Ok, I minted the Certificates/Keys with a CA running on a Windows 2003 server and was able to get them into the PEM format. The EAP.CONF was modified accordingly and RADIUSD is happy. I am still able to authenticate with no problems with 802.1x PEAP (EAP-MSCHAP V2) when using Cisco's ADU configuration tool. Still have problems when using the Windows XP supplicant. In trying to authenticate with the Windows XP supplicant, I can see from the logs that it's changing the password's 1st character to an "a". If you look at the log data below, you'll see that the user account "UOHI-40615" being used to authenticate is failing because the password sent is "aassword2" instead of "password2". Does anyone know how to fix this problem? I'm so close, please help me find the needle in the haystack. Thanks, Marc *---------------------------------Log data, Win XP authentication still failing*--------------------------------- ohisles1:/ # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "ohiapp2.ottawaheart.ca" ldap: port = 636 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=radiusadmin,o=ohico" ldap: tls_mode = yes ldap: start_tls = no ldap: tls_cacertfile = "/etc/raddb/certs/ohicoca.b64" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "demand" ldap: password = "password1" ldap: basedn = "o=OHICO" ldap: filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "nspmPassword" ldap: access_attr = "dialupAccess" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 10 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x8151a80 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/ohisles1-server2.pem" tls: certificate_file = "/etc/raddb/certs/ohisles1-server2.pem" tls: CA_file = "/etc/raddb/certs/uohi-ca-root.pem" tls: private_key_password = "snakepie" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.242.4:32768, id=101, length=184 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x0208000f01756f68692d3430363135 Message-Authenticator = 0xb6e0c23865931345f4e69bb76e8c26fd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ohiapp2.ottawaheart.ca:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ohicoca.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: bind as cn=radiusadmin,o=ohico/password1 to ohiapp2.ottawaheart.ca:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 8 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 101 to 192.168.242.4:32768 EAP-Message = 0x010900061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37e3d22fde30998bea28f6180cfa1cba Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=102, length=267 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x0209005019800000004616030100410100003d03014630b80b03e2cb98be0b94df02381297df862f15c0536d9fdc1ac51c1d7e1ce300001600040005000a000900640062000300060013001200630100 State = 0x37e3d22fde30998bea28f6180cfa1cba Message-Authenticator = 0x7e4294278950604acaba806c812ef18f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 9 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a5e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 102 to 192.168.242.4:32768 EAP-Message = 0x010a040a19c000000abb160301004a02000046030146300f87e306bf349b58586ed302326513983358cca1bda869c45ba355f28741204e798eb591510e8b2da6aea2f3ab2bddb1b8d205fce25e392ecb300bf6adc76a0004001603010a5e0b000a5a000a570005a4308205a030820488a003020102020a17bfc68400000000000d300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3037303432363031323435375a EAP-Message = 0x170d3039303432363031333435375a307f310b30090603550406130243413110300e060355040813074f6e746172696f310f300d060355040713064f7474617761310d300b060355040a1304554f484931193017060355040313106f6869736c6573312d736572766572323123302106092a864886f70d010901161461646d696e406f747461776168656172742e636130819f300d06092a864886f70d010101050003818d0030818902818100e67e413047fdab003b911b759fe8a33bb2f6174693099a6bdc691c62534be23884f611fec8127beac5e11db08ad73ebae7a276412f46dd3024f7b3a55a02e4262018aa20e8de748568c937d36a3d7642 EAP-Message = 0x3edac4ee4faf9798013f9bd15103995f520f5601653763e73bbf8af7f3323167f150c816d26da17d498136f76e4306510203010001a38202c5308202c1300b0603551d0f040403020186301d0603551d0e0416041435b6daa9fcc024edaf8214637106e303f21e98d2301906092b0601040182371402040c1e0a00530075006200430041301f0603551d23041830168014f2e6025e7d0e816e7f54b3c650fd4d7bca8a5ef2308201120603551d1f048201093082010530820101a081fea081fb8681bb6c6461703a2f2f2f434e3d756f68692d63612c434e3d6f686961707033302c434e3d4344502c434e3d5075626c69632532304b65792532305365 EAP-Message = 0x7276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f756f68692d63612e63726c3082012e06082b06010505070101048201203082011c3081b206082b060105050730028681a56c6461703a2f2f2f434e3d756f68692d63612c434e3d414941 EAP-Message = 0x2c434e3d5075626c69632532304b6579253230536572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7cbac86eb7c85c6bf2528a08d5c7f10b Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=103, length=193 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x020a00061900 State = 0x7cbac86eb7c85c6bf2528a08d5c7f10b Message-Authenticator = 0x53331bf0647a5f9e59c34847a6f2dc85 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_eap: EAP packet type response id 10 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 103 to 192.168.242.4:32768 EAP-Message = 0x010b0406194076696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479306506082b060105050730028659687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c5f756f68692d63612e637274300f0603551d130101ff040530030101ff300d06092a864886f7 EAP-Message = 0x0d010105050003820101006e27e9b908957952b3bb8185d5b67ad46fa97c451ecf8b43b492d9535ce20ae0e166b5730e1bc1821fc4e789245ffc1278333884f989dc483c6667a941491ab55bbfe0cfbd80b503eb7e150c7acaa409835e9c3c02d9b8a718cf7f620911503ebd91da8d437d9feb730fb3bf4ad816ddba07476ad4d08d3441889c1d5d38549a039fd2b8aab0ca62b0c0e6429d916d077a9c752538ab700adb66fa5504b526b5bd77a2fbb6c8223fb4bfae29b4629834cff7840681cf5437e5d918c155fe0810f9bdaaa702de7a835266d7d391cea18242b1fd21e071f68a483a3969306cfccfa0bcf056a76993b4cca02119a15494990b22 EAP-Message = 0x47dd080eb5d480a5c2371161d3540004ad308204a930820391a003020102021015846cfa42f5b2904f917bb3c3381bc4300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3036313031383132333134325a170d3131313031383132343033395a305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f7474 EAP-Message = 0x61776168656172743110300e06035504031307756f68692d636130820122300d06092a864886f70d01010105000382010f003082010a02820101009d08ba6ca5266c5161bff2aba9fea2dfc2f20347f7de7f21c9886b4cd7a1a189159fa78815bbd73b43e1bf73f4af9701ecd685f783c48b6db282334729fba65a9bcea13348a832fdd9f743540dbf469fa33ded81e81d9f8c2804615338d1b58e2a08489ae9e2e06701acf2e0a7b2f80e8db33e66909c635a8394d65a38029534e4bf3b354a3c0b0c59b6e632403f60b7550bf8f2ba89ad153b180c1eb4dc7af81353be9bcc46b33081ad7e30c49b1723d49a693a1b7eb0d21067fecbf0d9605a534e EAP-Message = 0xad434135e560d1893c6fe98870d5e738586b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe328bf6ca4456897ba0520c82cb2e130 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=104, length=193 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x020b00061900 State = 0xe328bf6ca4456897ba0520c82cb2e130 Message-Authenticator = 0xaf03a722231cbf43dad00f06deb21764 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 rlm_eap: EAP packet type response id 11 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 104 to 192.168.242.4:32768 EAP-Message = 0x010c02c1190014e159b3ed3fb3f26a4fcd43ed310b6f180cf159fb0906753cf0d48b4a76da4de0cdc2e60ed27477e175827f0203010001a382016930820165300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414f2e6025e7d0e816e7f54b3c650fd4d7bca8a5ef2308201120603551d1f048201093082010530820101a081fea081fb8681bb6c6461703a2f2f2f434e3d756f68692d63612c434e3d6f686961707033302c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f74 EAP-Message = 0x7461776168656172742c44433d63612c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f756f68692d63612e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010023dfb3904e1074c246fbc07768eca45df19cb8ad335cbf200d9c09522d29b1a7789d29f2dc5b679c458b05f80fee7919925e50522b9a13f4f72a088dc9f07531d760 EAP-Message = 0xfb234fe068f89dcc55b1642736af943a02e2a8bd977736b0cb0276351d5050c9f9728e13dd077d95642f4d3a53775a7526c5d52db54bc78745d693d4f6b3ed3fca557814ed7b88cd5246926152ce560d0e1cb6870256a0e9f04f574ac426e1f9b2e4bde527b9be683acaee9aa90766a60226065015dd876f17096ec0c2f0895af9208207742d9760c2195c8044511e279f772f9cda8300facba05aab206f608931126fa901aef3d1e6fbe3658c1dd407b01430e259a178311890491a788016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3e66b22c771fe106639f5ee4adffa376 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=105, length=379 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x020c00c01980000000b61603010086100000820080a35912c21690119d0c47ec8637c615fd6dd85d88ccf7170cb9e5757bd70cce6391b0d24b46ced984fbe36cd7270f5246a3f4bfafa0b6998479bdd81e9c6d40d1f58031b73596bb78e43382c003eacf1848e26e88ee89dd67411211f4d55046981216f0db5e96697c2dd2927650b1c7d91d7c17fbfe772f76cd6b0dafa1da4fe6140301000101160301002019b6c288a231ecd2cb10237f9569dbaa21b612daaf50526454b1faa2b21ebd08 State = 0x3e66b22c771fe106639f5ee4adffa376 Message-Authenticator = 0x49d70b631f0d0a70ee21563438eb08b8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 rlm_eap: EAP packet type response id 12 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 105 to 192.168.242.4:32768 EAP-Message = 0x010d00311900140301000101160301002052299a655e2d3e68952b7af365e12a37f9a8c5f4bcd4eeef8eb13994bb68480f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf12339622fe74707097ca72a3b36fd6a Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=106, length=220 User-Name = "uohi-40615" Calling-Station-Id = "00-40-96-B1-43-19" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x020d00211980000000171503010012b39e80d3c2a720105b63569561d503400461 State = 0xf12339622fe74707097ca72a3b36fd6a Message-Authenticator = 0xf86ea187cb783cc4508eb288226b22ee Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "uohi-40615", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for uohi-40615 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615)) rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user uohi-40615 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 rlm_eap: EAP packet type response id 13 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: group authenticate returns invalid for request 5 auth: Failed to validate the user. Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 5 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ohiapp2.ottawaheart.ca:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ohicoca.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: bind as cn=UOHI-40615,o=OHICO/aassword2 to ohiapp2.ottawaheart.ca:636 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: eDirectory account policy check failed. rlm_ldap: NDS error: failed authentication (-669) rlm_ldap: ldap_release_conn: Release Id: 0 modcall[post-auth]: module "ldap" returns reject for request 5 modcall: group Post-Auth-Type returns reject for request 5 Delaying request 5 for 1 seconds Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=106, length=220 Sending Access-Reject of id 106 to 192.168.242.4:32768 EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 Reply-Message = "NDS error: failed authentication (-669)" --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 101 with timestamp 46300f87 Cleaning up request 1 ID 102 with timestamp 46300f87 Cleaning up request 2 ID 103 with timestamp 46300f87 Cleaning up request 3 ID 104 with timestamp 46300f87 Cleaning up request 4 ID 105 with timestamp 46300f87 Cleaning up request 5 ID 106 with timestamp 46300f87 Nothing to do. Sleeping until we see a request.