I have managed to setup freeradius to authenticate against AD without any issues using ntlm_auth.
Currently I'm facing issues with it.
normally sending the username as staff\user works fine via and if logged in on windows domain via Windows OS.
I did go through all the documentation and mailinglist and wiki but could not get it running.
Would greatly appreciate someones help.
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ORIG-ldap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/OLD_mschap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
auth_pool = my_auth_failover
}
realm LOCAL {
}
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client xx.xx.xx.x {
require_message_authenticator = no
secret = "xxxxxxxxx"
shortname = "eduraom-test"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Instantiating ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{realm} --username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=178, length=259
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x0201001901756c64617074657374406163752e6564752e6175
Message-Authenticator = 0xa6b74ce27715f3c6314f30ce435d689f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 178 to 10.38.0.3 port 32769
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13255d9ea7b896c4c3b04c6f97
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=179, length=404
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x0202009815800000008e16030100890100008503014eea692751ed1acdf3e116c9c0875f917e2ff6fb38ff3a9c355b5e337125011700004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x255f8b13255d9ea7b896c4c3b04c6f97
Message-Authenticator = 0xc8ca528a26e8648e1aa38c1c6f22a0ad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 142
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 179 to 10.38.0.3 port 32769
EAP-Message = 0x0103040015c0000008a216030100310200002d03014eea692667acccd592e9309a5faf894898300061d01624253fdef50f6653aae200002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message = 0x74686f72697479301e170d3131313231333232313734335a170d3132313231323232313734335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfaf7a058431841af986f84a83a6e673588926ad79a0dc4f630c715ce96960ef1af4035780e923173ebdba24f8ea251743b18594812b4b
EAP-Message = 0x5369e973914dc50bf34df150e89c1bfb5dfec4f4617f6742d314720d609e517df7b2fea7bc96846799a226ce2c6f82df891bbb21b66c442fff03fc6f0f48014dc87f5a8425687abc8c1df0f80dadbb186ca7de4404c8afb5d5557bcc4085c57a6f010cb6ee7bb881f861e1c3ae008718b06b5650dccba392b9246d9518882e000cd0faa51966eecd626d139f592761bb19650880a0155bbe60a6d0f96db2c442500396a4dc010fdccdf0672b26c058af42cd1a1eb06018f9e0de40d92f213a0456d1419e0735a274f10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100aa8c
EAP-Message = 0x4b7401fcb2014b7866e9cacd1aa6d41d2dc309245b37a14ef930eda5bd254a378af0645c4b093f67373023562708492d000d4a8e726549e4df4bb207d23f648d97b10bf9194a73cc60a72958f7b9c3af24ac839b182ae6c9f3af8ace9e5b90a63190f6159de91d2d0314d87c8f14c33d2d484162000f130e512b57aac1d87855c1d8f00cbf3667ced34398d76f87bdc47d26a0402947e709e2bb870fb6987feff928160eb7f6d2960281680ca8a962ce77e7d445b1126523ac65113778149699af0bb9102597dceebbbb7837c6486165854f75ae3d9df3a495ca5ecc9ab6cd95c1bef4d8fe17b23b076b9c0647464c763f770d1b1d8a56791f2e1362de
EAP-Message = 0x010004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13245c9ea7b896c4c3b04c6f97
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=180, length=258
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x020300061500
State = 0x255f8b13245c9ea7b896c4c3b04c6f97
Message-Authenticator = 0xddac83b5c84460996555e7b43e235788
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 180 to 10.38.0.3 port 32769
EAP-Message = 0x0104040015c0000008a2a00302010202090081954b05fc420019300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131313231333232313734335a170d3132313231323232313734335a308193310b3009060355040613024652310f300d06035504081306526164
EAP-Message = 0x6975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cc940f2715240f984bef0113058fb77c9c9dd5f325f8f14cc112fe8f0b367fb7e7005e20a86a0e37582884d6aeb2fdf7407bd049914a2fec7b3380698e2bddf2f3fb18418b8bd9a2601abebf02b7aa9e333bbc1802a323b213613fb99fdfe4e278bcd08a
EAP-Message = 0xbd2e65104fe99747c4446fc48bba500d8c7ede55fc5eaaa96c081a4114e76c53a378da060a61bbcdc8c71594bd26a6d373eb0de9c866af04b216ceffc93cc0e1b492b6ce447960a7b9f7488cea39d1df6771e8ed963853b12bf886b4337c40d934e259ea98bb71cbb9c3fcf6fb5fe86c0a7b25298b54d62350a2a8b740c431b7e221032cdf3f309dc628e076ba2d531292a021cd5673f009bc4b2ebd0203010001a381fb3081f8301d0603551d0e04160414ae4906d1a02877e55de58a7df11f79583bd463a33081c80603551d230481c03081bd8014ae4906d1a02877e55de58a7df11f79583bd463a3a18199a48196308193310b3009060355040613
EAP-Message = 0x024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090081954b05fc420019300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007a6c684dd06db01bdbd75cae83074bda777c20e8be9a1be1bd56bd2b3d8c950803c003b37fc7554cb10a1122dbead4a23ba9ff6bdbeea1afef17b5a8e565a1d855277c2baebb94
EAP-Message = 0x1f57f0f52a672be403901059
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13275b9ea7b896c4c3b04c6f97
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=181, length=258
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x020400061500
State = 0x255f8b13275b9ea7b896c4c3b04c6f97
Message-Authenticator = 0xfc99a254f9326c2e5935b07dd2be7e6c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 181 to 10.38.0.3 port 32769
EAP-Message = 0x010500c01580000008a2f93ffa21693b555e0ae5383ec5b742022c77860ffe184ee9a72c4b2e2ee19fc6999842d4fa3aa95f0701342b79e8ba09b404f50be7380f7355f11a2996a99fd0dfa756aa053fcbbc0584de34623f24affe35f9ce6ce1bb9c6324191ea71d5c0ae6886fd376847ce845e7e690c438d55e00f86ade7da9f69572f13e1bece372ddc945061caaca04e5d934db3b7304ea3236a3523c54ee4858a4020dfc66da3f0966bdffd05310a63706d02e2d8616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13265a9ea7b896c4c3b04c6f97
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=182, length=590
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x0205015015800000014616030101061000010201005eb0e7366af459216883bcfe66c782c2cadb93471f57894edd91701438fa5ef036269d8bc464da118bfe77f46b3ea25b8b082793b94e85e4c234cf0621f144fb785c1c691f2f55ceca405237cee5cb24e65c39694704bf16322243bfb8b6abd72a8f5c2e38de6d8d9336d0be223614f1536896c0c33e896099c10997b253b5999a8288649b1962aea6d4d02a25aaaceb9b9494fe7fc67647911b4330ec9f990d3ea555b9b79555e8b3d65d7e12bd73798a8283fcc7d954e8ae88d225cc0e44b9192ce06c9a9fb7ed89e16ae4f8d12fe4f1f8de0b5e60cf09c82455e58e301107dfa5c6b70ff22cd8
EAP-Message = 0xfc36bb4e4d9d45b2e78903cdfd098985d2e83430cd67fb941403010001011603010030be9deb372366b2a588d43e9845b2964b1a3fd1fea139f310addbc39c768cf77eba9b10ad9d403319e6a8d2721b50b94d
State = 0x255f8b13265a9ea7b896c4c3b04c6f97
Message-Authenticator = 0xb5a83699ac11acbfbe8ad5c6a4c85065
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 182 to 10.38.0.3 port 32769
EAP-Message = 0x0106004515800000003b14030100010116030100307dd7611e8f7882f4503eb58c834cbc158b60f906df5f1a34f29ec7b5eca23d080918129b5c2b822f2f6090433486eac2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b1321599ea7b896c4c3b04c6f97
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=183, length=411
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x0206009f158000000095170301009019a583666c2057ca5e6f9adb0f78e8264ff1e75fd11f0dde18ebfebec8ac135505ea649eb64ca0584b490f034e83136fce991af2f542bc71a1271674a60630161d2d863641c42c8f0cb1efe46733b7618119f2cd5dfbbadc2ed5ee55980bff1646c1e8be19117b9d0859b010fe4467daae591b3db2d824670889726294a4e6544a8c92176d21754fbc3a8c62c700097a
State = 0x255f8b1321599ea7b896c4c3b04c6f97
Message-Authenticator = 0xe625583ae40d6922617196d1c2b56a0c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 6 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
MS-CHAP-Challenge = 0x6ff7b6dd4a5155fa5d41b7b76dd50084
MS-CHAP2-Response = 0xda005b945c000516c50eaa0ae012e61fafcc0000000000000000ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
MS-CHAP-Challenge = 0x6ff7b6dd4a5155fa5d41b7b76dd50084
MS-CHAP2-Response = 0xda005b945c000516c50eaa0ae012e61fafcc0000000000000000ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
FreeRADIUS-Proxied-To = 127.0.0.1
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] Adding Stripped-User-Name = "user"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=
[mschap] mschap2: 6f
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=d1b8a20829fffe33
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
Exec-Program output: No such user (0xc0000064)
Exec-Program-Wait: plaintext: No such user (0xc0000064)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [user/<via Auth-Type = mschap>] (from client eduraom-test port 1 cli d0-23-db-e8-b6-01 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
MS-CHAP-Error = "\332E=691 R=1"
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [
user@example.com.au/<via Auth-Type = EAP>] (from client eduraom-test port 1 cli d0-23-db-e8-b6-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 183 to 10.38.0.3 port 32769
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 178 with timestamp +21
Cleaning up request 1 ID 179 with timestamp +21
Cleaning up request 2 ID 180 with timestamp +21
Cleaning up request 3 ID 181 with timestamp +21
Cleaning up request 4 ID 182 with timestamp +21
Waking up in 1.0 seconds.