Enable ldap in inner-tunnel virtual server. Radtest works because this is enabled in default virtual server. It looks like auto headers are not enabled in pap module. It defaults to crypt instead of detecting md5 header. Ivan Kalik Kalik Informatike ISP Dana 8/10/2008, "alois blasbichler" <alois.blasbichler@sb-brixen.it> piše:
Hello
Thank you for the replay.
I maked another test with user test and password test with radtest and then from a windowsxp-client (should be pap)
with radtest test test 127.0.0.1 12 password - all works fine - i see in the log : -------------------------------------------------------------------- rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "test" with password "test" [ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it rlm_ldap: (re)connect to mir:389, authentication 1 rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389 rlm_ldap: Bind was successful [ldap] user test authenticated succesfully ++[ldap] returns ok Login OK: [test] (from client localhost port 12) ------------------------------------------------
and here the full log for my windows-client accessing via a cisco wireless switch (maybe he gives me the problems) :
Maybe sombody see where i have the problems
By luis --------------------------------------------- rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020f00090174657374 Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry test at line 7 ++[files] returns ok [ldap] performing user authorization for test WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mir:389, authentication 0 rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389 rlm_ldap: waiting for bind result ... request done: ld 0x81a9290 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test) request done: ld 0x81a9290 msgid 2 [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing MD5-Password from base64 encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 77 to 10.53.240.10 port 32769 EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298d70aca02ffd6ac34c7adfdb Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=78, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021000060315 State = 0x8d60a8298d70aca02ffd6ac34c7adfdb Message-Authenticator = 0x3685ed0ea3c294147b81919044eb0a64 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated request done: ld 0x81a0bf8 msgid 3 ++[unix] returns updated [files] users: Matched entry test at line 7 ++[files] returns ok [ldap] performing user authorization for test WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test) request done: ld 0x81a9290 msgid 3 [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing MD5-Password from base64 encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 78 to 10.53.240.10 port 32769 EAP-Message = 0x011100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298c71bda02ffd6ac34c7adfdb Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=79, length=239 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0211003c158000000032160301002d010000290301647180947385016afade07e1c1aee4025498d5914d18863a7986f27daeb480ed000002000a0100 State = 0x8d60a8298c71bda02ffd6ac34c7adfdb Message-Authenticator = 0xc3b4f30b08d8182f2f8e96bb9d1c3481 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 60 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 50 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 002d], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 084e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 79 to 10.53.240.10 port 32769 EAP-Message = 0x0112040015c00000088b160301002a02000026030148ec7047e41faf0bd701480470907705dfc6ae3ab32978b9341476c460de398a00000a00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3038313030373036303033345a170d3039313030373036303033345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0c235d2108f4fdfc41f3e33ca571c24bf08d42565b74d9f4c4b5288dec81daacc4861417676b11a1c15ca654557d37870a4b1deab4c7110a56d8dcfd655 EAP-Message = 0x67910846259d83b55ae79ae7b6e9b3957abf420662abc13c2e27fcf5bc6d6280d94e9032e5e2ada4692ec7780611ae108e2244f0f1e0d31ba4480be0e1bb7cfae51f36216bf6dc2c1c3583597e7add4d96f7d649f5357350db07a98e75ea3623849d6b8e4932458a35e9d2b9f174f75fc9273523c7c719460a33fba0aa07848ec167ba9ebdfdb4657bba38a013810d3cc9707d116ee20129a141d9350984ab5f07989f400602ce01d747197f6bb8cb716b8c8361215a7e14d6d8185358e4d831a53b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007224e3dafb01754f74 EAP-Message = 0x17687e3cbfc9aae1fd81cef616ed7cdef40e347979775e32610fd34c40d53dc3bed22ee8a21973f0cfe96c0d4dd9ad2aded48ce6cd8f458ac5fb7ecac58acd7327458f706ae8dae101999c6a0e2ce8e8e5057f1994acd5e23aeedf818c65ad0ad3b82340540fd1782b89fb1c7104795f3a45f883609c383ca7290c2259e9ba1324e95733def13dd773ca0c599e7387dfd05fd9c29d204da8421a85d874bc6856cfa5e16bc4df298e1983b454ff461aa66308d427a859c79ef65075506390122cc4b062ddb0839ddad8fe2f439efc581deb4c2886106665ba3fb2bb26cd51dc339b3ec7a2e5fa069a6b6219e4cf560ffc35ac1f2eeb6ec800049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298f72bda02ffd6ac34c7adfdb Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=80, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021200061500 State = 0x8d60a8298f72bda02ffd6ac34c7adfdb Message-Authenticator = 0x648a50991483b7be0640ef5cd06a5b31 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 80 to 10.53.240.10 port 32769 EAP-Message = 0x0113040015c00000088b00300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313030373036303033335a170d3038313130363036303033335a308193310b3009060355040613024652310f300d06035504081306526164697573311230100603550407130953 EAP-Message = 0x6f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b800fce416ece3a7add843bb04c2b40edc73f80788896ad2c56ec4d7e8fb68d48d9b17403ad387f62f4224fd397d0c5d873c62c17844bab1fcd212a19e0957f8fc01576753a15d663b35881d9c8b7f599d4ea7dfe2716e3b200965f400bfb62226a5d956cc3b723b90dc2651c41c95d62b37a5 EAP-Message = 0xc7e3ad95673716d18cf1f843d72391a95ab0208fe0dc76c05b198a2095e3830c5dae1721e3720b0ccdb9547f0b69b6cacdfd9188726b47a52923c055d4e636b87f3cd00bfc454f9118b3eec168db32792d1a3e336189ccc9e0a014a83ca48362ed467ad449d0237448e241616e057cd92cf0c0f8a9e34e3e48d001ce6594068b0081365799a1e7be78198ed0870203010001a381f33081f0301d0603551d0e041604148cc4eb7eea1f20a3d8789e038e8e8304b095a1d03081c00603551d230481b83081b580148cc4eb7eea1f20a3d8789e038e8e8304b095a1d0a18199a48196308193310b3009060355040613024652310f300d0603550408130652 EAP-Message = 0x61646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010090b34a955dea80cb5e531f57f20e4ce19c7eda9989ca4b9f77016d632bc0787956ff2874084c907df5ccc3871e3c78375c9ca6778ff5aa72b1aaeb2304c9553ee3fdc7f0dbe0932d6356536704353ce7a8f681caef5cd2c85aa5d3c5a9c4 EAP-Message = 0xb9b5d21e94fda70e48d37a63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298e73bda02ffd6ac34c7adfdb Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=81, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021300061500 State = 0x8d60a8298e73bda02ffd6ac34c7adfdb Message-Authenticator = 0x04c7c433cde93f5907549411693be5a0 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 81 to 10.53.240.10 port 32769 EAP-Message = 0x011400a915800000088bbfc7693750c4129758a5306294f4463759b16f7bae93c2731e05abeaeab06fdad57189c07a6ef75b3433076e2d165ed9557e2914dcaa70e04f450b72739246120f5b130ecc138cd6668d0998fbd9e41474a7212981b276d535e29cc76ae5f3065512d3093ac1fece71dc9838641d13969a7ad543768d855c344af83312a85a6fce6b004b9d9442db3975081a0e6f575b826bcbec811916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298974bda02ffd6ac34c7adfdb Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=82, length=509 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0214014815800000013e1603010106100001020100186af5eadf773c69da0fb6252f6723fe51cad32b5d9254cef43d20a56985b465203d58645ffb504b899127f37cce6891e3b0eab53bb85400505597999b959fcf422b9b051eedb30faea2a88ec2dddc81bab5f6fda1fe676acc140aeddec921f912ca405dbfb67f9ba8c5050658efa031afa855f3ebbccf22692c6ed3df9ec1c0f153150d96202d2ac4eb8d3e5d8bef436cd9839924fd6f0bde64439b2c63e95431e1f84ce1aea42fb6e170cd1f09a5a157cc5fc9e9b8141feb304de77807d3886745b979b8ef9dc7bbbf77c4c9175f4cffca780f4016427a2e151309aed4ccfa822175f8b8121b7d EAP-Message = 0x4636ce00734021c727568b0b121abd80db2d43786737ebb014030100010116030100287be243965ffa1e3388fda7d72ef09595602e801d906ca2b8adaf5031174d7d0e4ea112fa8262d12d State = 0x8d60a8298974bda02ffd6ac34c7adfdb Message-Authenticator = 0x47bfef45ee4572e17f2bbd52e3dcca49 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:12 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 318 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 82 to 10.53.240.10 port 32769 EAP-Message = 0x0115003d1580000000331403010001011603010028b3f16a3201dd66a8d32b026ee5919178a05011a7df4888d38c2f49ad7a07a3d25ed4a36f3da49695 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298875bda02ffd6ac34c7adfdb Finished request 5. Going to the next request Waking up in 4.0 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=83, length=242 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0215003f1580000000351703010030c9a8dc64815c9dd7f626ba6c6692826ad4cbf8dea0f267d6825fb59b80d67290060d7ce1b062da06c4a255cbc2c26652 State = 0x8d60a8298875bda02ffd6ac34c7adfdb Message-Authenticator = 0xdf9441685dd3878652094fdb63819741 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:12 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 21 length 63 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 53 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test" User-Password = "test" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test" User-Password = "test" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop request done: ld 0x81a0bf8 msgid 4 ++[unix] returns updated [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 7 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "test" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client ciscosw port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client ciscosw port 29 cli 00-40-96-B4-5B-0F) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 83 to 10.53.240.10 port 32769 EAP-Message = 0x04150004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.0 seconds. Cleaning up request 0 ID 77 with timestamp +24 Cleaning up request 1 ID 78 with timestamp +24 Cleaning up request 2 ID 79 with timestamp +24 Cleaning up request 3 ID 80 with timestamp +24 Cleaning up request 4 ID 81 with timestamp +24 Waking up in 0.8 seconds. Cleaning up request 5 ID 82 with timestamp +25 Waking up in 1.0 seconds. Cleaning up request 6 ID 83 with timestamp +25 Ready to process requests. ---------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html