Hi all, I have tried everything recommended to me by Novell (as far as Microsoft patches) that may address an issue with their new (beta) Client 4.91 SP4. This client allows you to select 802.1x authentication and it's suppose to pass the login credentials to the Windows XP supplicant. Once 802.1x authentication is done, the Novell Client is supposed to continue it's login process. Based on the RADIUSD logs, I'm not getting a proper PEAP authentication at the Novell login prompt stage. Once this stage times out and I log in locally to the WinXP workstation, the PEAP authentication works fine. The timeout error is: 802.1x Authentication Failed. Timeout waiting for authentication to finish. Logging to workstation only. <OK> FYI, Once the Novell 802.1x is enabled, the only thing I see that changes with WinXP supplicant's configuration (under PEAP) is that the Authentication Method is now listed as "Novell (EAP-MSCHAP v2)" instead of "Secured password (EAP-MSCHAP v2)". I'm wondering if the issue is related to something with my FreeRADIUS configuration? I've inculded the logs for when my pure Windows XP workstation authenticates and included the logs for what's going on while waiting for the Novell 802.1x client to timeout. I'm hoping a trained eye can spot something or anything that would lead me to a solution. Thanks for any help. Marc --------------------------------*------------------------------------*-------- --------------------------------Novell 802.1x*------------------------------- --------------------------------*------------------------------------*-------- Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.242.4:32768, id=156, length=184 User-Name = "UOHI-40626" Calling-Station-Id = "00-40-96-B1-43-A8" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x0202000f01554f48492d3430363236 Message-Authenticator = 0xf173e2f693b6439540056725af55c9a5 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5046 modcall[authorize]: module "preprocess" returns ok for request 5046 modcall[authorize]: module "chap" returns noop for request 5046 modcall[authorize]: module "mschap" returns noop for request 5046 rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5046 rlm_ldap: - authorize rlm_ldap: performing user authorization for UOHI-40626 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626)) rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user UOHI-40626 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5046 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5046 modcall: group authorize returns updated for request 5046 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5046 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 5046 modcall: group authenticate returns handled for request 5046 Sending Access-Challenge of id 156 to 192.168.242.4:32768 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x236c181e57c0ea83025c9e57460d53fb Finished request 5046 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=157, length=267 User-Name = "UOHI-40626" Calling-Station-Id = "00-40-96-B1-43-A8" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x0203005019800000004616030100410100003d0301463a53cad2f596a4d17f6cdba65ae68141b95a139ae441539224f3830ecfbd2d00001600040005000a000900640062000300060013001200630100 State = 0x236c181e57c0ea83025c9e57460d53fb Message-Authenticator = 0x3c69468e56b4da685f74f2ee77b5b65f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5047 modcall[authorize]: module "preprocess" returns ok for request 5047 modcall[authorize]: module "chap" returns noop for request 5047 modcall[authorize]: module "mschap" returns noop for request 5047 rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5047 rlm_ldap: - authorize rlm_ldap: performing user authorization for UOHI-40626 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626)) rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user UOHI-40626 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5047 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5047 modcall: group authorize returns updated for request 5047 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5047 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0af4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5047 modcall: group authenticate returns handled for request 5047 Sending Access-Challenge of id 157 to 192.168.242.4:32768 EAP-Message = 0x0104040a19c000000b51160301004a02000046030146399d4d91edd8cb95d2ede5c24ddbf00855871dea30a66113c57772f9caf8c8206e4958d7d4c95074067aad0113ae120af60337670458b2638256c9cd7f19b6830004001603010af40b000af0000aed00063a308206363082051ea003020102020a6129017f000000000015300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3037303432373139343330325a EAP-Message = 0x170d3039303432363139343330325a3077310b30090603550406130243413110300e060355040813074f6e746172696f310f300d060355040713064f7474617761310d300b060355040a1304554f48493111300f060355040313084f4849534c4553313123302106092a864886f70d010901161461646d696e406f747461776168656172742e636130820122300d06092a864886f70d01010105000382010f003082010a02820101009c62aac4b4d7c2a0a3b074bc3a9922f6eade8be2b126ef833e55f97b61f8ddc0b90d016c0f0bdc12c94ba162085969a2ea5348e6ecdd88dbbd2a24723fb099730e01ae6f3b7bd7eafcdb69f847ced1b09a04eed9 EAP-Message = 0x6d813d07547b3b998f164cd74539e432acd8f0bdfdfb6a9820e92b85e0576412108da40f41775f8f4e78f34d549db299a3f74d8d01fc92c9929f4e48d4a6886656a44a37f3536c4a8da0fcec8f6f6552b5f61c3227808aaa9c6cbb5f1e927316419eaba102aea640cf280a6cbfc0f2757d7ae89d9efadc4b64ebf540af9ee1895bd5329305745ff6a9693efb9eb007e4ec939794b37d038702b1f934d58ce4f6d568cb87bc1f779b833821e30203010001a38202df308202db301d0603551d0e041604144355ae8326e8e176e53691675c60bc20e389907f301f0603551d23041830168014f2e6025e7d0e816e7f54b3c650fd4d7bca8a5ef230820112 EAP-Message = 0x0603551d1f048201093082010530820101a081fea081fb8681bb6c6461703a2f2f2f434e3d756f68692d63612c434e3d6f686961707033302c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863b687474703a2f2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c2f43 EAP-Message = 0x657274456e726f6c6c2f756f68692d63612e63726c30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50ae1445bfa19e9199ff676e0527a36d Finished request 5047 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.242.4:32768, id=158, length=193 User-Name = "UOHI-40626" Calling-Station-Id = "00-40-96-B1-43-A8" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x020400061900 State = 0x50ae1445bfa19e9199ff676e0527a36d Message-Authenticator = 0xe439288adf4546ea77fd4b41db6d415f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5048 modcall[authorize]: module "preprocess" returns ok for request 5048 modcall[authorize]: module "chap" returns noop for request 5048 modcall[authorize]: module "mschap" returns noop for request 5048 rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5048 rlm_ldap: - authorize rlm_ldap: performing user authorization for UOHI-40626 radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))' radius_xlat: 'o=OHICO' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626)) rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user UOHI-40626 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5048 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5048 modcall: group authorize returns updated for request 5048 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5048 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5048 modcall: group authenticate returns handled for request 5048 Sending Access-Challenge of id 158 to 192.168.242.4:32768 EAP-Message = 0x01050406194082012e06082b06010505070101048201203082011c3081b206082b060105050730028681a56c6461703a2f2f2f434e3d756f68692d63612c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6f747461776168656172742c44433d63612c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479306506082b060105050730028659687474703a2f2f6f686961707033302e6f747461776168656172742e63612e EAP-Message = 0x6c6f63616c2f43657274456e726f6c6c2f6f686961707033302e6f747461776168656172742e63612e6c6f63616c5f756f68692d63612e637274302106092b060104018237140204141e12005700650062005300650072007600650072300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010075b204baebe82901036bb830065f26844a0f213df174c9b4af8dd92b5a8c5290cced2f2ab28d6eda45c659fe6a331c117b0c761b590d7323f6f7bdd5b863c31bbb56085e97f0f2b0830777fab6c6760b19accb2ae195e9b5f9858bc3 EAP-Message = 0xeac04eb89e052a856661a194f8cbe3c013ea4dd5047092935bd7551cb41a5a1995f3ab82ee990e3b81fc8be9434df8172b66e358293c0a85ee8a0935b97415ac9b3133068c613ade745a4976fb8d3eca03f938cc8c7ab71b4c0fe95925b9013c0b1ab08676ec7779ca6ee8252c7252fc54b24a20bdda5ca33cb70b6308f4fc0e2af423e5fd02397e3655af5d869257b38406be19600966266b3eb6002072cd919fd602100004ad308204a930820391a003020102021015846cfa42f5b2904f917bb3c3381bc4300d06092a864886f70d0101050500305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c6401 EAP-Message = 0x1916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d6361301e170d3036313031383132333134325a170d3131313031383132343033395a305a31153013060a0992268993f22c64011916056c6f63616c31123010060a0992268993f22c64011916026361311b3019060a0992268993f22c640119160b6f747461776168656172743110300e06035504031307756f68692d636130820122300d06092a864886f70d01010105000382010f003082010a02820101009d08ba6ca5266c5161bff2aba9fea2dfc2f20347f7de7f21c9886b4cd7a1a189159fa78815bbd73b43e1bf73 EAP-Message = 0xf4af9701ecd685f783c48b6db282334729fb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76bc89cb174520f20da1729de7efd20f Finished request 5048 Going to the next request Waking up in 6 seconds... .................truncated log................... --------------------------------*------------------------------------*-------- --------------------------------WinXP 802.1x*------------------------------ --------------------------------*------------------------------------*-------- Ready to process requests. rad_recv: Access-Request packet from host 192.168.242.4:32768, id=121, length=184 User-Name = "uohi-40626" Calling-Station-Id = "00-40-96-B1-43-A8" Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2" NAS-Port = 1 NAS-IP-Address = 192.168.242.4 NAS-Identifier = "UOHIWLAN2" Vendor-14179-Attr-1 = 0x00000002 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "23" EAP-Message = 0x0202000f01756f68692d3430363236 Message-A