Hello,<div><br></div><div>I'm having some trouble with my setup and I am not sure where things have gone wrong. I don't think there is anything from with the freeradius server or the switch setup.</div><div><br></div>
<div>My goal is to get computer authentication working, and from what I understand from this post it should just work with the default setup with only two modifications:</div><div><br></div><div>See the post from Phil Mayers</div>
<div><br></div><div><a href="http://freeradius.1045715.n5.nabble.com/PEAP-with-Machine-auth-td4939666.html">http://freeradius.1045715.n5.nabble.com/PEAP-with-Machine-auth-td4939666.html</a></div><div><br></div><div><br></div>
<div><br></div><div>Here is my debug log:</div><div><br></div><div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=236, length=158</div><div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div>
<div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x0201000f01686f73742f44414e3031</div>
<div> Message-Authenticator = 0xd542a2a3a3407e6908953cd7dca08817</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div>
NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div>
<div>[eap] EAP packet type response id 1 length 15</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns updated</div><div>++[files] returns noop</div><div>++[expiration] returns noop</div>
<div>++[logintime] returns noop</div><div>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div><div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] EAP Identity</div><div>[eap] processing type md5</div><div>rlm_eap_md5: Issuing Challenge</div>
<div>++[eap] returns handled</div><div>Sending Access-Challenge of id 236 to 10.11.200.73 port 1645</div><div> EAP-Message = 0x010200160410dda0857597b1b9c5d2114f6c83f2606d</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> State = 0x01794096017b44e4c1b393ed153b7774</div><div>Finished request 0.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=237, length=167</div>
<div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div>
<div> EAP-Message = 0x020200060319</div><div> Message-Authenticator = 0x36c72a6e152d0376c4c2e898ed25103b</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div>
<div> State = 0x01794096017b44e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 2 length 6</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>
++[eap] returns updated</div><div>++[files] returns noop</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div>
<div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div>
<div>[eap] EAP NAK</div><div>[eap] EAP-NAK asked for EAP-Type/peap</div><div>[eap] processing type tls</div><div>[tls] Initiate</div><div>[tls] Start returned 1</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 237 to 10.11.200.73 port 1645</div>
<div> EAP-Message = 0x010300061920</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x01794096007a59e4c1b393ed153b7774</div><div>Finished request 1.</div><div>Going to the next request</div>
<div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=238, length=266</div><div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div>
<div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x0203006919800000005f160301005a01000056030150c2020ad42f8473aaa4763bfe5559b68809e4731258d02a19bd5a83025e02fc000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100</div>
<div> Message-Authenticator = 0x0a4d04f9f52dbc7c000f26f2b9046e3d</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div>
State = 0x01794096007a59e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 3 length 105</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div> TLS Length 95</div><div>[peap] Length Included</div><div>[peap] eaptls_verify returned 11</div><div>[peap] (other): before/accept initialization</div><div>[peap] TLS_accept: before/accept initialization</div>
<div>[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello</div><div>[peap] TLS_accept: SSLv3 read client hello A</div><div>[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello</div><div>[peap] TLS_accept: SSLv3 write server hello A</div>
<div>[peap] >>> TLS 1.0 Handshake [length 085e], Certificate</div><div>[peap] TLS_accept: SSLv3 write certificate A</div><div>[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone</div><div>[peap] TLS_accept: SSLv3 write server done A</div>
<div>[peap] TLS_accept: SSLv3 flush data</div><div>[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A</div><div>In SSL Handshake Phase</div><div>In SSL Accept mode</div><div>[peap] eaptls_process returned 13</div>
<div>[peap] EAPTLS_HANDLED</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 238 to 10.11.200.73 port 1645</div><div> EAP-Message = 0x0104040019c0000008a216030100310200002d030150c1ad7788786b10acec0131f1a69bc414f87718bb71685367e6e6a53ec0a1e600002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175</div>
<div> EAP-Message = 0x74686f72697479301e170d3132313230363138333330375a170d3133303230343138333330375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100badff6cb7179506abce81b22c0c12ce92f128d1fc2ffd51b159010f8bd9aa0352e9eb68fa01ede9d61214a39d78d2972b5406699eae304</div>
<div> EAP-Message = 0xb40a74524471ec05582582a7aa9710aabd4a895773a02042e67db8e42572635efda35a45df5c9518a02c6a7e75a64051d60d436bfa62bfd6e5f88a8ebf3ba48c19e48a25c8662e19a29d92cb6317e067b7c6cb4f24976519a55c2681eb97f8d5974f8244dc50f641b03615ee14d5c8085664bff3c1be7247c1e4d98c9120319edfb4c167d0888140cbc768a81e8d1d016a0d093490a913578946ea9b21706066f1428370666364ed5f80919a0ca2d368daf1c85311c8375a27adb09e7d5bb7800c1bf66af0a86690470203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101004857</div>
<div> EAP-Message = 0xf861c78b2469007a3a0faeca30c4dd0c107a661f63e949e4ddfb4ffd28045199bd58e642837569ffa14e8521d161b0940802b3ad216b021a30c322814659bc1d6224205d65000c39c6edcea942e8c06965e1b9f6fb7f1654191940a392c2ef81a11d25fb73ce358bd6eadca1ef0e15f8572c232a04ec1629f0e727021ced7bd079d72cdb2d86bcc8ffdf334842f089ab15936eb7ba0cffcc0e9b37a37a216f0ed402d7200f210a7352cb339affdae7e5b6ba90f4108b22a3b1b713057809817b46cc6733fe03884dfb9f895552203bf1e1e403cf1f663a831936d41c25b9514f360416020b0fdb33a3b573396f3ae552c08799d85a40efb32cda9d1e60</div>
<div> EAP-Message = 0xa00004ab308204a73082038f</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x01794096037d59e4c1b393ed153b7774</div><div>Finished request 2.</div>
<div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=239, length=167</div><div> User-Name = "host/DAN01"</div><div>
Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x020400061900</div>
<div> Message-Authenticator = 0x57fa2f2fa8a12654c84ef47f24b9300c</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div>
State = 0x01794096037d59e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 4 length 6</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div>[peap] Received TLS ACK</div><div>[peap] ACK handshake fragment handler</div><div>[peap] eaptls_verify returned 1</div><div>[peap] eaptls_process returned 13</div><div>[peap] EAPTLS_HANDLED</div>
<div>++[eap] returns handled</div><div>Sending Access-Challenge of id 239 to 10.11.200.73 port 1645</div><div> EAP-Message = 0x010503fc1940a003020102020900a33fb10c1664a44e300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132313230363138333330375a170d3133303230343138333330375a308193310b3009060355040613024652310f300d0603550408130652616469757331</div>
<div> EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ba09abda0f9f2632773b404162045d145d1961f5d44cf7feafb38e5d352d7b7a47091b9156ef81be2c8d1ed9994cc2d88b530cdaa51bdc2d4f3132329fd958ffb5fe7f8a2a2d0c699ce8d434041d80898eb0a0ff623813aeb5d0f8e82dc094db92237c3b17987a19</div>
<div> EAP-Message = 0x5711bd563ba0d6f947104787918866aa0c6fdc717bef128d0038637d4fa15a0a8428f3ff47235404c78e050425cd6ea33ad80dc5fc7dda16a76d4f49d679ac0cdac557620d3c7fb5dd508889d75c014f2bab7281a6514e9ef8801b49b2b62d7346e381ef28280ba2654505b85c1cc63ecb7664dfd46e3e1561d87c24ee7bd2ffea5e3282b2c722ccafb1ffe460fa8612ae82267c3e1df60d0203010001a381fb3081f8301d0603551d0e041604149a8d8e6f296e96fcc7d303cccfeeae2052615f093081c80603551d230481c03081bd80149a8d8e6f296e96fcc7d303cccfeeae2052615f09a18199a48196308193310b300906035504061302465231</div>
<div> EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a33fb10c1664a44e300c0603551d13040530030101ff300d06092a864886f70d010105050003820101002a98ee33183e9c46aafd4385195180fff00f029253c1c1818934722dc09e3722378f93ecf6a21a98cf44c848e524a051bfa6c0d5b22b26088b06313e84de17bc22e7d9a3a87d466abd8ffc</div>
<div> EAP-Message = 0x1e707bf177e925d2</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x01794096027c59e4c1b393ed153b7774</div><div>Finished request 3.</div><div>
Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=240, length=167</div><div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div>
<div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x020500061900</div><div>
Message-Authenticator = 0xbb0a37ac80ac127d37623ac19d8cb7d7</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> State = 0x01794096027c59e4c1b393ed153b7774</div>
<div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div>
<div>[eap] EAP packet type response id 5 length 6</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div><div>[peap] processing EAP-TLS</div><div>[peap] Received TLS ACK</div>
<div>[peap] ACK handshake fragment handler</div><div>[peap] eaptls_verify returned 1</div><div>[peap] eaptls_process returned 13</div><div>[peap] EAPTLS_HANDLED</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 240 to 10.11.200.73 port 1645</div>
<div> EAP-Message = 0x010600bc1900c35695b88d735375e6daf6e9fd7517c11036a05a4e769075fda1f4931e91e5a98d20c5f13886c0502b7e5fadd8851996d4cf5f418695e9e485411c391758f37c7ee4a00cf3f5eeebec0deb2bbfdfbdcc9a7df103311f69d7e81dba31d00cc887f1c93b24bc2bd77affe2451277fb4df09d82bbe43269c1b591503e03c5f678db04a77d6a42e55816b412aedf69c2b379d07157c74d5efe0b1ff411a138624d54324d91438a42c0d71567a80f1316030100040e000000</div>
<div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x01794096057f59e4c1b393ed153b7774</div><div>Finished request 4.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div>
<div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=241, length=499</div><div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div>
<div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x02060150198000000146160301010610000102010052d9ea3856c176e5673da4cbe02a911e8f5fb543684e6ae8649d79c8e15d3a4fb6c1ed37d45ed785d3891bbdf1c3868cde05e75d91280f2c026c15f4e968ef6cdd4094a8a59e2ad1ceac5c53ce8af6084b98de2668567a254913920f266e0a7bca00f50db7c7c26552fe2b171b0287003ffea4ba84143cc567a4cb7748f46312957f4997aed1b64f62c21d03bb7139f79e44534c0158175a629a98f4b585f87330442382e4e51b6de60635494d4e66a3aabd88b4c8874f268cd5ec3e5f334b84b75e06fd0fbc3afaa27a6af9303ed65e2af56d02a8aeaceadcd48679055748fa722d14f6c4961534</div>
<div> EAP-Message = 0x5a1cade40955c92b534083c6292fd0bac23cb7bb5bb1d90f14030100010116030100307e72a5c4189bf36cac8747ffabc198bd4f5d400baf2bb5cb001a022908448a37cf7ddea27654ff7fc282934932a55ffa</div><div> Message-Authenticator = 0x11d9f6622d3f3949df452fd64e4e7a03</div>
<div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> State = 0x01794096057f59e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div>
<div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div>
<div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 6 length 253</div>
<div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>
[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div><div>[peap] processing EAP-TLS</div><div> TLS Length 326</div><div>[peap] Length Included</div><div>[peap] eaptls_verify returned 11</div>
<div>[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange</div><div>[peap] TLS_accept: SSLv3 read client key exchange A</div><div>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]</div><div>
[peap] <<< TLS 1.0 Handshake [length 0010], Finished</div><div>[peap] TLS_accept: SSLv3 read finished A</div><div>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]</div><div>[peap] TLS_accept: SSLv3 write change cipher spec A</div>
<div>[peap] >>> TLS 1.0 Handshake [length 0010], Finished</div><div>[peap] TLS_accept: SSLv3 write finished A</div><div>[peap] TLS_accept: SSLv3 flush data</div><div>[peap] (other): SSL negotiation finished successfully</div>
<div>SSL Connection Established</div><div>[peap] eaptls_process returned 13</div><div>[peap] EAPTLS_HANDLED</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 241 to 10.11.200.73 port 1645</div><div>
EAP-Message = 0x010700411900140301000101160301003088525279f0a666be9158b77193e0cb5d44491d1d577a8862254f5ef9f6dba07116b5e566e39572ba0e981cbd85b7bbc5</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> State = 0x01794096047e59e4c1b393ed153b7774</div><div>Finished request 5.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=242, length=167</div>
<div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div>
<div> EAP-Message = 0x020700061900</div><div> Message-Authenticator = 0x211323fa12841ee03e548aa79f457385</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div>
<div> State = 0x01794096047e59e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 7 length 6</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div>[peap] Received TLS ACK</div><div>[peap] ACK handshake is finished</div><div>[peap] eaptls_verify returned 3</div><div>[peap] eaptls_process returned 3</div><div>[peap] EAPTLS_SUCCESS</div>
<div>[peap] Session established. Decoding tunneled attributes.</div><div>[peap] Peap state TUNNEL ESTABLISHED</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 242 to 10.11.200.73 port 1645</div>
<div> EAP-Message = 0x0108002b19001703010020ac4efbfa7535f97705d24f884cbcff69c35d3995a8cf49f9f54b5839d5fbbc70</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x01794096077159e4c1b393ed153b7774</div>
<div>Finished request 6.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=243, length=204</div><div> User-Name = "host/DAN01"</div>
<div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div>
EAP-Message = 0x0208002b190017030100207a18e0fc66bc4e107ff7c3add2fd502f7c9de5a24918f020cd08237c80606225</div><div> Message-Authenticator = 0x58eb948731c85961f83971425c7f49d0</div><div> NAS-Port-Type = Ethernet</div>
<div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> State = 0x01794096077159e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 8 length 43</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div>[peap] eaptls_verify returned 7</div><div>[peap] Done initial handshake</div><div>[peap] eaptls_process returned 7</div><div>[peap] EAPTLS_OK</div><div>[peap] Session established. Decoding tunneled attributes.</div>
<div>[peap] Peap state WAITING FOR INNER IDENTITY</div><div>[peap] Identity - host/DAN01</div><div>[peap] Got inner identity 'host/DAN01'</div><div>[peap] Setting default EAP type for tunneled EAP session.</div><div>
[peap] Got tunneled request</div><div> EAP-Message = 0x0208000f01686f73742f44414e3031</div><div>server {</div><div>[peap] Setting User-Name to host/DAN01</div><div>Sending tunneled request</div><div> EAP-Message = 0x0208000f01686f73742f44414e3031</div>
<div> FreeRADIUS-Proxied-To = 127.0.0.1</div><div> User-Name = "host/DAN01"</div><div>server inner-tunnel {</div><div># Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel</div>
<div>+- entering group authorize {...}</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div><div>++[control] returns noop</div><div>[eap] EAP packet type response id 8 length 15</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns updated</div>
<div>++[files] returns noop</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/inner-tunnel</div>
<div>+- entering group authenticate {...}</div><div>[eap] EAP Identity</div><div>[eap] processing type mschapv2</div><div>rlm_eap_mschapv2: Issuing Challenge</div><div>++[eap] returns handled</div><div>} # server inner-tunnel</div>
<div>[peap] Got tunneled reply code 11</div><div> EAP-Message = 0x010900241a0109001f1030afe7e31b9243b22b1edc4da600654f686f73742f44414e3031</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> State = 0xf36f0859f36612161ae524fe7d89d60e</div><div>[peap] Got tunneled reply RADIUS code 11</div><div> EAP-Message = 0x010900241a0109001f1030afe7e31b9243b22b1edc4da600654f686f73742f44414e3031</div><div>
Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0xf36f0859f36612161ae524fe7d89d60e</div><div>[peap] Got tunneled Access-Challenge</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 243 to 10.11.200.73 port 1645</div>
<div> EAP-Message = 0x0109004b190017030100406378cb7289eb8c26ab103a27d7ddd562178502ee511763eb4dcdd2148b2e2828f04def0d118c5f79480070084a5d6d20db5e2d378185c951aefa1db0ed8373f8</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> State = 0x01794096067059e4c1b393ed153b7774</div><div>Finished request 7.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=244, length=268</div>
<div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div>
<div> EAP-Message = 0x0209006b190017030100602ba93efbbefd59197061b3c1cfe8a8c3ed52c8c3bb04d8407d3a8a194ff63d304de6151122e5f2ee830478996fd21f1b386795640464bd68df45b537168ea55a5733946cd255eab36e80551b6b1e1e77b43b075925fd7722f626a31be711402d</div>
<div> Message-Authenticator = 0xcc8e1ecd017ffb90d560f6c53e4646e3</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div>
State = 0x01794096067059e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 9 length 107</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div>[peap] eaptls_verify returned 7</div><div>[peap] Done initial handshake</div><div>[peap] eaptls_process returned 7</div><div>[peap] EAPTLS_OK</div><div>[peap] Session established. Decoding tunneled attributes.</div>
<div>[peap] Peap state phase2</div><div>[peap] EAP type mschapv2</div><div>[peap] Got tunneled request</div><div> EAP-Message = 0x020900451a0209004031efe81adb9299be4739da1763d1702e44000000000000000000000000000000000000000000000000000000000000000000686f73742f44414e3031</div>
<div>server {</div><div>[peap] Setting User-Name to host/DAN01</div><div>Sending tunneled request</div><div> EAP-Message = 0x020900451a0209004031efe81adb9299be4739da1763d1702e44000000000000000000000000000000000000000000000000000000000000000000686f73742f44414e3031</div>
<div> FreeRADIUS-Proxied-To = 127.0.0.1</div><div> User-Name = "host/DAN01"</div><div> State = 0xf36f0859f36612161ae524fe7d89d60e</div><div>server inner-tunnel {</div><div># Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel</div>
<div>+- entering group authorize {...}</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div><div>++[control] returns noop</div><div>[eap] EAP packet type response id 9 length 69</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns updated</div>
<div>++[files] returns noop</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/inner-tunnel</div>
<div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/mschapv2</div><div>[eap] processing type mschapv2</div><div>[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel</div>
<div>[mschapv2] +- entering group MS-CHAP {...}</div><div>[mschap] No Cleartext-Password configured. Cannot create LM-Password.</div><div>[mschap] No Cleartext-Password configured. Cannot create NT-Password.</div><div>[mschap] Creating challenge hash with username: host/DAN01</div>
<div>[mschap] Told to do MS-CHAPv2 for host/DAN01 with NT-Password</div><div>[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.</div><div>[mschap] FAILED: MS-CHAP2-Response is incorrect</div><div>++[mschap] returns reject</div>
<div>[eap] Freeing handler</div><div>++[eap] returns reject</div><div>Failed to authenticate the user.</div><div>} # server inner-tunnel</div><div>[peap] Got tunneled reply code 3</div><div> MS-CHAP-Error = "\tE=691 R=1"</div>
<div> EAP-Message = 0x04090004</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>[peap] Got tunneled reply RADIUS code 3</div><div> MS-CHAP-Error = "\tE=691 R=1"</div>
<div> EAP-Message = 0x04090004</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>[peap] Tunneled authentication was rejected.</div><div>[peap] FAILURE</div><div>++[eap] returns handled</div>
<div>Sending Access-Challenge of id 244 to 10.11.200.73 port 1645</div><div> EAP-Message = 0x010a002b19001703010020b18b2f6ba2a15eb8ccf6796e5f1978974c30c0ab7e60faef3aab29c75ebfa183</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> State = 0x01794096097359e4c1b393ed153b7774</div><div>Finished request 8.</div><div>Going to the next request</div><div>Waking up in 4.8 seconds.</div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=245, length=204</div>
<div> User-Name = "host/DAN01"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div>
<div> EAP-Message = 0x020a002b19001703010020da286d0d7cd1b91d931d0059695ecf9ed2f5640c0975ae5ec20d8b34d2cc599a</div><div> Message-Authenticator = 0xc4e84370ab6a69e7ccecf9b8f70ec4e0</div><div> NAS-Port-Type = Ethernet</div>
<div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> State = 0x01794096097359e4c1b393ed153b7774</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 10 length 43</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = EAP</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div><div>[eap] processing type peap</div>
<div>[peap] processing EAP-TLS</div><div>[peap] eaptls_verify returned 7</div><div>[peap] Done initial handshake</div><div>[peap] eaptls_process returned 7</div><div>[peap] EAPTLS_OK</div><div>[peap] Session established. Decoding tunneled attributes.</div>
<div>[peap] Peap state send tlv failure</div><div>[peap] Received EAP-TLV response.</div><div>[peap] The users session was previously rejected: returning reject (again.)</div><div>[peap] *** This means you need to read the PREVIOUS messages in the debug output</div>
<div>[peap] *** to find out the reason why the user was rejected.</div><div>[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.</div><div>[peap] *** what went wrong, and how to fix the problem.</div>
<div>[eap] Handler failed in EAP/peap</div><div>[eap] Failed in EAP select</div><div>++[eap] returns invalid</div><div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div><div># Executing group from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> host/DAN01</div><div>attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div>
<div>Delaying reject of request 9 for 1 seconds</div><div>Going to the next request</div><div>Waking up in 0.9 seconds.</div><div>Sending delayed reject for request 9</div><div>Sending Access-Reject of id 245 to 10.11.200.73 port 1645</div>
<div> EAP-Message = 0x040a0004</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>Waking up in 3.8 seconds.</div><div>Cleaning up request 0 ID 236 with timestamp +39</div><div>Cleaning up request 1 ID 237 with timestamp +39</div>
<div>Cleaning up request 2 ID 238 with timestamp +39</div><div>Cleaning up request 3 ID 239 with timestamp +39</div><div>Cleaning up request 4 ID 240 with timestamp +39</div><div>Cleaning up request 5 ID 241 with timestamp +39</div>
<div>Cleaning up request 6 ID 242 with timestamp +39</div><div>Cleaning up request 7 ID 243 with timestamp +39</div><div>Cleaning up request 8 ID 244 with timestamp +39</div><div>Waking up in 1.0 seconds.</div><div>Cleaning up request 9 ID 245 with timestamp +39</div>
<div>Ready to process requests.</div></div><div><br></div>