Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
December 2008
- 143 participants
- 223 discussions
While an "out of the box" solution is where I'll probably end up, I'm
battling with myself over the idea of how to best manage bandwidth on a
network including multiple remote locations, with both wired and
wireless connections.
I'm moving to using freeradius to authenticate (which ultimately will be
done by MAC for initial ease of setup) but I'm trying to figure out
where the Bandwidth attributes actually are used.
IOW, when using WISPr-Bandwidth, does that modify the client connection
at the client computer or does that occur at a proxy or firewall device?
What I'm getting at is, is a captive portal necessary or can a person
simply have client authentication via freeradius and the client network
card handle managing its own bandwidth? And if so, is there any
possibility that the client computer could be modified by someone with a
bit of skill to bypass those controls?
Hope that made sense.
Cheers,
Kevin
4
6
Here's my problem:
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not
found in the request or in the reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: We cannot calculate
MN-HA keys.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology
not found in reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: Not calculating MN-HA
keys
My question is, where do I add these replies? I currently have my radius
doing its lookups in a MySQL database.
- Milligan -
3
4
Hi Alan
Thank you for you helping on accounting response
i got the advice for freeradius list use the unlang to modify the Accep Reject
i read the man unlang but cannot figure out how to use it
this is the whole call
the call flow :
NAS ----> Access-Request -------> FreeRadius
Freeradius ------>Access Accept(if the password is matched) ----> NAS
NAS ----> Accounting-Request -------> FreeRadius(Accounting start)
Freeradius -----> Acounting Response------> NAS
NAS ----> Access-Request -------> FreeRadius (Reauthorize to check account balance)
Freeradius ------>Access Accept(if the password is matched) ----> NAS
Freeradius ------>Access Reject(if the password isnot matched) ----> NAS
at the line 529 + 530, i should to send back to NAS server with the Acces Reject with attribute h323-return-code == "h323-return-code=2" not 0
Thank you
Ha`
1 rad_recv: Access-Request packet from host 172.26.0.8 port 1645, id=200, length=165
2 User-Name = "0873000001"
3 User-Password = "Servicecisco"
4 NAS-IP-Address = 0.0.0.0
5 NAS-Port = 0
6 Service-Type = Dialout-Framed-User
7 h323-call-type = "h323-call-type=VOIP"
8 Called-Station-Id = "0873001163"
9 Calling-Station-Id = "0873000001"
10 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
11 Event-Timestamp = "Dec 16 2008 09:13:03 ICT"
12 NAS-Port-Type = Ethernet
13 +- entering group authorize {...}
14 ++[preprocess] returns ok
15 [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
16 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
17 [auth_log] expand: %t -> Tue Dec 16 09:13:03 2008
18 ++[auth_log] returns ok
19 ++[digest] returns noop
20 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
21 [suffix] No such realm "NULL"
22 ++[suffix] returns noop
23 ++[unix] returns notfound
24 [pgsql-voip] expand: %{User-Name} -> 0873000001
25 [pgsql-voip] sql_set_user escaped user --> '0873000001'
26 rlm_sql (pgsql-voip): Reserving sql socket id: 19
27 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
28 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
29 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
30 rlm_sql_postgresql: query affected rows = 1 , fields = 5
31 [pgsql-voip] User found in radcheck table
32 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
33 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
34 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
35 rlm_sql_postgresql: query affected rows = 7 , fields = 5
36 rlm_sql (pgsql-voip): Released sql socket id: 19
37 ++[pgsql-voip] returns ok
38 rlm_counter: Entering module authorize code
39 rlm_counter: Could not find Check item value pair
40 ++[daily] returns noop
41 ++[expiration] returns noop
42 ++[logintime] returns noop
43 ++[pap] returns updated
44 Found Auth-Type = PAP
45 +- entering group PAP {...}
46 [pap] login attempt with password "Servicecisco"
47 [pap] Using clear text password "Servicecisco"
48 [pap] User authenticated successfully
49 ++[pap] returns ok
50 +- entering group post-auth {...}
51 [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
52 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
53 [reply_log] expand: %t -> Tue Dec 16 09:13:03 2008
54 ++[reply_log] returns ok
55 [pgsql-voip] expand: %{User-Name} -> 0873000001
56 [pgsql-voip] sql_set_user escaped user --> '0873000001'
57 [pgsql-voip] expand: %{User-Password} -> Servicecisco
58 [pgsql-voip] expand: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{Called-Station-Id}', '%{Calling-Station-Id}') -> INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
59 [pgsql-voip] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
60 rlm_sql (pgsql-voip) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
61 rlm_sql (pgsql-voip): Reserving sql socket id: 18
62 rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
63 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
64 rlm_sql_postgresql: query affected rows = 1
65 rlm_sql (pgsql-voip): Released sql socket id: 18
66 ++[pgsql-voip] returns ok
67 ++[exec] returns noop
68 Sending Access-Accept of id 200 to 172.26.0.8 port 1645
69 Class == 0x436c6173733d333030
70 h323-credit-amount == "h323-credit-amount=1000"
71 h323-return-code == "h323-return-code=0"
72 h323-preferred-lang == "hh323-preferred-lang=VN"
73 h323-billing-model == "h323-billing-model=2"
74 h323-currency == "h323-currency=USD"
75 h323-credit-time == "h323-credit-time=10"
76 Finished request 3.
77 Going to the next request
78 Waking up in 4.9 seconds.
79 rad_recv: Accounting-Request packet from host 172.26.0.8 port 1645, id=201, length=399
80 User-Name = "0873000001"
81 NAS-IP-Address = 0.0.0.0
82 Service-Type = Dialout-Framed-User
83 Class = 0x436c6173733d333030
84 Cisco-AVPair = "h323-incoming-conf-id=e727dc68 ca4d11dd 812dd127 98296413 "
85 h323-conf-id = "h323-conf-id=e727dc68 ca4d11dd 812dd127 98296413 "
86 h323-setup-time = "h323-setup-time= 2:13:03.000 UTC Tue Dec 16 2008"
87 h323-connect-time = "h323-connect-time= 2:13:05.000 UTC Tue Dec 16 2008"
88 h323-call-type = "h323-call-type=VOIP"
89 Called-Station-Id = "0873001163"
90 Calling-Station-Id = "0873000001"
91 Acct-Status-Type = Start
92 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
93 Event-Timestamp = "Dec 16 2008 09:13:05 ICT"
94 NAS-Port-Type = Ethernet
95 +- entering group preacct {...}
96 ++[preprocess] returns ok
97 [acct_unique] Hashing 'NAS-Port-Type = Ethernet,Client-IP-Address = 172.26.0.8,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 ",User-Name = "0873000001"'
98 [acct_unique] Acct-Unique-Session-ID = "bf9a06b98413c5d2".
99 ++[acct_unique] returns ok
100 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
101 [suffix] No such realm "NULL"
102 ++[suffix] returns noop
103 [files] acct_users: Matched entry DEFAULT at line 22
104 [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
105 [files] expand: %{Stripped-User-Name:-%{User-Name}} -> 0873000001
106 ++[files] returns ok
107 +- entering group accounting {...}
108 [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/detail-20081216
109 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/detail-20081216
110 [detail] expand: %t -> Tue Dec 16 09:13:05 2008
111 ++[detail] returns ok
112 ++[unix] returns noop
113 [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
114 [radutmp] expand: %{User-Name} -> 0873000001
115 rlm_radutmp: No NAS-Port seen. Cannot do anything.
116 rlm_radumtp: WARNING: checkrad will probably not work!
117 ++[radutmp] returns noop
118 [pgsql-voip] expand: %{User-Name} -> 0873000001
119 [pgsql-voip] sql_set_user escaped user --> '0873000001'
120 [pgsql-voip] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
121 [pgsql-voip] expand: INSERT into startvoip (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, CallingStationId, AcctDelayTime, h323gwid, h323callorigin, h323setuptime, H323ConnectTime, callid) values('210.245.126.131', '%{SQL-User-Name}', '%{NAS-IP-Address}', now(), '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Delay-Time:-0}', '%{h323-gw-id}', '%{h323-call-origin}', strip_dot('%{h323-setup-time}'), strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}', '%{call-id}')) -> INSERT into startvoip (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, CallingStationId, AcctDelayTime, h323gwid, h323callorigin, h323setuptime, H323ConnectTime, callid) values('210.245.126.131', '0873000001', '0.0.0.0', now(), '0873001163', '0873000001', '0', '', '', strip_dot(' 2:13:03.000 UTC Tue Dec 16 2008'), strip_dot(' 2:13:05.000 UTC Tue Dec 16 2008'), pick_id('e727dc68 ca4d11dd 812dd127 98296413 ', ''))
122 [pgsql-voip] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
123 rlm_sql (pgsql-voip): Reserving sql socket id: 17
124 rlm_sql_postgresql: query: INSERT into startvoip (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, CallingStationId, AcctDelayTime, h323gwid, h323callorigin, h323setuptime, H323ConnectTime, callid) values('210.245.126.131', '0873000001', '0.0.0.0', now(), '0873001163', '0873000001', '0', '', '', strip_dot(' 2:13:03.000 UTC Tue Dec 16 2008'), strip_dot(' 2:13:05.000 UTC Tue Dec 16 2008'), pick_id('e727dc68 ca4d11dd 812dd127 98296413 ', ''))
125 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
126 rlm_sql_postgresql: query affected rows = 1
127 rlm_sql (pgsql-voip): Released sql socket id: 17
128 ++[pgsql-voip] returns ok
129 Sending Accounting-Response of id 201 to 172.26.0.8 port 1645
130 User-Name := "0873000001"
131 h323-return-code := "h323-return-code=0"
132 h323-billing-model := "h323-billing-model=2"
133 Finished request 4.
134 Cleaning up request 4 ID 201 with timestamp +124
135 Going to the next request
136 Waking up in 2.8 seconds.
137 Cleaning up request 3 ID 200 with timestamp +122
138 Ready to process requests.
139 rad_recv: Access-Request packet from host 172.26.0.8 port 1645, id=202, length=202
140 User-Name = "0873000001"
141 User-Password = "Servicecisco"
142 NAS-IP-Address = 0.0.0.0
143 NAS-Port = 0
144 Service-Type = Dialout-Framed-User
145 Class = 0x436c6173733d333030
146 h323-call-type = "h323-call-type=VOIP"
147 h323-credit-time = "h323-credit-time=9"
148 Called-Station-Id = "0873001163"
149 Calling-Station-Id = "0873000001"
150 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
151 Event-Timestamp = "Dec 16 2008 09:13:14 ICT"
152 NAS-Port-Type = Ethernet
153 +- entering group authorize {...}
154 ++[preprocess] returns ok
155 [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
156 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
157 [auth_log] expand: %t -> Tue Dec 16 09:13:14 2008
158 ++[auth_log] returns ok
159 ++[digest] returns noop
160 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
161 [suffix] No such realm "NULL"
162 ++[suffix] returns noop
163 ++[unix] returns notfound
164 [pgsql-voip] expand: %{User-Name} -> 0873000001
165 [pgsql-voip] sql_set_user escaped user --> '0873000001'
...........
171 [pgsql-voip] User found in radcheck table
172 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
173 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
174 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
175 rlm_sql_postgresql: query affected rows = 7 , fields = 5
176 rlm_sql (pgsql-voip): Released sql socket id: 16
177 ++[pgsql-voip] returns ok
178 rlm_counter: Entering module authorize code
179 rlm_counter: Could not find Check item value pair
180 ++[daily] returns noop
181 ++[expiration] returns noop
182 ++[logintime] returns noop
183 ++[pap] returns updated
184 Found Auth-Type = PAP
185 +- entering group PAP {...}
186 [pap] login attempt with password "Servicecisco"
187 [pap] Using clear text password "Servicecisco"
188 [pap] User authenticated successfully
189 ++[pap] returns ok
190 +- entering group post-auth {...}
191 [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
192 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
193 [reply_log] expand: %t -> Tue Dec 16 09:13:14 2008
194 ++[reply_log] returns ok
195 [pgsql-voip] expand: %{User-Name} -> 0873000001
196 [pgsql-voip] sql_set_user escaped user --> '0873000001'
197 [pgsql-voip] expand: %{User-Password} -> Servicecisco
198 [pgsql-voip] expand: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{Called-Station-Id}', '%{Calling-Station-Id}') -> INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
199 [pgsql-voip] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
200 rlm_sql (pgsql-voip) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
201 rlm_sql (pgsql-voip): Reserving sql socket id: 15
202 rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
203 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
204 rlm_sql_postgresql: query affected rows = 1
205 rlm_sql (pgsql-voip): Released sql socket id: 15
206 ++[pgsql-voip] returns ok
207 ++[exec] returns noop
208 Sending Access-Accept of id 202 to 172.26.0.8 port 1645
209 Class == 0x436c6173733d333030
210 h323-credit-amount == "h323-credit-amount=1000"
211 h323-return-code == "h323-return-code=0"
212 h323-preferred-lang == "hh323-preferred-lang=VN"
213 h323-billing-model == "h323-billing-model=2"
214 h323-currency == "h323-currency=USD"
215 h323-credit-time == "h323-credit-time=10"
216 Finished request 5.
217 Going to the next request
218 Waking up in 4.9 seconds.
219 Cleaning up request 5 ID 202 with timestamp +133
220 Ready to process requests.
221 rad_recv: Access-Request packet from host 172.26.0.8 port 1645, id=203, length=203
222 User-Name = "0873000001"
223 User-Password = "Servicecisco"
224 NAS-IP-Address = 0.0.0.0
225 NAS-Port = 0
226 Service-Type = Dialout-Framed-User
227 Class = 0x436c6173733d333030
228 h323-call-type = "h323-call-type=VOIP"
229 h323-credit-time = "h323-credit-time=19"
230 Called-Station-Id = "0873001163"
231 Calling-Station-Id = "0873000001"
232 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
233 Event-Timestamp = "Dec 16 2008 09:13:24 ICT"
234 NAS-Port-Type = Ethernet
235 +- entering group authorize {...}
236 ++[preprocess] returns ok
237 [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
238 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
239 [auth_log] expand: %t -> Tue Dec 16 09:13:24 2008
240 ++[auth_log] returns ok
241 ++[digest] returns noop
242 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
243 [suffix] No such realm "NULL"
244 ++[suffix] returns noop
245 ++[unix] returns notfound
246 [pgsql-voip] expand: %{User-Name} -> 0873000001
247 [pgsql-voip] sql_set_user escaped user --> '0873000001'
248 rlm_sql (pgsql-voip): Reserving sql socket id: 14
249 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
250 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
251 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
252 rlm_sql_postgresql: query affected rows = 1 , fields = 5
253 [pgsql-voip] User found in radcheck table
254 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
255 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
256 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
257 rlm_sql_postgresql: query affected rows = 7 , fields = 5
258 rlm_sql (pgsql-voip): Released sql socket id: 14
259 ++[pgsql-voip] returns ok
260 rlm_counter: Entering module authorize code
261 rlm_counter: Could not find Check item value pair
262 ++[daily] returns noop
263 ++[expiration] returns noop
264 ++[logintime] returns noop
265 ++[pap] returns updated
266 Found Auth-Type = PAP
267 +- entering group PAP {...}
268 [pap] login attempt with password "Servicecisco"
269 [pap] Using clear text password "Servicecisco"
270 [pap] User authenticated successfully
271 ++[pap] returns ok
272 +- entering group post-auth {...}
273 [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
274 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
275 [reply_log] expand: %t -> Tue Dec 16 09:13:24 2008
276 ++[reply_log] returns ok
277 [pgsql-voip] expand: %{User-Name} -> 0873000001
278 [pgsql-voip] sql_set_user escaped user --> '0873000001'
279 [pgsql-voip] expand: %{User-Password} -> Servicecisco
280 [pgsql-voip] expand: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{Called-Station-Id}', '%{Calling-Station-Id}') -> INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
281 [pgsql-voip] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
282 rlm_sql (pgsql-voip) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
283 rlm_sql (pgsql-voip): Reserving sql socket id: 13
284 rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
285 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
286 rlm_sql_postgresql: query affected rows = 1
287 rlm_sql (pgsql-voip): Released sql socket id: 13
288 ++[pgsql-voip] returns ok
289 ++[exec] returns noop
290 Sending Access-Accept of id 203 to 172.26.0.8 port 1645
291 Class == 0x436c6173733d333030
292 h323-credit-amount == "h323-credit-amount=1000"
293 h323-return-code == "h323-return-code=0"
294 h323-preferred-lang == "hh323-preferred-lang=VN"
295 h323-billing-model == "h323-billing-model=2"
296 h323-currency == "h323-currency=USD"
297 h323-credit-time == "h323-credit-time=10"
298 Finished request 6.
299 Going to the next request
300 Waking up in 4.9 seconds.
301 Cleaning up request 6 ID 203 with timestamp +143
302 Ready to process requests.
303 rad_recv: Access-Request packet from host 172.26.0.8 port 1645, id=204, length=203
304 User-Name = "0873000001"
305 User-Password = "Servicecisco"
306 NAS-IP-Address = 0.0.0.0
307 NAS-Port = 0
308 Service-Type = Dialout-Framed-User
309 Class = 0x436c6173733d333030
310 h323-call-type = "h323-call-type=VOIP"
311 h323-credit-time = "h323-credit-time=29"
312 Called-Station-Id = "0873001163"
313 Calling-Station-Id = "0873000001"
314 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
315 Event-Timestamp = "Dec 16 2008 09:13:34 ICT"
316 NAS-Port-Type = Ethernet
317 +- entering group authorize {...}
318 ++[preprocess] returns ok
319 [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
320 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
321 [auth_log] expand: %t -> Tue Dec 16 09:13:34 2008
322 ++[auth_log] returns ok
323 ++[digest] returns noop
324 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
325 [suffix] No such realm "NULL"
326 ++[suffix] returns noop
327 ++[unix] returns notfound
328 [pgsql-voip] expand: %{User-Name} -> 0873000001
329 [pgsql-voip] sql_set_user escaped user --> '0873000001'
330 rlm_sql (pgsql-voip): Reserving sql socket id: 12
331 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
332 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
333 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
334 rlm_sql_postgresql: query affected rows = 1 , fields = 5
335 [pgsql-voip] User found in radcheck table
336 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
337 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
338 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
339 rlm_sql_postgresql: query affected rows = 7 , fields = 5
340 rlm_sql (pgsql-voip): Released sql socket id: 12
341 ++[pgsql-voip] returns ok
342 rlm_counter: Entering module authorize code
343 rlm_counter: Could not find Check item value pair
344 ++[daily] returns noop
345 ++[expiration] returns noop
346 ++[logintime] returns noop
347 ++[pap] returns updated
348 Found Auth-Type = PAP
349 +- entering group PAP {...}
350 [pap] login attempt with password "Servicecisco"
351 [pap] Using clear text password "Servicecisco"
352 [pap] User authenticated successfully
353 ++[pap] returns ok
354 +- entering group post-auth {...}
355 [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
356 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/reply-detail-20081216
357 [reply_log] expand: %t -> Tue Dec 16 09:13:34 2008
358 ++[reply_log] returns ok
359 [pgsql-voip] expand: %{User-Name} -> 0873000001
360 [pgsql-voip] sql_set_user escaped user --> '0873000001'
361 [pgsql-voip] expand: %{User-Password} -> Servicecisco
362 [pgsql-voip] expand: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{Called-Station-Id}', '%{Calling-Station-Id}') -> INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
363 [pgsql-voip] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
364 rlm_sql (pgsql-voip) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
365 rlm_sql (pgsql-voip): Reserving sql socket id: 11
366 rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate, calledstationid, callingstationid) VALUES ('0873000001', 'Servicecisco', 'Access-Accept', NOW(), '0873001163', '0873000001')
367 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
368 rlm_sql_postgresql: query affected rows = 1
369 rlm_sql (pgsql-voip): Released sql socket id: 11
370 ++[pgsql-voip] returns ok
371 ++[exec] returns noop
372 Sending Access-Accept of id 204 to 172.26.0.8 port 1645
373 Class == 0x436c6173733d333030
374 h323-credit-amount == "h323-credit-amount=1000"
375 h323-return-code == "h323-return-code=0"
376 h323-preferred-lang == "hh323-preferred-lang=VN"
377 h323-billing-model == "h323-billing-model=2"
378 h323-currency == "h323-currency=USD"
379 h323-credit-time == "h323-credit-time=10"
380 Finished request 7.
381 Going to the next request
382 Waking up in 4.9 seconds.
383 Cleaning up request 7 ID 204 with timestamp +153
384 Ready to process requests.
......
465 Cleaning up request 8 ID 205 with timestamp +163
466 Ready to process requests.
467 rad_recv: Access-Request packet from host 172.26.0.8 port 1645, id=206, length=203
468 User-Name = "0873000001"
469 User-Password = "\037_Ø\346"
470 NAS-IP-Address = 0.0.0.0
471 NAS-Port = 0
472 Service-Type = Dialout-Framed-User
473 Class = 0x436c6173733d333030
474 h323-call-type = "h323-call-type=VOIP"
475 h323-credit-time = "h323-credit-time=49"
476 Called-Station-Id = "0873001163"
477 Calling-Station-Id = "0873000001"
478 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
479 Event-Timestamp = "Dec 16 2008 09:13:54 ICT"
480 NAS-Port-Type = Ethernet
481 +- entering group authorize {...}
482 ++[preprocess] returns ok
483 [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
484 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/auth-detail-20081216
485 [auth_log] expand: %t -> Tue Dec 16 09:13:54 2008
486 ++[auth_log] returns ok
487 ++[digest] returns noop
488 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
489 [suffix] No such realm "NULL"
490 ++[suffix] returns noop
491 ++[unix] returns notfound
492 [pgsql-voip] expand: %{User-Name} -> 0873000001
493 [pgsql-voip] sql_set_user escaped user --> '0873000001'
494 rlm_sql (pgsql-voip): Reserving sql socket id: 8
495 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
496 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '0873000001' ORDER BY id
497 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
498 rlm_sql_postgresql: query affected rows = 1 , fields = 5
499 [pgsql-voip] User found in radcheck table
500 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
501 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '0873000001' ORDER BY id
502 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
503 rlm_sql_postgresql: query affected rows = 7 , fields = 5
504 rlm_sql (pgsql-voip): Released sql socket id: 8
505 ++[pgsql-voip] returns ok
506 rlm_counter: Entering module authorize code
507 rlm_counter: Could not find Check item value pair
508 ++[daily] returns noop
509 ++[expiration] returns noop
510 ++[logintime] returns noop
511 ++[pap] returns updated
512 Found Auth-Type = PAP
513 +- entering group PAP {...}
514 [pap] login attempt with password "?_Ø?æ"
515 [pap] Using clear text password "Servicecisco"
516 [pap] Passwords don't match
517 ++[pap] returns reject
518 Failed to authenticate the user.
519 WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
520 Using Post-Auth-Type Reject
521 +- entering group REJECT {...}
522 [attr_filter.access_reject] expand: %{User-Name} -> 0873000001
523 attr_filter: Matched entry DEFAULT at line 11
524 ++[attr_filter.access_reject] returns updated
525 Delaying reject of request 9 for 1 seconds
526 Going to the next request
527 Waking up in 0.9 seconds.
528 Sending delayed reject for request 9
529 Sending Access-Reject of id 206 to 172.26.0.8 port 1645
530 h323-return-code == "h323-return-code=0"
531 Waking up in 4.9 seconds.
532 Cleaning up request 9 ID 206 with timestamp +173
533 Ready to process requests.
534 rad_recv: Accounting-Request packet from host 172.26.0.8 port 1645, id=207, length=498
535 User-Name = "0873000001"
536 NAS-IP-Address = 0.0.0.0
537 Service-Type = Dialout-Framed-User
538 Class = 0x436c6173733d333030
539 Cisco-AVPair = "h323-incoming-conf-id=e727dc68 ca4d11dd 812dd127 98296413 "
540 h323-conf-id = "h323-conf-id=e727dc68 ca4d11dd 812dd127 98296413 "
541 h323-setup-time = "h323-setup-time= 2:13:54.000 UTC Tue Dec 16 2008"
542 h323-connect-time = "h323-connect-time= 2:13:05.000 UTC Tue Dec 16 2008"
543 h323-call-type = "h323-call-type=VOIP"
544 h323-disconnect-time = "h323-disconnect-time= 2:14:08.000 UTC Tue Dec 16 2008"
545 h323-disconnect-cause = "h323-disconnect-cause=10"
546 Called-Station-Id = "0873001163"
547 Calling-Station-Id = "0873000001"
548 Acct-Status-Type = Stop
549 Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 "
550 Acct-Authentic = RADIUS
551 Event-Timestamp = "Dec 16 2008 09:14:08 ICT"
552 NAS-Port-Type = Ethernet
553 +- entering group preacct {...}
554 ++[preprocess] returns ok
555 [acct_unique] Hashing 'NAS-Port-Type = Ethernet,Client-IP-Address = 172.26.0.8,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = "e727dc68 ca4d11dd 812dd127 98296413 ",User-Name = "0873000001"'
556 [acct_unique] Acct-Unique-Session-ID = "bf9a06b98413c5d2".
557 ++[acct_unique] returns ok
558 [suffix] No '@' in User-Name = "0873000001", looking up realm NULL
559 [suffix] No such realm "NULL"
560 ++[suffix] returns noop
561 [files] acct_users: Matched entry DEFAULT at line 22
562 [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
563 [files] expand: %{Stripped-User-Name:-%{User-Name}} -> 0873000001
564 ++[files] returns ok
565 +- entering group accounting {...}
566 [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.26.0.8/detail-20081216
567 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.26.0.8/detail-20081216
568 [detail] expand: %t -> Tue Dec 16 09:14:09 2008
569 ++[detail] returns ok
570 ++[unix] returns noop
571 [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
572 [radutmp] expand: %{User-Name} -> 0873000001
573 rlm_radutmp: No NAS-Port seen. Cannot do anything.
574 rlm_radumtp: WARNING: checkrad will probably not work!
575 ++[radutmp] returns noop
576 [pgsql-voip] expand: %{User-Name} -> 0873000001
577 [pgsql-voip] sql_set_user escaped user --> '0873000001'
578 [pgsql-voip] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
579 [pgsql-voip] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
580 [pgsql-voip] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
581 [pgsql-voip] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
586 rlm_sql_postgresql: Status: PGRES_COMMAND_OK
587 rlm_sql_postgresql: query affected rows = 1
588 rlm_sql (pgsql-voip): Released sql socket id: 7
589 ++[pgsql-voip] returns ok
590 Sending Accounting-Response of id 207 to 172.26.0.8 port 1645
591 User-Name := "0873000001"
592 h323-return-code := "h323-return-code=0"
593 h323-billing-model := "h323-billing-model=2"
594 Finished request 10.
595 Cleaning up request 10 ID 207 with timestamp +188
596 Going to the next request
597 Ready to process requests.
2
1
Is there any way to make the rlm-checkval check not case sensitive
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-5C-7B-FF-2D
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-5c-7b-ff-2d
I have two different types of access points that i have to use right now
and the cisco puts everything in caps and the proxium puts everything
lower case.
I am using mysql as my backed database.
mysql> select * from radcheck order by id;
+----+----------+--------------------+----+-------------------+
| id | UserName | Attribute | op | Value |
+----+----------+--------------------+----+-------------------+
| 37 | dell1 | User-Password | := | dell1 |
| 39 | dell1 | Calling-Station-Id | := | 00-19-7d-a6-ad-06 |
| 40 | hp1 | User-Password | := | hp1 |
| 41 | hp1 | Calling-Station-Id | := | 00-21-5c-7b-ff-2d |
+----+----------+--------------------+----+-------------------+
4 rows in set (0.00 sec)
3
8
>- and how, exactly, does the EAP tunnel get set up if you dont
>have a common certificate to enable such a construct? you've got
>to have a CA - and, if done properly, you've got to have the validate
>check as well!
Suppose a person who comes from outside the company, and wants to
connect to my network, do not have the certificates.
through PEAP can I give you access with a username and password
without install certificates?
What I suggest?
()
3
2
>>[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>>TLS Alert read:fatal:unknown CA
>> TLS_accept:failed in SSLv3 read client certificate A
>But your problem has nothing to do with the user. You haven't imported
>the ca certificate onto the users machine. At least not the correct one.
but, if I want the user´s don´t use certificates and only use "user &
pass" whit PEAP ¿is posible?
2
1
hi,
I am building freeradius 2.1.3 on ubuntu (configure/make/make install)
I am trying to use perl module, but when I can't start my server.
I have put "perl" as a module in my radiusd.conf file.
I don't file the rlm_perl*.so file in /usr/local/lib/ where all the other
rlm_*.so files are located.
What am I missing?
I also tried to configure with the experimental modules flag.
Thanks
-a
3
3
Hello gentlemen
I am configuring PEAP and there is not much information about it,
Should I add a user in the user file alone?
If default is configured with EAP, what should I modify another file?
thanks.
logout:
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=220, length=156
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x8cc6da388d8df7f5ec4355457fe64969
EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
NAS-Port-Type = Wireless-802.11
NAS-Port = 474
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.10.1.21 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x34d23a2734d023bc90d78d0fbe96492c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=221, length=263
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x3491a2750461cd5efdc8648bf46aa49a
EAP-Message =
0x0202006c190016030100610100005d030149493f85acfcc0f2c2c47fe6fa7a57d6e421cff26116506231b3776199ed10e200003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 474
State = 0x34d23a2734d023bc90d78d0fbe96492c
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 108
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 221 to 10.10.1.21 port 1645
[...]
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 220 with timestamp +68
Waking up in 0.1 seconds.
Cleaning up request 1 ID 221 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=222, length=156
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x862b4eedab979983e604c4836e8ac526
EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 222 to 10.10.1.21 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8f11b52d8f13ac786b16694f681d2fd0
Finished request 2.
[...]
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 223 to 10.10.1.21 port 1645
[...]
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=224, length=161
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x9f0db2567149250ed92295734e004b44
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8e12ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 224 to 10.10.1.21 port 1645
[...]
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=225, length=161
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x65d2bab3cdae40b237ce9837d9a3eacf
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8d15ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
[...]
Sending Access-Challenge of id 225 to 10.10.1.21 port 1645
[...]
Finished request 5.
Going to the next request
waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=226, length=168
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xcb5badb43459e8a2770683bef095543b
EAP-Message = 0x0205000d190015030100020230
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8c14ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 13
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMINIO\msilvero
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 226 to 10.10.1.21 port 1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 2 ID 222 with timestamp +74
Waking up in 0.1 seconds.
Cleaning up request 3 ID 223 with timestamp +74
Cleaning up request 4 ID 224 with timestamp +74
Cleaning up request 5 ID 225 with timestamp +74
Waking up in 1.0 seconds.
Cleaning up request 6 ID 226 with timestamp +74
Ready to process requests.
3
2
PEAP with Windows supplicant, Automatically use my windows credentials
by splintered thoughts 17 Dec '08
by splintered thoughts 17 Dec '08
17 Dec '08
Hello,
I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails. May I have some insight into any issue(s) on how to resolve this? Here is the debug log for the failed request:
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 0 length 23
Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP Identity
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type md5
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=120, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x01010016041090013f5c9305706c9dc6340df1142df1
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d0ce03f56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 0.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 1 length 6
Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP NAK
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP-NAK asked for EAP-Type/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type tls
Wed Dec 17 09:07:24 2008 : Debug: [tls] Initiate
Wed Dec 17 09:07:24 2008 : Debug: [tls] Start returned 1
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=121, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010200061920
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d1cd1ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 1.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 2 length 80
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] Length Included
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 11
Wed Dec 17 09:07:24 2008 : Debug: [peap] (other): before/accept initialization
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: before/accept initialization
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read client hello A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write server hello A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write certificate A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write server done A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=122, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0103040019c00000072c160301002a020000260301494923bcedc987028a2352b84271936aea53e99fb623ca257536e883442ea95c0000040016030106ef0b0006eb0006e80002cb308202c7308202300205122935480a300d06092a864886f70d01010505003081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d301e170d3038313231353135323635305a170d3333313230393135323635305a30819a310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572310d300b060355040a130433436f6d31153013060355040b130c54697070696e67506f696e7431193017060355040313106a6967356e70732e747077352e636f6d3127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d30819f300d06092a864886f70d010101050003818d00308189028181
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x00dd03f09559ddc6ea8bc0a9206d40657f7d12b2f29f283bd0d84eb2904e2720592bb18ec971bfc20f93916df7dcfd35848be2946eb2683ae6fd3ff715e95f33594ec1888038961f2561389160afa4c1ef47e3f88e935340b19ec897d4b599f927b9d878e386267b573dba0ed413a1431d63ee4e7fe9dd70f055b8d2521a9e3ad90203010001300d06092a864886f70d010105050003818100509c6044c7e7d3b2d9a7fb62c035a65361dcb0ba148aaadfd1272a65f267f913b210faf39afa24658788cb651bce6f704a528e4e63d2613de5c967dc2d904f70852412e2371a556fa69194d4f16bddf641c1397c0947ebd36b851b8d57add0f78335d369
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x67c9080e362b607959f63dcd7f5fd80b46f31faa05b59853d8541166000417308204133082037ca003020102020900f90e79cfb7d27aab300d06092a864886f70d01010505003081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e74
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x2e636f6d301e170d30383132
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d2cc1ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 2.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 3 length 6
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] Received TLS ACK
Wed Dec 17 09:07:24 2008 : Debug: [peap] ACK handshake fragment handler
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 1
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=123, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0104033c190031353135323634395a170d3333313230393135323634395a3081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100f2d90d0838cf63
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x4d183710d46cfc788f079ffc59ce0a3009acca61148dcc9051e40bd73a175cfcb9f8de7eabe56d45aa18e32a7d37d7659d98362853f2c210fb4c440f0275d2ce8aac8ca7b0ab55079af4b0ac72a32bc2e12a15624417ac8b9aa7a8cfbd50c501d039eb85e9f34eae97a89da8bebbcaccabaeb4b82c175ba58b0203010001a38201213082011d301d0603551d0e041604143e3c0f897946ed4d56f53c5eafa4c3313648c8de3081ed0603551d230481e53081e280143e3c0f897946ed4d56f53c5eafa4c3313648c8dea181bea481bb3081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d69
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x6e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d820900f90e79cfb7d27aab300c0603551d13040530030101ff300d06092a864886f70d0101050500038181002b6008a9eb5028afb1f6aff39e7488b9dcb5200691065670c2d984d3f8a1111603dc17fabd80051fc81837d4617951d9a684c4f5b5e6d065c89b58348c144582c5166e1b
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x4488dbe4da43d384404835ce3e3b7d985c02c1a476ac1f65fc0874553af77c4f62ad840a40ccc26bb55fc2859a0347241a56ed096ebc6c081de2d60216030100040e000000
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d3cb1ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 3.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 4 length 192
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] Length Included
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 11
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read client key exchange A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read finished A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write change cipher spec A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write finished A
Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Dec 17 09:07:24 2008 : Debug: [peap] (other): SSL negotiation finished successfully
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Hello,
I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails. May I have some insight into any issue(s) on how to resolve this? Here is the debug log for the failed request:
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=124, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0105003119001403010001011603010020b483b6c6e83bf8a59f0ee6e6ad24591bc46e1e77319dacdc1a29479e8c664888
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d4ca1ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 4.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 5 length 6
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] Received TLS ACK
Wed Dec 17 09:07:24 2008 : Debug: [peap] ACK handshake is finished
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 3
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 3
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_SUCCESS
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=125, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x01060020190017030100159a18b32d1ce86335fa6dae97724c1bd44689df8454
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d5c91ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 5.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 6 length 46
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK
Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Dec 17 09:07:24 2008 : Debug: [peap] Identity - TPW5\administrator
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authorize {...}
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 6 length 23
Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP Identity
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type mschapv2
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: [peap] Got tunneled Access-Challenge
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=126, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010700431900170301003811ae41236e0a12fe5eeebc960c1f43fa29230d104856932a1007ce0b69a15a2a6ab8c8ffc8cc7f299de595c6450ce1c411633de75c334f1a
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d6c81ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 6.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 7 length 100
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK
Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAP type mschapv2
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authorize {...}
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 7 length 77
Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/mschapv2
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type mschapv2
Wed Dec 17 09:07:24 2008 : Debug: [mschapv2] +- entering group MS-CHAP {...}
Wed Dec 17 09:07:24 2008 : Debug: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Wed Dec 17 09:07:24 2008 : Debug: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Wed Dec 17 09:07:24 2008 : Debug: [mschap] Told to do MS-CHAPv2 for administrator with NT-Password
Wed Dec 17 09:07:24 2008 : Debug: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator
Wed Dec 17 09:07:24 2008 : Debug: [mschap] mschap2: e0
Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=469478f224b67ca3
Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c2abbe21274fad45cdcbf7db8de7de2a5be037e56415b6bc
Wed Dec 17 09:07:24 2008 : Debug: [mschap] External script failed.
Wed Dec 17 09:07:24 2008 : Debug: [mschap] FAILED: MS-CHAP2-Response is incorrect
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns reject
Wed Dec 17 09:07:24 2008 : Debug: [eap] Freeing handler
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns reject
Wed Dec 17 09:07:24 2008 : Debug: Failed to authenticate the user.
Wed Dec 17 09:07:24 2008 : Debug: [peap] Tunneled authentication was rejected.
Wed Dec 17 09:07:24 2008 : Debug: [peap] FAILURE
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled
Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=127, length=0
Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010800261900170301001b902fbf59b723a82af254f787d0adeb8f35a0e9dac511954bb0ef19
Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d7c71ef56f2a90dc8079ccda
Wed Dec 17 09:07:24 2008 : Debug: Finished request 7.
Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2
Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound
Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5"
Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL.
Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring.
Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 8 length 38
Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup.
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok
Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP
Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...}
Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list
Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap
Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake
Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7
Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK
Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Dec 17 09:07:24 2008 : Debug: [peap] Received EAP-TLV response.
Wed Dec 17 09:07:24 2008 : Debug: [peap] Had sent TLV failure. User was rejected earlier in this session.
Wed Dec 17 09:07:24 2008 : Debug: [eap] Handler failed in EAP/peap
Wed Dec 17 09:07:24 2008 : Debug: [eap] Failed in EAP select
Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns invalid
Wed Dec 17 09:07:24 2008 : Debug: Failed to authenticate the user.
Wed Dec 17 09:07:24 2008 : Debug: Using Post-Auth-Type Reject
Wed Dec 17 09:07:24 2008 : Debug: +- entering group REJECT {...}
Wed Dec 17 09:07:24 2008 : Debug: ++[jradius] returns noop
Wed Dec 17 09:07:24 2008 : Debug: Delaying reject of request 8 for 1 seconds
Wed Dec 17 09:07:25 2008 : Debug: Sending delayed reject for request 8
Wed Dec 17 09:07:25 2008 : Debug: Sending Access-Reject packet to host 10.12.18.4 port 1812, id=128, length=0
Wed Dec 17 09:07:25 2008 : Debug: EAP-Message = 0x04080004
Wed Dec 17 09:07:25 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
2
3
RE: Duplicate IPs for Radius Clients with different secrets - allow any client IP?
by Eric Geier 17 Dec '08
by Eric Geier 17 Dec '08
17 Dec '08
Thanks for the info, Anders.
Yes, I'm considering security issues. Just would be really great if I could
make everything work as I want...with still being secure.
> Why bother doing the SQL stuff, if you're going to let anyone use your
service anyway?
The way I thought it up, it would allow any IP to TRY to run its request to
the server...whereas if real client IPs are given, requests are denied
before the sever does any work if the client IP isn't on the list.
Say I did open up to any IP, the AP's MAC must match one from my list;
moreover the hacker must have the shared secret. Plus if I can add to the
example SQL statement, I would add to the WHERE clause "and domain =(domain
pulled from what's after the username's @ sign). Then the hacker must know a
username and domain that matches an acceptable AP, the user's password, that
acceptable AP's MAC address, and then finally the shared secret for the AP.
What could a hacker do to the server if he can't even get passed returning a
correct shared secret? cause DoS attacks? If so, I can try to find something
that blocks requests from originating IPs for 5mins after so many requests.
What do you think?
Thanks for your input, Eric
From: freeradius-users-bounces+me=egeier.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier.com@lists.freeradius.org] On
Behalf Of Anders Holm
Sent: Wednesday, December 17, 2008 2:55 PM
To: FreeRadius users mailing list
Subject: Re: Duplicate IPs for Radius Clients with different secrets - allow
any client IP?
Eric Geier wrote:
Thank you for the info, David.
I think the following is an example of how this could work, which I googled:
client 212.37.57.2 {
secret = "%{sql:SELECT secret FROM accesspoints WHERE id =
%{raw:NAS-Identifier}}"
shortname = "just one of our example networks"
}
I'm thinking I could even just have one client entry like this...but set to
allow any IP. Is that possible?
clients.conf
client 0.0.0.0/0, shared secret = "open" ...
Why bother doing the SQL stuff, if you're going to let anyone use your
service anyway? Think about it ... clients.conf controls which APs/NAS' are
allowed to send you stuff to process. If your intention is to open it for
anyone that can reach your service, why then do the above? The end clients
are not what will send you requests, the APs are ....... I think you've
missed the point of the IP addressing for the end clients versus how you
wish to handle the APs ...
And for a service which allows or denies access for your internal users, I
wouldn't personally allow anyone from the outside world even get close to
that service.
You want to understand basic networking and security considerations before
seriously contemplating this.
Start looking at getting a VPN solution between your offices, or simply just
put one FreeRADIUS box in each office.
Continue on this path and fairly soon someone will have found your wireless
setup and the service which allows clients to authenticate sitting out in
the open. You might as well not have anything in place at all then...
//anders
This would prevent me from having to track Internet IP changes among the
multiple offices and locations where these separate WPA-Enterprise networks
will be located at.
Thanks! Eric
-----Original Message-----
From: freeradius-users-bounces+me=egeier.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier.com@lists.freeradius.org] On
Behalf Of wlanmac
Sent: Wednesday, December 17, 2008 8:42 AM
To: freeradius-users(a)lists.freeradius.org
Subject: Re: Duplicate IPs for Radius Clients with different secrets
It's easy! Just google for rlm_raw and use it with a SQL xlat rule to
pick out the shared secret from a database. I have been doing this way
for years... in FreeRADIUS v1 and v2.
David
coova.org
Date: Wed, 17 Dec 2008 10:16:17 +0200
From: Johan Meiring <jmeiring(a)pcservices.co.za>
Subject: Re: Duplicate IPs for Radius Clients with different secrets
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <4948B551.6030406(a)pcservices.co.za>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Eric Geier wrote:
If I understand what you said, I would only need one IP entry (the
Internet
IP) in the config file for each location, right?
Most of these locations will be using dynamic Internet IPs; I'm not
sure
how'd I keep the config updated. Plus this would make each
location/network
use the same shared secret among all their APs, which I want to
prevent.
Alan,
The Nas-Identifier being available to dynamic clients will also solve
Eric's problem.
Any update on when it might be available?
Thanks!
No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.19/1853 - Release Date: 12/17/2008
8:31 AM
3
2