Ok, I minted the Certificates/Keys with a CA running on a Windows 2003 server and was able to get them into the PEM format. The EAP.CONF was modified accordingly and RADIUSD is happy. I am still able to authenticate with no problems with 802.1x PEAP (EAP-MSCHAP V2) when using Cisco's ADU configuration tool. Still have problems when using the Windows XP supplicant.
In trying to authenticate with the Windows XP supplicant, I can see from the logs that it's changing the password's 1st character to an "a". If you look at the log data below, you'll see that the user account "UOHI-40615" being used to authenticate is failing because the password sent is "aassword2" instead of "password2".
I'm so close, please help me find the needle in the haystack.
—---------------------------------Log data, Win XP authentication still failing—---------------------------------
ohisles1:/ # radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "ohiapp2.ottawaheart.ca"
ldap: port = 636
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=radiusadmin,o=ohico"
ldap: tls_mode = yes
ldap: start_tls = no
ldap: tls_cacertfile = "/etc/raddb/certs/ohicoca.b64"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "demand"
ldap: password = "password1"
ldap: basedn = "o=OHICO"
ldap: filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "nspmPassword"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 10
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8151a80
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/ohisles1-server2.pem"
tls: certificate_file = "/etc/raddb/certs/ohisles1-server2.pem"
tls: CA_file = "/etc/raddb/certs/uohi-ca-root.pem"
tls: private_key_password = "snakepie"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=101, length=184
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x0208000f01756f68692d3430363135
Message-Authenticator = 0xb6e0c23865931345f4e69bb76e8c26fd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ohiapp2.ottawaheart.ca:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ohicoca.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,o=ohico/password1 to ohiapp2.ottawaheart.ca:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_eap: EAP packet type response id 8 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 101 to 192.168.242.4:32768
EAP-Message = 0x010900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37e3d22fde30998bea28f6180cfa1cba
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=102, length=267
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x0209005019800000004616030100410100003d03014630b80b03e2cb98be0b94df02381297df862f15c0536d9fdc1ac51c1d7e1ce300001600040005000a000900640062000300060013001200630100
State = 0x37e3d22fde30998bea28f6180cfa1cba
Message-Authenticator = 0x7e4294278950604acaba806c812ef18f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a5e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 102 to 192.168.242.4:32768
EAP-Message = 0x010a040a19c000000abb160301004a02000046030146300f87e306bf349b58586ed302326513983358cca1bda869c45ba355f28741204e798eb591510e8b2da6aea2f3ab2bddb1b8d205fce25e392ecb300bf6adc76a0004001603010a5e0b000a5a000a570005a4308205a030820488a003020102020a17bfc68400000000000d300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3037303432363031323435375a
EAP-Message = 0x170d3039303432363031333435375a307f310b30090603550406130243413110300e060355040813074f6e746172696f310f300d060355040713064f7474617761310d300b060355040a1304554f484931193017060355040313106f6869736c6573312d736572766572323123302106092a864886f70d010901161461646d696e406f747461776168656172742e636130819f300d06092a864886f70d010101050003818d0030818902818100e67e413047fdab003b911b759fe8a33bb2f6174693099a6bdc691c62534be23884f611fec8127beac5e11db08ad73ebae7a276412f46dd3024f7b3a55a02e4262018aa20e8de748568c937d36a3d7642
EAP-Message = 0x3edac4ee4faf9798013f9bd15103995f520f5601653763e73bbf8af7f3323167f150c816d26da17d498136f76e4306510203010001a38202c5308202c1300b0603551d0f040403020186301d0603551d0e0416041435b6daa9fcc024edaf8214637106e303f21e98d2301906092b0601040182371402040c1e0a00530075006200430041301f0603551d23041830168014f2e6025e7d0e816e7f54b3c650fd4d7bca8a5ef2308201120603551d1f048201093082010530820101a081fea081fb8681bb6c6461703a2f2f2f434e3d756f68692d63612c434e3d6f686961707033302c434e3d4344502c434e3d5075626c69632532304b65792532305365
EAP-Message = 0x7276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f756f68692d63612e63726c3082012e06082b06010505070101048201203082011c3081b206082b060105050730028681a56c6461703a2f2f2f434e3d756f68692d63612c434e3d414941
EAP-Message = 0x2c434e3d5075626c69632532304b6579253230536572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7cbac86eb7c85c6bf2528a08d5c7f10b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=103, length=193
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x020a00061900
State = 0x7cbac86eb7c85c6bf2528a08d5c7f10b
Message-Authenticator = 0x53331bf0647a5f9e59c34847a6f2dc85
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
rlm_eap: EAP packet type response id 10 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 103 to 192.168.242.4:32768
EAP-Message = 0x010b0406194076696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479306506082b060105050730028659687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c5f756f68692d63612e637274300f0603551d130101ff040530030101ff300d06092a864886f7
EAP-Message = 0x0d010105050003820101006e27e9b908957952b3bb8185d5b67ad46fa97c451ecf8b43b492d9535ce20ae0e166b5730e1bc1821fc4e789245ffc1278333884f989dc483c6667a941491ab55bbfe0cfbd80b503eb7e150c7acaa409835e9c3c02d9b8a718cf7f620911503ebd91da8d437d9feb730fb3bf4ad816ddba07476ad4d08d3441889c1d5d38549a039fd2b8aab0ca62b0c0e6429d916d077a9c752538ab700adb66fa5504b526b5bd77a2fbb6c8223fb4bfae29b4629834cff7840681cf5437e5d918c155fe0810f9bdaaa702de7a835266d7d391cea18242b1fd21e071f68a483a3969306cfccfa0bcf056a76993b4cca02119a15494990b22
EAP-Message = 0x47dd080eb5d480a5c2371161d3540004ad308204a930820391a003020102021015846cfa42f5b2904f917bb3c3381bc4300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3036313031383132333134325a170d3131313031383132343033395a305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f7474
EAP-Message = 0x61776168656172743110300e06035504031307756f68692d636130820122300d06092a864886f70d01010105000382010f003082010a02820101009d08ba6ca5266c5161bff2aba9fea2dfc2f20347f7de7f21c9886b4cd7a1a189159fa78815bbd73b43e1bf73f4af9701ecd685f783c48b6db282334729fba65a9bcea13348a832fdd9f743540dbf469fa33ded81e81d9f8c2804615338d1b58e2a08489ae9e2e06701acf2e0a7b2f80e8db33e66909c635a8394d65a38029534e4bf3b354a3c0b0c59b6e632403f60b7550bf8f2ba89ad153b180c1eb4dc7af81353be9bcc46b33081ad7e30c49b1723d49a693a1b7eb0d21067fecbf0d9605a534e
EAP-Message = 0xad434135e560d1893c6fe98870d5e738586b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe328bf6ca4456897ba0520c82cb2e130
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=104, length=193
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x020b00061900
State = 0xe328bf6ca4456897ba0520c82cb2e130
Message-Authenticator = 0xaf03a722231cbf43dad00f06deb21764
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 104 to 192.168.242.4:32768
EAP-Message = 0x010c02c1190014e159b3ed3fb3f26a4fcd43ed310b6f180cf159fb0906753cf0d48b4a76da4de0cdc2e60ed27477e175827f0203010001a382016930820165300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414f2e6025e7d0e816e7f54b3c650fd4d7bca8a5ef2308201120603551d1f048201093082010530820101a081fea081fb8681bb6c6461703a2f2f2f434e3d756f68692d63612c434e3d6f686961707033302c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f74
EAP-Message = 0x7461776168656172742c44433d63612c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43657274456e726f6c6c2f756f68692d63612e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010023dfb3904e1074c246fbc07768eca45df19cb8ad335cbf200d9c09522d29b1a7789d29f2dc5b679c458b05f80fee7919925e50522b9a13f4f72a088dc9f07531d760
EAP-Message = 0xfb234fe068f89dcc55b1642736af943a02e2a8bd977736b0cb0276351d5050c9f9728e13dd077d95642f4d3a53775a7526c5d52db54bc78745d693d4f6b3ed3fca557814ed7b88cd5246926152ce560d0e1cb6870256a0e9f04f574ac426e1f9b2e4bde527b9be683acaee9aa90766a60226065015dd876f17096ec0c2f0895af9208207742d9760c2195c8044511e279f772f9cda8300facba05aab206f608931126fa901aef3d1e6fbe3658c1dd407b01430e259a178311890491a788016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3e66b22c771fe106639f5ee4adffa376
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=105, length=379
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x020c00c01980000000b61603010086100000820080a35912c21690119d0c47ec8637c615fd6dd85d88ccf7170cb9e5757bd70cce6391b0d24b46ced984fbe36cd7270f5246a3f4bfafa0b6998479bdd81e9c6d40d1f58031b73596bb78e43382c003eacf1848e26e88ee89dd67411211f4d55046981216f0db5e96697c2dd2927650b1c7d91d7c17fbfe772f76cd6b0dafa1da4fe6140301000101160301002019b6c288a231ecd2cb10237f9569dbaa21b612daaf50526454b1faa2b21ebd08
State = 0x3e66b22c771fe106639f5ee4adffa376
Message-Authenticator = 0x49d70b631f0d0a70ee21563438eb08b8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
rlm_eap: EAP packet type response id 12 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 105 to 192.168.242.4:32768
EAP-Message = 0x010d00311900140301000101160301002052299a655e2d3e68952b7af365e12a37f9a8c5f4bcd4eeef8eb13994bb68480f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf12339622fe74707097ca72a3b36fd6a
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=106, length=220
User-Name = "uohi-40615"
Calling-Station-Id = "00-40-96-B1-43-19"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x020d00211980000000171503010012b39e80d3c2a720105b63569561d503400461
State = 0xf12339622fe74707097ca72a3b36fd6a
Message-Authenticator = 0xf86ea187cb783cc4508eb288226b22ee
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No
'@' in User-Name = "uohi-40615", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for uohi-40615
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=uohi-40615))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=uohi-40615))
rlm_ldap: checking if remote access for uohi-40615 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user uohi-40615 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
rlm_eap: EAP packet type response id 13 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 5
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ohiapp2.ottawaheart.ca:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ohicoca.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=UOHI-40615,o=OHICO/aassword2 to ohiapp2.ottawaheart.ca:636
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: eDirectory account policy check failed.
rlm_ldap: NDS error: failed authentication (-669)
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[post-auth]: module "ldap" returns reject for request 5
modcall: group Post-Auth-Type returns reject for request 5
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=106, length=220
Sending Access-Reject of id 106 to 192.168.242.4:32768
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
Reply-Message = "NDS error: failed authentication (-669)"
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 46300f87
Cleaning up request 1 ID 102 with timestamp 46300f87
Cleaning up request 2 ID 103 with timestamp 46300f87
Cleaning up request 3 ID 104 with timestamp 46300f87
Cleaning up request 4 ID 105 with timestamp 46300f87
Cleaning up request 5 ID 106 with timestamp 46300f87
Nothing to do. Sleeping until we see a request.