<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
No there are no other lines before that one. <br>
<br>
I cannot update, because univention ucs2.4 is based on lenny and FR
2.2 depends on newer packets from squeeze. Already tried that.<br>
<br>
well radlogin worked even when unix in default was active. But after
i #-ed everything with unix i could login. After the login there
comes the information for accepting the certificate. <br>
But after a klick for accepting there comes the loginscreen another
time. <br>
<br>
output from -X: <br>
<small><small>rad_recv: Access-Request packet from host 10.119.12.2
port 1332, id=74, length=197<br>
Message-Authenticator = 0xb8f705a6d721830c471b297ff86bc1da<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message = 0x02000014016e6164696e652e626f737368617264<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 0 length 20<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
rlm_ldap: - authorize<br>
rlm_ldap: performing user authorization for nadine.bosshard<br>
WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details<br>
expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
->
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: attempting LDAP reconnection<br>
rlm_ldap: (re)connect to localhost:389, authentication 0<br>
rlm_ldap: starting TLS<br>
rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to
localhost:389<br>
rlm_ldap: waiting for bind result ...<br>
rlm_ldap: Bind was successful<br>
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
rlm_ldap: checking if remote access for nadine.bosshard is
allowed by uid<br>
rlm_ldap: No default NMAS login sequence<br>
rlm_ldap: looking for check items in directory...<br>
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password ==
"{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"<br>
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute
NT-Password ==
0x4431393433313746304145303337384139434535423745394230313835334233<br>
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute
LM-Password ==
0x3944443632393938313730333033343036463342414634373331353033384646<br>
rlm_ldap: looking for reply items in directory...<br>
rlm_ldap: user nadine.bosshard authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
rlm_pap: Normalizing NT-Password from hex encoding<br>
rlm_pap: Normalizing LM-Password from hex encoding<br>
rlm_pap: Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: EAP Identity<br>
rlm_eap: processing type md5<br>
rlm_eap_md5: Issuing Challenge<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 74 to 10.119.12.2 port 1332<br>
EAP-Message = 0x010100160410ce5ed62bba0b994eed20635dd85199a8<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654516b5618cb11aad47c413c7ca<br>
Finished request 0.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=75, length=201<br>
Message-Authenticator = 0x4ba48fcb53c68cc0e385d0d12cfad5fc<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654516b5618cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message = 0x020100060319<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 1 length 6<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
rlm_ldap: - authorize<br>
rlm_ldap: performing user authorization for nadine.bosshard<br>
WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details<br>
expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
->
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
rlm_ldap: checking if remote access for nadine.bosshard is
allowed by uid<br>
rlm_ldap: No default NMAS login sequence<br>
rlm_ldap: looking for check items in directory...<br>
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password ==
"{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"<br>
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute
NT-Password ==
0x4431393433313746304145303337384139434535423745394230313835334233<br>
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute
LM-Password ==
0x3944443632393938313730333033343036463342414634373331353033384646<br>
rlm_ldap: looking for reply items in directory...<br>
rlm_ldap: user nadine.bosshard authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
rlm_pap: Normalizing NT-Password from hex encoding<br>
rlm_pap: Normalizing LM-Password from hex encoding<br>
rlm_pap: Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP NAK<br>
rlm_eap: EAP-NAK asked for EAP-Type/peap<br>
rlm_eap: processing type tls<br>
rlm_eap_tls: Initiate<br>
rlm_eap_tls: Start returned 1<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 75 to 10.119.12.2 port 1332<br>
EAP-Message = 0x010200061920<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654517b67c8cb11aad47c413c7ca<br>
Finished request 1.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=76, length=323<br>
Message-Authenticator = 0x32ce24190f3bd9a7fe8b5bfcba1fc4dc<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654517b67c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message =
0x0202008019800000007616030100710100006d0301504f2f339bf42035c99689e4b9f5f239952eeccfc90cde3694f18e32a18a204e00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 2 length 128<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
TLS Length 118<br>
rlm_eap_tls: Length Included<br>
eaptls_verify returned 11 <br>
(other): before/accept initialization <br>
TLS_accept: before/accept initialization <br>
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0071],
ClientHello <br>
TLS_accept: SSLv3 read client hello A <br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051],
ServerHello <br>
TLS_accept: SSLv3 write server hello A <br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ac9],
Certificate <br>
TLS_accept: SSLv3 write certificate A <br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone <br>
TLS_accept: SSLv3 write server done A <br>
TLS_accept: SSLv3 flush data <br>
TLS_accept: Need to read more data: SSLv3 read client
certificate A<br>
In SSL Handshake Phase <br>
In SSL Accept mode <br>
eaptls_process returned 13 <br>
rlm_eap_peap: EAPTLS_HANDLED<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 76 to 10.119.12.2 port 1332<br>
EAP-Message =
0x0103040019c000000b2d16030100510200004d0301504f2f34362fc1262c3b636e2050c8649ca8051cd6e96e77afeacceb0b82f6b020d64590097eda15b621fa50f97c6ff690cbe70000754bfce0db0efd7bb2f58af5002f000005ff010001001603010ac90b000ac5000ac20004c5308204c1308203a9a003020102020101300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b301906035504<br>
EAP-Message =
0x0b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081c1310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b13125443532053657276<br>
EAP-Message =
0x6963652043656e746572311e301c060355040313157372746373766f30342e746373766f2e6c6f63616c311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30819f300d06092a864886f70d010101050003818d0030818902818100aa068e1696137a6013728212da97bde84338a84c01434740dd7c3d76e9ac208d33efef6cf5b19436e09f71aae9517ec9a79ab6386ac2cee886c4b82e306ab065799071439537013af6f32fcf103e563341e5ec03837fefb32cab3a80e085624a722dca77fb2d0881e2912d078a404708506df80f9fa5459a3846c41b3a1be8410203010001a38201363082013230090603551d130402<br>
EAP-Message =
0x3000301d0603551d0e04160414d60b8a292f824ee8593ead12079908a996fa25ce308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f742043<br>
EAP-Message = 0x41311e301c06092a864886f7<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654514b77c8cb11aad47c413c7ca<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=77, length=201<br>
Message-Authenticator = 0xc5cd91f31beec31485c1a018cca1a538<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654514b77c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message = 0x020300061900<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 3 length 6<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
rlm_eap_tls: Received EAP-TLS ACK message<br>
rlm_eap_tls: ack handshake fragment handler<br>
eaptls_verify returned 1 <br>
eaptls_process returned 13 <br>
rlm_eap_peap: EAPTLS_HANDLED<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 77 to 10.119.12.2 port 1332<br>
EAP-Message =
0x010403fc19400d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300d06092a864886f70d0101050500038201010070b8aa764d29097af2190422c618f6c5a4753df81c1ff392cb1b379de862bd338b414b5fdcdc7b8ed053df5224ec2e4e85babe4adac4a490fd663627c211c837819ae267f4d9125d19e04fc82ac089a9ab9c3a7f01be2f54ff64381d8f233dd0f4e1070221a6d9751e3f5c5f4a4d3a81c2784377ac37056e3472e64770818f741f39659163dfb5b72e44cba594acb1fc8549bbd3ca2a42eed1741fedd1fd784f88270182168861461bf8e395f33544d1d6950ccb5bd39bf31e06c7a95e3134dba44f7a<br>
EAP-Message =
0x00f72b04cb086681c2fca1497fd8842e6453e9c305971535d8ec031581b1a37c97199ed6295c692c91515b121b459421b4d320429da9eebf9fa46692560005f7308205f3308204dba003020102020900de6d547bd0d02bb7300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74<br>
EAP-Message =
0x696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f7261<br>
EAP-Message =
0x74652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb23aad5b224b6451b2b71d383a8fdab7fc47c1d3c01a4cbbc495530c121edf8e00206507e5c357930f32483539f43f3f4523fbc6f180225477898f1e28d89627ebeda8a0f33264ba5431b43403033b32b662913717a2ced71906fb24c710dcd2b51494c2f9f9a4cdbe655248673c6d520d3012350b8cc999d7e319bd0dc15bd28696d03c06adea3e7e45d506f342f54428c9914664b30110c85771b9b6b6d4709ba70075d85c4a96860b4<br>
EAP-Message = 0xcbfcc9fde3fc1e69<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654515b07c8cb11aad47c413c7ca<br>
Finished request 3.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=78, length=201<br>
Message-Authenticator = 0xe1657a312df473007ae4e66e5386abba<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654515b07c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message = 0x020400061900<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 4 length 6<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
rlm_eap_tls: Received EAP-TLS ACK message<br>
rlm_eap_tls: ack handshake fragment handler<br>
eaptls_verify returned 1 <br>
eaptls_process returned 13 <br>
rlm_eap_peap: EAPTLS_HANDLED<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 78 to 10.119.12.2 port 1332<br>
EAP-Message =
0x0105034719006c0ac5bff0ac06e64f339336a607f02d6f89c67c8db227cf7d6dd61df083dc348a6b83d9f5a6b83186380ef5fd3ea29a95649910de04d80494fae634bd6ea242623c8a520c996d77b9e43ceaa10203010001a38201ce308201ca300f0603551d130101ff040530030101ff301d0603551d0e041604141894cd73cc0286f2e6b0ab65777f605667044a3c308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355<br>
EAP-Message =
0x040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300b0603551d0f040403020106301106096086480186f8420101040403020007301a0603551d1104133011810f73736c40746373766f2e6c6f63616c301a0603551d1204133011810f73736c40746373766f2e6c6f63616c303806096086480186f8<br>
EAP-Message =
0x42010d042b162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465300d06092a864886f70d01010505000382010100620c56161414e3959e61866f66eb546cd7bf45398138cfb59e89c222e518454951c9fb0bb3dee9a950d577e4d48ac79dcada6a52b9abee23756bf3af3132425af8367294e2766d119ddfa86ebf64be0ad752149a9b42762f94ddbbc9a85f338c53a9252175dea564dc6c74bcf9bfb60c63f4580e463c2c21cb0048b08f8e6a93026de80f60191ec1fe5a07074161986f7f18eb4b5e2e93b1e1b084ceed5193a264aaa275353c7d1bc13b2dce45a799727b68aa79a39073263d<br>
EAP-Message =
0xb65a905d7bab8419a963ea7f069d0c618070bb107ffd9c291baf3f3908a4fbbf9a8ca172e1f39301934bdf17939a65b9c794b7162169b2c5bceb6aaf48fa715a584c6eea1e0dd916030100040e000000<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654512b17c8cb11aad47c413c7ca<br>
Finished request 4.<br>
Going to the next request<br>
Waking up in 4.8 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=79, length=403<br>
Message-Authenticator = 0xf76ea41848db75155a999de19b0b8ab8<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654512b17c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message =
0x020500d01980000000c61603010086100000820080a9fa249e85b6565a5675f299fd98e7f2db6767a944b7691b5b42e738a2034e254510fa33eaa56734c708cf596d81b193ea6a1947769cb63f83fac6c2d71dd434985b3a115e8a90a68349d2dd7cca49d3cec3f32fa190b21111949bf1829bfe7dbe5bd1ac6a1c37544a1b04d81ad98f89e0806aeb827a955deefc1bdf0b60e82e1403010001011603010030341c5ed324da181fd43d39d7ed41f23724e32cb3e2e55a57da946c5691257bb74199385181f308e2e6450489745d04c9<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 5 length 208<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
TLS Length 198<br>
rlm_eap_tls: Length Included<br>
eaptls_verify returned 11 <br>
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086],
ClientKeyExchange <br>
TLS_accept: SSLv3 read client key exchange A <br>
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length
0001] <br>
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010],
Finished <br>
TLS_accept: SSLv3 read finished A <br>
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length
0001] <br>
TLS_accept: SSLv3 write change cipher spec A <br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010],
Finished <br>
TLS_accept: SSLv3 write finished A <br>
TLS_accept: SSLv3 flush data <br>
(other): SSL negotiation finished successfully <br>
SSL Connection Established <br>
eaptls_process returned 13 <br>
rlm_eap_peap: EAPTLS_HANDLED<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 79 to 10.119.12.2 port 1332<br>
EAP-Message =
0x0106004119001403010001011603010030b213aaedf5b207d7f89aa93d1379c29e85c4c32f1927ca9318dcd335398921d3014d7ef185c94ecc6167c183f3178c37<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654513b27c8cb11aad47c413c7ca<br>
Finished request 5.<br>
Going to the next request<br>
Waking up in 4.8 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=80, length=201<br>
Message-Authenticator = 0xa7658f5b5828f25d72267be5a62ee3d9<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654513b27c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message = 0x020600061900<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 6 length 6<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
rlm_eap_tls: Received EAP-TLS ACK message<br>
rlm_eap_tls: ack handshake is finished<br>
eaptls_verify returned 3 <br>
eaptls_process returned 3 <br>
rlm_eap_peap: EAPTLS_SUCCESS<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 80 to 10.119.12.2 port 1332<br>
EAP-Message =
0x0107002b1900170301002076cff579edcc27200d5c7a2da8010742e440dcfec3cbf4a4586062522b8feee8<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654510b37c8cb11aad47c413c7ca<br>
Finished request 6.<br>
Going to the next request<br>
Waking up in 1.2 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=81, length=254<br>
Message-Authenticator = 0xe19f6b601971918ae28622d4e1023915<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654510b37c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message =
0x0207003b19001703010030a363428512dd817485942d2771ad4bc57cfd522bbca80127738d56ba90b901fdc460d220b30b1e326ed6ef5392338784<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 7 length 59<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
eaptls_verify returned 7 <br>
rlm_eap_tls: Done initial handshake<br>
eaptls_process returned 7 <br>
rlm_eap_peap: EAPTLS_OK<br>
rlm_eap_peap: Session established. Decoding tunneled
attributes.<br>
rlm_eap_peap: Identity - nadine.bosshard<br>
PEAP: Got tunneled EAP-Message<br>
EAP-Message = 0x02070014016e6164696e652e626f737368617264<br>
PEAP: Got tunneled identity of nadine.bosshard<br>
PEAP: Setting default EAP type for tunneled EAP session.<br>
PEAP: Setting User-Name to nadine.bosshard<br>
PEAP: Sending tunneled request<br>
EAP-Message = 0x02070014016e6164696e652e626f737368617264<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br>
User-Name = "nadine.bosshard"<br>
server inner-tunnel {<br>
+- entering group authorize<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
++[control] returns noop<br>
rlm_eap: Request is supposed to be proxied to Realm LOCAL.
Not doing EAP.<br>
++[eap] returns noop<br>
++[files] returns noop<br>
rlm_ldap: - authorize<br>
rlm_ldap: performing user authorization for nadine.bosshard<br>
WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details<br>
expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
->
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))<br>
rlm_ldap: checking if remote access for nadine.bosshard is
allowed by uid<br>
rlm_ldap: No default NMAS login sequence<br>
rlm_ldap: looking for check items in directory...<br>
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password ==
"{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"<br>
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute
NT-Password ==
0x4431393433313746304145303337384139434535423745394230313835334233<br>
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute
LM-Password ==
0x3944443632393938313730333033343036463342414634373331353033384646<br>
rlm_ldap: looking for reply items in directory...<br>
rlm_ldap: user nadine.bosshard authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
rlm_pap: Normalizing NT-Password from hex encoding<br>
rlm_pap: Normalizing LM-Password from hex encoding<br>
rlm_pap: No clear-text password in the request. Not performing
PAP.<br>
++[pap] returns noop<br>
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does
not exist! Cancelling invalid proxy request.<br>
auth: type Local<br>
auth: No User-Password or CHAP-Password attribute in the request<br>
auth: Failed to validate the user.<br>
Login incorrect: [nadine.bosshard/<no User-Password
attribute>] (from client aptcsvo02 port 0 via TLS tunnel)<br>
} # server inner-tunnel<br>
PEAP: Got tunneled reply RADIUS code 3<br>
PEAP: Processing from tunneled session code 0x15a7cd0 3<br>
PEAP: Tunneled authentication was rejected.<br>
rlm_eap_peap: FAILURE<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 81 to 10.119.12.2 port 1332<br>
EAP-Message =
0x0108002b19001703010020fd01c27653428a0b4c1b91a8c8a72745376f00967edad64c2942c892ce583c95<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x16b4654511bc7c8cb11aad47c413c7ca<br>
Finished request 7.<br>
Going to the next request<br>
Waking up in 1.2 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=82, length=238<br>
Message-Authenticator = 0xf77a7553970336997c53b0f4dd243710<br>
Service-Type = Framed-User<br>
User-Name = "nadine.bosshard"<br>
Framed-MTU = 1488<br>
State = 0x16b4654511bc7c8cb11aad47c413c7ca<br>
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"<br>
Calling-Station-Id = "9803D861E85C"<br>
NAS-Identifier = "aptcsvo02"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 54Mbps 802.11g"<br>
EAP-Message =
0x0208002b1900170301002025cb1272fcd8494d630037f0c267cf2b860f7edfeeb4b730993de53c79e20735<br>
NAS-IP-Address = 10.119.12.2<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking
up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: EAP packet type response id 8 length 43<br>
rlm_eap: Continuing tunnel setup.<br>
++[eap] returns ok<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/peap<br>
rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br>
rlm_eap_tls: processing TLS<br>
eaptls_verify returned 7 <br>
rlm_eap_tls: Done initial handshake<br>
eaptls_process returned 7 <br>
rlm_eap_peap: EAPTLS_OK<br>
rlm_eap_peap: Session established. Decoding tunneled
attributes.<br>
rlm_eap_peap: Received EAP-TLV response.<br>
rlm_eap_peap: Had sent TLV failure. User was rejected
earlier in this session.<br>
rlm_eap: Handler failed in EAP/peap<br>
rlm_eap: Failed in EAP select<br>
++[eap] returns invalid<br>
auth: Failed to validate the user.<br>
Login incorrect: [nadine.bosshard/<via Auth-Type = EAP>]
(from client aptcsvo02 port 1 cli 9803D861E85C)<br>
Found Post-Auth-Type Reject<br>
+- entering group REJECT<br>
expand: %{User-Name} -> nadine.bosshard<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 8 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
rad_recv: Access-Request packet from host 10.119.12.2 port 1332,
id=82, length=238<br>
Waiting to send Access-Reject to client aptcsvo02 port 1332 -
ID: 82<br>
Sending delayed reject for request 8<br>
Sending Access-Reject of id 82 to 10.119.12.2 port 1332<br>
EAP-Message = 0x04080004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Waking up in 0.1 seconds.<br>
Cleaning up request 0 ID 74 with timestamp +313<br>
Cleaning up request 1 ID 75 with timestamp +313<br>
Cleaning up request 2 ID 76 with timestamp +313<br>
Cleaning up request 3 ID 77 with timestamp +313<br>
Cleaning up request 4 ID 78 with timestamp +313<br>
Cleaning up request 5 ID 79 with timestamp +313<br>
Waking up in 3.6 seconds.<br>
Cleaning up request 6 ID 80 with timestamp +317<br>
Cleaning up request 7 ID 81 with timestamp +317<br>
Waking up in 1.0 seconds.<br>
Cleaning up request 8 ID 82 with timestamp +317<br>
Ready to process requests.</small></small><br>
<br>
Thanks for the help. <br>
<br>
<br>
<br>
Am 09/11/2012 11:06 AM, schrieb Fajar A. Nugraha:
<blockquote
cite="mid:CAG1y0sfOCnzvfmh7c87JrWBahdGtjzG7Tp8h5A0khgv5ezHqPg@mail.gmail.com"
type="cite">
<pre wrap="">On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic
<a class="moz-txt-link-rfc2396E" href="mailto:mihajlo.joksimovic@adfinis-sygroup.ch"><mihajlo.joksimovic@adfinis-sygroup.ch></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">IPhone test:
rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21,
length=197
Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
Service-Type = Framed-User
User-Name = "nadine.bosshard"
Framed-MTU = 1488
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
Calling-Station-Id = "9803D861E85C"
NAS-Identifier = "aptcsvo02"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000014016e6164696e652e626f737368617264
NAS-IP-Address = 10.119.12.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
</pre>
</blockquote>
<pre wrap="">
There should be other lines before that. Like the ones that says it's
using inner-tunnel?
</pre>
<blockquote type="cite">
<pre wrap="">rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
</pre>
</blockquote>
<pre wrap="">
Did you read that line? You have "unix" in authorize section of inner
tunnel. And user nadine.bosshard is not allowed to login to the system
(invalid shell). FR does the right thing. Comment-out that line in
inner tunnel.
Your radlogin test succeed because you don't have "unix" in authorize
section of default virtual server.
See how important complete debug logs are?
... and seriously, upgrade. There are many known bugs fixed since
2.0.x. And if you can edit the configuration freely by hand, you
should be able to upgrade.
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer
Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33</pre>
</body>
</html>