Greetings everyone, I'm a brand new member and am hoping to find some help with a bizarre problem. First, I'm not an expert when it comes to RADIUS. I work for a school district and I inherited this setup from someone else who left the district over a year ago. I have a fair understanding of how certificates work, but I'm not an expert in that area either. Here is some background on our setup: Network: Mixture of Windows 2000/2003 and Novell NetWare 6.5 servers. FreeRADIUS v1.1.0 is running on SuSE Linux Enterprise Server 10 SP2. Wireless infrastructure: We use Aruba wireless technology, with an Aruba 2400 controller at our district office and 3 school sites (with more to come). FreeRADIUS is configured to use LDAP authentication to eDirectory, and with EAP-TLS for the wireless. Workstations use PEAP and are configured not to validate server certificates. Wireless authentication happens by first logging in to a workstation and having Windows then pass the credentials on to RADIUS and authenticating to eDirectory. I will paste relevant portions of the debug output from "radiusd -X" below. Here is a description of the bizarre problem: I have 2 user accounts; let's call them UserA and UserB. I have 2 laptops; let's call them Laptop1 and Laptop2. Laptop1 (my laptop) is a Gateway M465 with an Intel Pro/Wireless 3945ABG card. Laptop2 (one of my user's laptops) is a Dell Latitude XT with Dell Wireless 1490 Dual Band WLAN mini-card. Both are Mini-PCI cards. UserA (me) can successfully authenticate on both laptops. UserB can successfully authenticate on Laptop1, but not on Laptop2. The fact that UserA can successfully authenticate on both tells me it's not a laptop configuration issue, and the fact that UserB can successfully authenticate on Laptop1 tell me it's not a user account issue. Also, using NTRadPing (or radtest on the RADIUS server itself), I can successfully authenticate as both users, with or without the Windows DOMAIN\ in front. That leaves me with nothing to go on. I will paste the relevant sections of the debug outputs from each user on each laptop and point out where the errors are. I have even gone so far as to set up FreeRADIUS from scratch on a test Unix machine, with no luck. In the debug output I'm pasting below, the only difference I can see between Laptop1 and Laptop2 is that Laptop2 is passing credentials with the DOMAIN\ in front, where Laptop1 is not. That in itself is odd, because both laptops are joined to our Windows domain and both laptops' users log in to the domain. But in any case, that part doesn't seem to be the problem, because FreeRADIUS is stripping the DOMAIN\ part off when it passes the authentication request on to eDirectory. I even got a 3rd user and laptop in for testing, and the results were the same as with Laptop2 - UserA can authenticate successfully on Laptop3, but UserB and UserC cannot authenticate on Laptop3. The other strange thing is that if, on the XP client, I drill down in to the properties for the wireless profile and un-check the "Automatically use my Windows logon name and password" option, Windows will prompt me for credentials, and then they will be accepted! Software-wise, the only difference between Laptop1 and Laptop2 and 3 is that Laptop1 has Service Pack 2 for XP, and the other two have SP3. But that still doesn't explain the fact that UserA can successfully authenticate on all 3 laptops. Any help will be greatly appreciated. Debug output from UserA authenticating on Laptop1: rad_recv: Access-Request packet from host 20.1.3.140:32958, id=219, length=236 User-Name = "UserA" NAS-IP-Address = 20.1.3.140 NAS-Port = 1 NAS-Identifier = "20.1.3.140" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0018DE9626C1" Called-Station-Id = "000B8640C280" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020a00261900170301001b14ecbd30fd1fe2c1fd3a31b577ef8f94002d7c99243e71e0 e82f99 State = 0x3167f4c59e25cac9b6ac583bfa7fb3d0 Aruba-Essid-Name = "STAFF" Aruba-Location-Id = "TestAP" Message-Authenticator = 0xa1cbcfee4810f80e40407ef46b9d5d39 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: 'UserA' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'UserA' modcall[authorize]: module "copy.user-name" returns ok for request 8 radius_xlat: '^(host/.*)' rlm_attr_rewrite: No match found for attribute Stripped-User-Name with value 'UserA' modcall[authorize]: module "add-dollar-sign" returns ok for request 8 radius_xlat: '^(.*[\/]+)' rlm_attr_rewrite: No match found for attribute Stripped-User-Name with value 'UserA' modcall[authorize]: module "strip-realm-name" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "UserA", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 7 modcall[authorize]: module "files" returns ok for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for UserA radius_xlat: '(cn=UserA)' radius_xlat: 't=pusd' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=pusd, with filter (cn=UserA) rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user UserA authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 219 to 20.1.3.140 port 32958 MS-MPPE-Recv-Key = 0xacee5bfc2803579cd0ff5f2b474927b528067e3bb6acb22a5439eaff089f62cb MS-MPPE-Send-Key = 0xc74619156767ed997ea2729c106a9339a89b919857e4bf804d0aeb8d3f7c8455 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "UserA" Finished request 8 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 210 with timestamp 48481cbd Cleaning up request 1 ID 212 with timestamp 48481cbd Cleaning up request 2 ID 213 with timestamp 48481cbd Cleaning up request 3 ID 214 with timestamp 48481cbd Cleaning up request 4 ID 215 with timestamp 48481cbd Cleaning up request 7 ID 216 with timestamp 48481cbd Cleaning up request 5 ID 217 with timestamp 48481cbd Cleaning up request 6 ID 218 with timestamp 48481cbd Cleaning up request 8 ID 219 with timestamp 48481cbd Nothing to do. Sleeping until we see a request. Debug output from UserB authenticating on Laptop1 looks the same, so I will skip posting it due to message size limits. Debug output from UserA authenticating on Laptop2 is the same as on Laptop1, so I won't paste it here either. Debug output from UserB authenticating on Laptop2: rad_recv: Access-Request packet from host 20.1.3.140:32958, id=243, length=307 User-Name = "DOMAIN\\UserB" NAS-IP-Address = 20.1.3.140 NAS-Port = 2 NAS-Identifier = "20.1.3.140" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "001FE105CE94" Called-Station-Id = "000B8640C280" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700631900170301005829c9dcbbb4696aec2f16239d4758e609a7c5e8134ec07054 e82abd940b225525b8c4af125b0fd0e3075ea216e190fe99ea4b1ab41b495eb6302d1ec3 093d645d827da48ec5b4edba302bb21c8e6f17721a3aab9d313924ca State = 0x6f3c13804ea9765ef5dfa905d68a4808 Aruba-Essid-Name = "STAFF" Aruba-Location-Id = "TestAP" Message-Authenticator = 0xaabdf4b276bf583e2e7373c80b31cf41 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: 'DOMAIN\\UserB' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "copy.user-name" returns ok for request 6 radius_xlat: '^(host/.*)' rlm_attr_rewrite: No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "add-dollar-sign" returns ok for request 6 radius_xlat: '^(.*[\/]+)' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB' modcall[authorize]: module "strip-realm-name" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 99 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 7 modcall[authorize]: module "files" returns ok for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for DOMAIN\UserB radius_xlat: '(cn=UserB)' radius_xlat: 't=pusd' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=pusd, with filter (cn=UserB) rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user DOMAIN\UserB authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to DOMAIN\UserB PEAP: Adding old state with 89 6c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: 'DOMAIN\\UserB' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "copy.user-name" returns ok for request 6 radius_xlat: '^(host/.*)' rlm_attr_rewrite: No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "add-dollar-sign" returns ok for request 6 radius_xlat: '^(.*[\/]+)' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB' modcall[authorize]: module "strip-realm-name" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 76 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 7 modcall[authorize]: module "files" returns ok for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for DOMAIN\UserB radius_xlat: '(cn=UserB)' radius_xlat: 't=pusd' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=pusd, with filter (cn=UserB) rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user DOMAIN\UserB authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 (This appears to be where the problem is) rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 243 to 20.1.3.140 port 32958 EAP-Message = 0x010800261900170301001b39a19f38fd5c0b590dbba6327b62b4410446d5c8341d1831 b1dea1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7421d199fd849fb3bbcd35bd05c281b1 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 20.1.3.140:32958, id=244, length=246 User-Name = "DOMAIN\\UserB" NAS-IP-Address = 20.1.3.140 NAS-Port = 2 NAS-Identifier = "20.1.3.140" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "001FE105CE94" Called-Station-Id = "000B8640C280" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020800261900170301001bf3eab0cca7796ad13f102214334fada4a48b4ea56c555b31 27decb State = 0x7421d199fd849fb3bbcd35bd05c281b1 Aruba-Essid-Name = "STAFF" Aruba-Location-Id = "TestAP" Message-Authenticator = 0x2458e54cc6a52e081b42407e963f6571 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: 'DOMAIN\\UserB' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "copy.user-name" returns ok for request 7 radius_xlat: '^(host/.*)' rlm_attr_rewrite: No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB' modcall[authorize]: module "add-dollar-sign" returns ok for request 7 radius_xlat: '^(.*[\/]+)' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB' modcall[authorize]: module "strip-realm-name" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 7 modcall[authorize]: module "files" returns ok for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for DOMAIN\UserB radius_xlat: '(cn=UserB)' radius_xlat: 't=pusd' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=pusd, with filter (cn=UserB) rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user DOMAIN\UserB authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. (Another problem here) rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 20.1.3.140:32958, id=244, length=246 Sending Access-Reject of id 244 to 20.1.3.140 port 32958 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 237 with timestamp 48481e9b Cleaning up request 1 ID 238 with timestamp 48481e9b Cleaning up request 2 ID 239 with timestamp 48481e9b Cleaning up request 5 ID 240 with timestamp 48481e9b Cleaning up request 3 ID 241 with timestamp 48481e9b Cleaning up request 4 ID 242 with timestamp 48481e9b Cleaning up request 6 ID 243 with timestamp 48481e9b Cleaning up request 7 ID 244 with timestamp 48481e9b Nothing to do. Sleeping until we see a request. Bryce Newall Systems Administrator Poway Unified School District (858) 679-2576 UserA@powayusd.com <mailto:bnewall@powayusd.com>