6c2e676f762f43657274456e726f6c6c2f4369747968616c6c253230726f6f7425323043412e63726c301006092b06010401823715010403020100300d06092a864886f70d01010505000382010100290eb63146fa57bc17e2ad53cc23cfddbd401bec6e9dbd<br>
EAP-Message = 0x9830c126145da35ba20446567798f7448a1c2e246f96b92945059fd26a169768a3018e5862ce5f532680c81c19bf3ef62f054bb59140162dc340ac5bfc9e5ec8dd753f4fb85d63515d3318b5dcde064322d5ef1d188405905fcb036c3e0e1d0781fa3b359b0dbc033d788147b15e8cd8cb2112fdb01fe4fa13fe5e1adeae0fb16bd07d1757d562cd313c6c7ffbaa6b27e05e443e191ad9ee9ca78dbcfc1d64c5c5b254abbf680eb0afd3ac15d110277e9bc268324b9602a3a90ddf24d032daa1fd4a29838bfbf748533ae570380ff88bd7aa0e82dc3b5317208d880ec71d3b1d5080e624ac882c737616030100040e000000<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb08f3386c6b10255917bdeca99<br>Finished request 2.<br>Going to the next request<br>Waking up in 4.2 seconds.<br>rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=237, length=415<br>
Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br> Service-Type = Framed-User<br> NAS-Port = 25<br>
NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>
State = 0x8d379fb08f3386c6b10255917bdeca99<br> EAP-Message = 0x020400c01980000000b61603010086100000820080236bdcc292f96b0adae8ef253c3cb67e3f890dfb46400795d06b8dfbeb45c6e0dc5b17ea6fec5e0d05d30b85beeba725430d3afc5b51eb415097ceeb3f2a6fde3338447dd7e798dc5cb6fbb1decb68aa8aa3d12eaf7737c16db714e482e1041769e3a101bd6493095f54b534b42c23a3f71f9ed5dfc7f0b1bf014154c2f38fd814030100010116030100206bf24afa2fcbee2b43b902dc86cc3ac4a01c7e898133f4acd87c2eba5aa4b9f8<br>
Message-Authenticator = 0xb247a94690e297dde906468db367fbb8<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 4 length 192<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>
Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 182<br>[peap] Length Included<br>
[peap] eaptls_verify returned 11 <br>[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange <br>[peap] TLS_accept: SSLv3 read client key exchange A <br>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] <br>
[peap] <<< TLS 1.0 Handshake [length 0010], Finished <br>[peap] TLS_accept: SSLv3 read finished A <br>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] <br>[peap] TLS_accept: SSLv3 write change cipher spec A <br>
[peap] >>> TLS 1.0 Handshake [length 0010], Finished <br>[peap] TLS_accept: SSLv3 write finished A <br>[peap] TLS_accept: SSLv3 flush data <br>[peap] (other): SSL negotiation finished successfully <br>
SSL Connection Established <br>[peap] eaptls_process returned 13 <br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 237 to 10.39.0.31 port 8021<br> EAP-Message = 0x01050031190014030100010116030100209a715dd6ad5982ce3989d9ae57c213029d6e204b1ed737b033ed07a84aaff445<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb08e3286c6b10255917bdeca99<br>Finished request 3.<br>Going to the next request<br>Waking up in 3.9 seconds.<br>rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=238, length=229<br>
Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br> Service-Type = Framed-User<br> NAS-Port = 25<br>
NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>
State = 0x8d379fb08e3286c6b10255917bdeca99<br> EAP-Message = 0x020500061900<br> Message-Authenticator = 0x517d7879c30312c2bfb56144c18ab9c4<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 5 length 6<br>
[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>
[peap] Received TLS ACK<br>[peap] ACK handshake is finished<br>[peap] eaptls_verify returned 3 <br>[peap] eaptls_process returned 3 <br>[peap] EAPTLS_SUCCESS<br>++[eap] returns handled<br>Sending Access-Challenge of id 238 to 10.39.0.31 port 8021<br>
EAP-Message = 0x01060020190017030100157002069875e353f5077b12fa9c7f4e4f6b94a82296<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb0893186c6b10255917bdeca99<br>Finished request 4.<br>
Going to the next request<br>Waking up in 3.5 seconds.<br>rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=239, length=273<br> Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br>
User-Name = "CITYHALL\\Администратор"<br> Service-Type = Framed-User<br> NAS-Port = 25<br> NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br>
Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br> State = 0x8d379fb0893186c6b10255917bdeca99<br> EAP-Message = 0x0206003219001703010027a6784f0a6407aa8060b50026ac58d5f4dc07b743cf774080b0e4de533093eda7d924b25de04dec<br>
Message-Authenticator = 0xda9123f296bc3c3a0d63639b2a7fbc55<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 6 length 50<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>
Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>
[peap] Done initial handshake<br>[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Identity - CITYHALL\Администратор<br>[peap] Got tunneled request<br>
EAP-Message = 0x0206001b014349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br>server {<br> PEAP: Got tunneled identity of CITYHALL\Администратор<br> PEAP: Setting default EAP type for tunneled EAP session.<br> PEAP: Setting User-Name to CITYHALL\Администратор<br>
Sending tunneled request<br> EAP-Message = 0x0206001b014349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "CITYHALL\\\300\344\354\350\355\350\361\362\360\340\362\356\360"<br>
Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> Service-Type = Framed-User<br> NAS-Port = 25<br> NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br>
Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>server inner-tunnel {<br>+- entering group authorize {...}<br>
++[chap] returns noop<br>++[mschap] returns noop<br>++[unix] returns notfound<br>[ntdomain] Looking up realm "CITYHALL" for User-Name = "CITYHALL\Администратор"<br>[ntdomain] Found realm "CITYHALL"<br>
[ntdomain] Adding Stripped-User-Name = "Администратор"<br>[ntdomain] Adding Realm = "CITYHALL"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 6 length 27<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>++[eap] returns handled<br>} # server inner-tunnel<br>
[peap] Got tunneled reply code 11<br> EAP-Message = 0x010700301a0107002b107b7305ea3d639e01377b94165b681bd34349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x8fe5640c8fe27eb8d28b73f97bdd495d<br>[peap] Got tunneled reply RADIUS code 11<br> EAP-Message = 0x010700301a0107002b107b7305ea3d639e01377b94165b681bd34349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x8fe5640c8fe27eb8d28b73f97bdd495d<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 239 to 10.39.0.31 port 8021<br> EAP-Message = 0x010700471900170301003c9fab18041f649ec70fd959e26c8c64c5352072aba84b45fb915c0a3d15285cbed97e2138bbad857f7ebcec0e5343c9bd53f6b23d65442972e3d2eeb7<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb0883086c6b10255917bdeca99<br>Finished request 5.<br>Going to the next request<br>Waking up in 3.3 seconds.<br>rad_recv: Access-Request packet from host 10.39.0.31 port 8021, id=240, length=327<br>
Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br> NAS-Identifier = "D-Link"<br> User-Name = "CITYHALL\\Администратор"<br> Service-Type = Framed-User<br> NAS-Port = 25<br>
NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br> Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>
State = 0x8d379fb0883086c6b10255917bdeca99<br> EAP-Message = 0x020700681900170301005da909dcf8173126b7ea1d4e916dac8852c048e706f0d1daa8fd70db91b9cd6b46caf88e50e4d91c0769209604f568bb6dbb9febdf9c5e58b04f90e7535b61a0b6c7d31d323dcab7b42425688402b194a0d3885662b5f11dea9b78dac3d2<br>
Message-Authenticator = 0x708d7f3eb810cc33c716ca7794e3a122<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[eap] EAP packet type response id 7 length 104<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>
Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>
[peap] Done initial handshake<br>[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br> EAP-Message = 0x020700511a0207004c3186d476f9cd2a50a117453e30b8c0a9ee00000000000000003fa59f14170c3c64156be08dce431349620d99bc9f74cb79004349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br>
server {<br> PEAP: Setting User-Name to CITYHALL\Администратор<br>Sending tunneled request<br> EAP-Message = 0x020700511a0207004c3186d476f9cd2a50a117453e30b8c0a9ee00000000000000003fa59f14170c3c64156be08dce431349620d99bc9f74cb79004349545948414c4c5cc0e4ece8ede8f1f2f0e0f2eef0<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "CITYHALL\\\300\344\354\350\355\350\361\362\360\340\362\356\360"<br> State = 0x8fe5640c8fe27eb8d28b73f97bdd495d<br> Framed-MTU = 1466<br> NAS-IP-Address = 10.39.0.31<br>
NAS-Identifier = "D-Link"<br> Service-Type = Framed-User<br> NAS-Port = 25<br> NAS-Port-Type = Ethernet<br> NAS-Port-Id = "ether25_385"<br> Called-Station-Id = "00-15-e9-89-df-33"<br>
Calling-Station-Id = "90-e6-ba-19-a6-b4"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>server inner-tunnel {<br>+- entering group authorize {...}<br>++[chap] returns noop<br>++[mschap] returns noop<br>
++[unix] returns notfound<br>[ntdomain] Looking up realm "CITYHALL" for User-Name = "CITYHALL\Администратор"<br>[ntdomain] Found realm "CITYHALL"<br>[ntdomain] Adding Stripped-User-Name = "Администратор"<br>
[ntdomain] Adding Realm = "CITYHALL"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 7 length 81<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[mschapv2] +- entering group MS-CHAP {...}<br>
[mschap] Told to do MS-CHAPv2 for Администратор with NT-Password<br>[mschap] expand: --username=%{mschap:User-Name} -> --username=Администратор<br>[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=CITYHALL<br>
[mschap] mschap2: 7b<br>[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86c94cfffd3f36fa<br>[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3fa59f14170c3c64156be08dce431349620d99bc9f74cb79<br>
Exec-Program output: Invalid parameter (0xc000000d) <br>Exec-Program-Wait: plaintext: Invalid parameter (0xc000000d) <br>Exec-Program: returned: 1<br>[mschap] External script failed.<br>[mschap] FAILED: MS-CHAP2-Response is incorrect<br>
++[mschap] returns reject<br>[eap] Freeing handler<br>++[eap] returns reject<br>Failed to authenticate the user.<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 3<br> MS-CHAP-Error = "\007E=691 R=1"<br>
EAP-Message = 0x04070004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>[peap] Got tunneled reply RADIUS code 3<br> MS-CHAP-Error = "\007E=691 R=1"<br> EAP-Message = 0x04070004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>[peap] Tunneled authentication was rejected.<br>[peap] FAILURE<br>++[eap] returns handled<br>Sending Access-Challenge of id 240 to 10.39.0.31 port 8021<br>
EAP-Message = 0x010800261900170301001b1bde4546a9bbb84b9d5584803374118b54f1de192a880f8b560f02<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8d379fb08b3f86c6b10255917bdeca99<br>Finished request 6.<br>
<br>...<br><br>The ntlm_auth string in mschap module has the following format:<br>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name}<br> --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}<br>
--nt-response=%{mschap:NT-Response:-00}"<br><br>ntlm_auth succeeds in authentication if I use it separately.<br><br>What's wrong with that "invalid parameter"? How do I trace it?<br><br>