I've added ntdomain to sites-available/inner-tunnel after suffix in authorize section suffix ntdomain and added domain in proxy.conf realm csd-notebook { type = radius authhost = LOCAL accthost = LOCAL } All the same Vista client could not connect to WiFi network though radius server sent Access-Accept. See output of /usr/local/sbin/radiusd -fX below. But csd-notebook is not domain name, it is a computer name which can be random name. Also we do not use NTLM authorisation. What way to choose ? ---------------------------------------------------------------------- rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=20, length=235 Message-Authenticator = 0x6754868faae917f8ecf1de1b88ffbbff Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0214001a016373642d6e6f7465626f6f6b5c6f726573686b696e NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 20 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 159 [files] users: Matched entry DEFAULT at line 178 [files] users: Matched entry oreshkin at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 20 to 192.168.14.240 port 4177 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x011500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa520ee591f8365bba7dae1345 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=21, length=359 Message-Authenticator = 0xd3c72a8422cc238deb3701cd984c13d6 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa520ee591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0215008419800000007a16030100750100007103014a5753e9b349d723fa3d51a41542ee5a204229fd96748679796b15a731767cdd000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 21 length 132 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 122 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0075], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 21 to 192.168.14.240 port 4177 EAP-Message = 0x0116040019c00000088b160301002a0200002603014a5753907bd1c0875fd008715f2c67278f2199d62aea212127d5799677f7611800002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303632353038343934325a170d3130303632353038343934325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100afa137c1faa18184c11783fd931dbf08e3b3aab700e05e2d16471c85e470302c6d9db3068b833e463ff3cdaa6b2140447d2b7d151704863ad7439873ea51 EAP-Message = 0xe98c8abecfdd6268e021a8a17fb6966857f052859cef7a6bdcec12d2127ab2bc72c2b785a25f33c61aec0ff80079a53fb35cdbaebbfa29de9b24841a9a6c46a08073d66b09f3149fc840696c56ef61943d5e2679be18fc2733a012e261b9e9e6ae20c7ba01e2c6e4bfb3ce39325000bc51a2230319e4f8b16bffa46deb80631149f3e97333105b307b101958e9b83407c4398deb9cb32f7c23bdba70c091e79258f0c191edd239290beb26d0aaa8adf6f5ece5f633aef45ef0d4fea2c52b56fc39110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100973882c5663e2d6b29 EAP-Message = 0xf37acb064274e515f88c05490e81fcb594b8678a665ae9d17134a3e3fdb2df801547f84071730fa696eef58f5c1d73841e52aa2c9a4074cf288ef7158e4f3ae68db182c1798f3da6d86bda0a8a9c54de39f2d94d3e0687a8fa46faedcd36bcc64fd9f2cd74055682782684f674d377c0e2457f5ad4efa4ec460c7527c80769a270128e0a6d12cb79d0bb12fe0a1bb81f6c20b98873ac6718cd0d02ebb7de1cdd720360252cc736c2e84bfe1c87a695dcb7e2b4d982f0736305017d65ec72506bed1578f806479bedc2b5bfa83f0e15ccc03bbe908e734351e5843806e9dcb659b98056909aeed953e9e24d7e0e1f8163deb5f4f5076e5c00049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa530de591f8365bba7dae1345 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=22, length=233 Message-Authenticator = 0x4c73bb06cf9b4a279cb5f25364c25214 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa530de591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021600061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 22 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 22 to 192.168.14.240 port 4177 EAP-Message = 0x011703fc194000300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303632353038343934325a170d3130303632353038343934325a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577 EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a056d1cfe5b95120cfb2ad67638c20cceb3feca1d22665f5d0379648340127cf5ffe26f48f46c04a1132b032d93b7f49417851f2e110fee7b457fbe2f99b47d3389b630dd2f78acf290b4ecb6d43466a19cb17063f1b2a1eefe1e6f34e1b0a20fa92fa17809a58e7120bc1a87db8865230df04775af5e1 EAP-Message = 0x16b46a471819383d8be674378c3d33bdc0a8d6686542a3ba1c32a97249786aea2c38a22a49992fcfaf54806b50415060a433e9dc013696f9c0240657098f46782b1d0536f691d9667f6c153a4d2982cb2f75a3a9ebfa4831caea445f4bff1ae6fe4ad8eec82213b2a20d02dd1b6cb2dc425698f21ede7c2917aa6f103749084b755046bb83a3746e2f0203010001a381f33081f0301d0603551d0e04160414d64b150fdb7f312ac6c3982680da07466046ab9f3081c00603551d230481b83081b58014d64b150fdb7f312ac6c3982680da07466046ab9fa18199a48196308193310b3009060355040613024652310f300d060355040813065261646975 EAP-Message = 0x733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101008d3084a08170518ab145f6969d1e61d2a228d5ffa21a60c154ab30774674df42fb32f5a22dad55d75ef2c7f44c93bb3e52c92763901b1299530780e1f195a85ccbbd78d8b527b3263bfa340a459ac472b90360b4408e11c10e81afbc325c10ec91fa EAP-Message = 0xde231ca42761b9ba Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa500ce591f8365bba7dae1345 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=23, length=233 Message-Authenticator = 0x0aee9f5b511c9ae23c11446eac0b4e78 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa500ce591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021700061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.14.240 port 4177 EAP-Message = 0x011800a51900504fbacfc37f212076882bd7b098391319a08e59fc4d3dee5493579716c999ee20be7eed64f3b465e8ff5b718e9751b2c4ca5d1cd6700ccf0341f6a270aed40707094b7b6c39c78c581fa330b26bfb74042202fde6398f0fa591d0e164f5980d197175a49c7b9769cebfa4eef1f5527383f230b4df20935fa3903e171a05d038c6effefc1bf76e95dd86d637a53fc8ae83bdc13ea56d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5103e591f8365bba7dae1345 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=24, length=565 Message-Authenticator = 0xe9c4f9e868333481bc3f992f2aa1a741 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5103e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021801501980000001461603010106100001020100769931e3139b93cc6c593060914bd072373bf39b834fc024fb0301eefb15b34f82ae8cf3f40c278ea48339b759562a70691bdae9d2787df103615f2aee215cb348ed881852c4ad851294b3d059196973ac2a88668fcdf0d8a8ea6990c1275a1a97c6401424fd45d143464a1d6bcbfd87adabbed5cdabf6f0f53784888117ec0b1b3ce8f820a58486284749ec6e0520fa08015f4f074688c4771582566051b2afe546df7d788aad9c25d2d2e1f6fedb700855ad1d3165284f8d8ae3dc3391230ca11134654abfbd4e27eed42eb42a15d65d2098c2b8f58d3183a0fc1d9766aa383093787acc0fb6af EAP-Message = 0x467d42b176b10ba4938cff43e0d0da7d98c84de4befb83c11403010001011603010030eabb7f82b63254797b0a1058de5b2d4683403cd5c5c3340b930caa85db25f479d8ea1deb4d5ba5f201b8b9a84f4d97b4 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 24 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.14.240 port 4177 EAP-Message = 0x0119004119001403010001011603010030f7a902a3cc95bd20025641fbee76e796b867fe811ed81d7ee337cddd4e18653d17378c0a926cce7da53c2afad9fc45a4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5602e591f8365bba7dae1345 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=25, length=233 Message-Authenticator = 0x6cbaa61eb18daa20c579bee2679f4174 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5602e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021900061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 25 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 25 to 192.168.14.240 port 4177 EAP-Message = 0x011a002b190017030100207cf398479d0eae664ea314f623103e57f103334f1e634464e707d81835ffd07f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5701e591f8365bba7dae1345 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=26, length=286 Message-Authenticator = 0x0574dd2cb5f885828ab6b8015307a036 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5701e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021a003b19001703010030b9c978edc0ec85f275c5f03d0842f19284727199eef9a38ad70976a9aed64260087d178e30252c000cd38f572293b58c NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 26 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - csd-notebook\oreshkin [peap] Got tunneled request EAP-Message = 0x021a001a016373642d6e6f7465626f6f6b5c6f726573686b696e server { PEAP: Got tunneled identity of csd-notebook\oreshkin PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to csd-notebook\oreshkin Sending tunneled request EAP-Message = 0x021a001a016373642d6e6f7465626f6f6b5c6f726573686b696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "csd-notebook\\oreshkin" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 26 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 159 [files] users: Matched entry oreshkin at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011b002f1a011b002a10c8f5c4e66039ee0c0248b00e7a4eb5456373642d6e6f7465626f6f6b5c6f726573686b696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8cc4b76f8cdfad527821b84c1697460f [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011b002f1a011b002a10c8f5c4e66039ee0c0248b00e7a4eb5456373642d6e6f7465626f6f6b5c6f726573686b696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8cc4b76f8cdfad527821b84c1697460f [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 26 to 192.168.14.240 port 4177 EAP-Message = 0x011b004b19001703010040a35bf50ba3bd99ea37448038a8d40802007487a075177b0419b54533f76c23a67a7f0a32592f07733e74dbaa940fcf35f71de88e734ea8cad58818ef2509ebe9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5400e591f8365bba7dae1345 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=27, length=334 Message-Authenticator = 0x6377408684ab7b0dafbfd5a5d5aa9dff Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5400e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021b006b19001703010060bfbb8b002571807f3de09f5d37b7ea172b19ad7e8e6595473c7c3ecefc0f824eaa77be7eda4097a947ecbc9455c005b27d8ca23437273901a23d701f9aaaeb5a1f0a53765f353340a0a2bf5d08afa72fc1f262e00427b89039fcd28945e9d6d8 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 27 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021b00431a021b003e31819c7b1f2f8d867cafd6f0976e6cd29c0000000000000000538c3df64ded3d79745d4b6e21702de83ca497d34302d34b006f726573686b696e server { PEAP: Setting User-Name to csd-notebook\oreshkin Sending tunneled request EAP-Message = 0x021b00431a021b003e31819c7b1f2f8d867cafd6f0976e6cd29c0000000000000000538c3df64ded3d79745d4b6e21702de83ca497d34302d34b006f726573686b696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "csd-notebook\\oreshkin" State = 0x8cc4b76f8cdfad527821b84c1697460f server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 27 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 159 [files] users: Matched entry oreshkin at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011c00331a031b002e533d39333632383542353544363242393846463634333641323246434133313633463230443633373333 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8cc4b76f8dd8ad527821b84c1697460f [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011c00331a031b002e533d39333632383542353544363242393846463634333641323246434133313633463230443633373333 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8cc4b76f8dd8ad527821b84c1697460f [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 27 to 192.168.14.240 port 4177 EAP-Message = 0x011c005b19001703010050abccee58e5726f5b3913595f28b77e17951e779c9392439824aed552eac47b7c9f14b166653341e272ac25914c28a1d6dbb9c55d4f912de1bf4ae76fd9a85e24cf3e164168b24fb155f39ffbc968f3db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5507e591f8365bba7dae1345 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=28, length=270 Message-Authenticator = 0x4c98e3edbda80d90f35e45d515a2a8af Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5507e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021c002b19001703010020020ffb1916a6287e3fc7338c22eeafab91d8e94329c9f4c762b96345c077f2a1 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 28 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021c00061a03 server { PEAP: Setting User-Name to csd-notebook\oreshkin Sending tunneled request EAP-Message = 0x021c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "csd-notebook\\oreshkin" State = 0x8cc4b76f8dd8ad527821b84c1697460f server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 28 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 159 [files] users: Matched entry oreshkin at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "oreshkin" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "oreshkin" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 28 to 192.168.14.240 port 4177 EAP-Message = 0x011d002b19001703010020b6e09090e6565d2213c2146da4d560c520e75e59c28702e5e916bd639c277d0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x521bfcaa5a06e591f8365bba7dae1345 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=29, length=270 Message-Authenticator = 0xcc38941510510c2776d853ce35ba7fd2 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x521bfcaa5a06e591f8365bba7dae1345 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021d002b190017030100207f0f1fe523589d2f59034ac7bab4797406f777f4d2cd797d272eadab787d8e77 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "csd-notebook" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "csd-notebook" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 29 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 29 to 192.168.14.240 port 4177 MS-MPPE-Recv-Key = 0xc12171c0071fd6f4098e5f68b570202b25bbc5d89f31d63e13645dd645e87a6d MS-MPPE-Send-Key = 0x5b383c69c087a07603a627033e58f4bf17fcf505f534f1c85117f22acf0d1ec3 EAP-Message = 0x031d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "oreshkin" Finished request 9. Going to the next request Waking up in 4.9 seconds. -------------------------------------------------------- Thanks On Thu, 9 Jul 2009, Ivan Kalik wrote:
Date: Thu, 9 Jul 2009 11:04:11 +0100 (BST) From: Ivan Kalik <tnt@kalik.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue
Hi,
I've configured modules/preprocess with
with_ntdomain_hack = yes
and tried again to authenticate Vista user but got as follows:
...
[eap] Identity does not match User-Name, setting from EAP Identity.
That entry alters User-Name and shouldn't be used with EAP. It works fine with plain mschap but not here.
Enable ntdomain in inner-tunnel virtual server (just under suffix) and create a local domain in proxy.conf:
realm csd-notebook { }
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html