Am 18.12.2013 10:54, schrieb Hubert Kupper:
Am 18.12.2013 10:16, schrieb Olivier Beytrison:
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject It looks like you provided the wrong password.
Olivier no, I used "pwddummy" only in my posting. In my tests I used the right password for the testuser dumm. With our other FR servers, the testuser and password works fine!
Hubert - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Ok, I resetted the password for user dumm and tried it again. Here is the output:
Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=172, length=213 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020200090164756d6d Message-Authenticator = 0x19d1460f5e754fa9589131e27aa1631b (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (!User-Name) (0) ? if (!User-Name) -> FALSE (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dumm' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "dumm", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "dumm" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : EAP packet type response id 2 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa867997d (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge of id 172 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa867997d12828dafc6890954 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=173, length=327 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x0203006919800000005f160301005a01000056030152b1966ea0268f428ae5f5a4c8c1c0d1b6ad2fa9945b4b8f9d132cce1a818aec000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0xa86480cfa867997d12828dafc6890954 Message-Authenticator = 0xb4bdc760cfea245ec3ae498b0e0303a8 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) ? if (!User-Name) (1) ? if (!User-Name) -> FALSE (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'dumm' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "dumm", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "dumm" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : EAP packet type response id 3 length 105 (1) eap : Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xa86480cfa867997d (1) eap : Finished EAP session with state 0xa86480cfa867997d (1) eap : Previous EAP request found for state 0xa86480cfa867997d, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 95 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 12e2], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa960997d (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge of id 173 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa960997d12828dafc6890954 (1) Finished request 1. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=174, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020400061900 State = 0xa86480cfa960997d12828dafc6890954 Message-Authenticator = 0xbce2adf33028b31939f2dadd25dc21a6 (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) ? if (!User-Name) (2) ? if (!User-Name) -> FALSE (2) ? if (User-Name != "%{tolower:%{User-Name}}") (2) expand: "%{tolower:%{User-Name}}" -> 'dumm' (2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) ? if (User-Name =~ / /) (2) ? if (User-Name =~ / /) -> FALSE (2) ? if (User-Name =~ /@.*@/ ) (2) ? if (User-Name =~ /@.*@/ ) -> FALSE (2) ? if (User-Name =~ /\\.\\./ ) (2) ? if (User-Name =~ /\\.\\./ ) -> FALSE (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) ? if (User-Name =~ /\\.$/) (2) ? if (User-Name =~ /\\.$/) -> FALSE (2) ? if (User-Name =~ /@\\./) (2) ? if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "dumm", looking up realm NULL (2) suffix : Found realm "NULL" (2) suffix : Adding Stripped-User-Name = "dumm" (2) suffix : Adding Realm = "NULL" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) eap : EAP packet type response id 4 length 6 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xa86480cfa960997d (2) eap : Finished EAP session with state 0xa86480cfa960997d (2) eap : Previous EAP request found for state 0xa86480cfa960997d, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaa61997d (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge of id 174 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfaa61997d12828dafc6890954 (2) Finished request 2. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=175, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020500061900 State = 0xa86480cfaa61997d12828dafc6890954 Message-Authenticator = 0x6424ccb720f6e6d11e217657449ec5b1 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) ? if (!User-Name) (3) ? if (!User-Name) -> FALSE (3) ? if (User-Name != "%{tolower:%{User-Name}}") (3) expand: "%{tolower:%{User-Name}}" -> 'dumm' (3) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) ? if (User-Name =~ / /) (3) ? if (User-Name =~ / /) -> FALSE (3) ? if (User-Name =~ /@.*@/ ) (3) ? if (User-Name =~ /@.*@/ ) -> FALSE (3) ? if (User-Name =~ /\\.\\./ ) (3) ? if (User-Name =~ /\\.\\./ ) -> FALSE (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) ? if (User-Name =~ /\\.$/) (3) ? if (User-Name =~ /\\.$/) -> FALSE (3) ? if (User-Name =~ /@\\./) (3) ? if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "dumm", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "dumm" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : EAP packet type response id 5 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xa86480cfaa61997d (3) eap : Finished EAP session with state 0xa86480cfaa61997d (3) eap : Previous EAP request found for state 0xa86480cfaa61997d, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfab62997d (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge of id 175 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfab62997d12828dafc6890954 (3) Finished request 3. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=176, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020600061900 State = 0xa86480cfab62997d12828dafc6890954 Message-Authenticator = 0xed7f6b286401975720341fcbc89f9455 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) ? if (!User-Name) (4) ? if (!User-Name) -> FALSE (4) ? if (User-Name != "%{tolower:%{User-Name}}") (4) expand: "%{tolower:%{User-Name}}" -> 'dumm' (4) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) ? if (User-Name =~ / /) (4) ? if (User-Name =~ / /) -> FALSE (4) ? if (User-Name =~ /@.*@/ ) (4) ? if (User-Name =~ /@.*@/ ) -> FALSE (4) ? if (User-Name =~ /\\.\\./ ) (4) ? if (User-Name =~ /\\.\\./ ) -> FALSE (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) ? if (User-Name =~ /\\.$/) (4) ? if (User-Name =~ /\\.$/) -> FALSE (4) ? if (User-Name =~ /@\\./) (4) ? if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "dumm", looking up realm NULL (4) suffix : Found realm "NULL" (4) suffix : Adding Stripped-User-Name = "dumm" (4) suffix : Adding Realm = "NULL" (4) suffix : Authentication realm is LOCAL (4) [suffix] = ok (4) eap : EAP packet type response id 6 length 6 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xa86480cfab62997d (4) eap : Finished EAP session with state 0xa86480cfab62997d (4) eap : Previous EAP request found for state 0xa86480cfab62997d, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfac63997d (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge of id 176 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfac63997d12828dafc6890954 (4) Finished request 4. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=177, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020700061900 State = 0xa86480cfac63997d12828dafc6890954 Message-Authenticator = 0x350c6496caddb678f4145338d352ff5f (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) ? if (!User-Name) (5) ? if (!User-Name) -> FALSE (5) ? if (User-Name != "%{tolower:%{User-Name}}") (5) expand: "%{tolower:%{User-Name}}" -> 'dumm' (5) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) ? if (User-Name =~ / /) (5) ? if (User-Name =~ / /) -> FALSE (5) ? if (User-Name =~ /@.*@/ ) (5) ? if (User-Name =~ /@.*@/ ) -> FALSE (5) ? if (User-Name =~ /\\.\\./ ) (5) ? if (User-Name =~ /\\.\\./ ) -> FALSE (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) ? if (User-Name =~ /\\.$/) (5) ? if (User-Name =~ /\\.$/) -> FALSE (5) ? if (User-Name =~ /@\\./) (5) ? if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "dumm", looking up realm NULL (5) suffix : Found realm "NULL" (5) suffix : Adding Stripped-User-Name = "dumm" (5) suffix : Adding Realm = "NULL" (5) suffix : Authentication realm is LOCAL (5) [suffix] = ok (5) eap : EAP packet type response id 7 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xa86480cfac63997d (5) eap : Finished EAP session with state 0xa86480cfac63997d (5) eap : Previous EAP request found for state 0xa86480cfac63997d, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake fragment handler (5) eap_peap : eaptls_verify returned 1 (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfad6c997d (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge of id 177 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfad6c997d12828dafc6890954 (5) Finished request 5. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=178, length=560 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020801501980000001461603010106100001020100895db16795383e66c1fbe477e6a32de3bbf7284cedcb90d740413663bb5723b9d64ebc2cd4fc722d68bbb218dd74930a5696ae34e6b6668d6da308cb4f056eaa47e914dfb5afc1ac3ea4060d56430d37b79b3f61203a2f5f13faa11be9ee39f6ad29e894d7fe443569ba4ce8c91245e17b0d198d0bdd5a5a838eaad32d44be2fa954ad8be8ca01c9542f438fd9c2018ccc398b5fc326cd2bd6610d6fe3cc57fbffca875bcd9a93c812ecf0e33f9fcbfd9c11ef94b2f730de6d2745976d5c74521cb4628257351c280ec41f32b9311cde2b72d8cb3919a5d6c8dbbee1542d0014b02ba361ac9a156fd03226538d356541c6f6a3412f5db8251c9a5a25de2ee2c81403010001011603010030119978f0e9951fc0d9d6d4850d606edc4b3339ae5452c58db1699e709dfa5d5e3f910008914565a5b8d435aa41888ce3 State = 0xa86480cfad6c997d12828dafc6890954 Message-Authenticator = 0xa0338b8ac9c33aa4898dff4aaff042fc (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) ? if (!User-Name) (6) ? if (!User-Name) -> FALSE (6) ? if (User-Name != "%{tolower:%{User-Name}}") (6) expand: "%{tolower:%{User-Name}}" -> 'dumm' (6) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) ? if (User-Name =~ / /) (6) ? if (User-Name =~ / /) -> FALSE (6) ? if (User-Name =~ /@.*@/ ) (6) ? if (User-Name =~ /@.*@/ ) -> FALSE (6) ? if (User-Name =~ /\\.\\./ ) (6) ? if (User-Name =~ /\\.\\./ ) -> FALSE (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) ? if (User-Name =~ /\\.$/) (6) ? if (User-Name =~ /\\.$/) -> FALSE (6) ? if (User-Name =~ /@\\./) (6) ? if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "dumm", looking up realm NULL (6) suffix : Found realm "NULL" (6) suffix : Adding Stripped-User-Name = "dumm" (6) suffix : Adding Realm = "NULL" (6) suffix : Authentication realm is LOCAL (6) [suffix] = ok (6) eap : EAP packet type response id 8 length 336 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xa86480cfad6c997d (6) eap : Finished EAP session with state 0xa86480cfad6c997d (6) eap : Previous EAP request found for state 0xa86480cfad6c997d, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS TLS Length 326 (6) eap_peap : Length Included (6) eap_peap : eaptls_verify returned 11 (6) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (6) eap_peap : TLS_accept: SSLv3 read client key exchange A (6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 read finished A (6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : TLS_accept: SSLv3 write change cipher spec A (6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 write finished A (6) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 to cache (6) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (6) eap_peap : eaptls_process returned 13 (6) eap_peap : FR_TLS_HANDLED (6) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfae6d997d (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge of id 178 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x01090041190014030100010116030100304363285a0957c59d896553101f3d7e4de5404484f6dea4258eca26e9699b520777556fd173f270a97f987c2e7a01394d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfae6d997d12828dafc6890954 (6) Finished request 6. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=179, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020900061900 State = 0xa86480cfae6d997d12828dafc6890954 Message-Authenticator = 0xba508282c219aea5755f50bf9de8429e (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) ? if (!User-Name) (7) ? if (!User-Name) -> FALSE (7) ? if (User-Name != "%{tolower:%{User-Name}}") (7) expand: "%{tolower:%{User-Name}}" -> 'dumm' (7) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) ? if (User-Name =~ / /) (7) ? if (User-Name =~ / /) -> FALSE (7) ? if (User-Name =~ /@.*@/ ) (7) ? if (User-Name =~ /@.*@/ ) -> FALSE (7) ? if (User-Name =~ /\\.\\./ ) (7) ? if (User-Name =~ /\\.\\./ ) -> FALSE (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) ? if (User-Name =~ /\\.$/) (7) ? if (User-Name =~ /\\.$/) -> FALSE (7) ? if (User-Name =~ /@\\./) (7) ? if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "dumm", looking up realm NULL (7) suffix : Found realm "NULL" (7) suffix : Adding Stripped-User-Name = "dumm" (7) suffix : Adding Realm = "NULL" (7) suffix : Authentication realm is LOCAL (7) [suffix] = ok (7) eap : EAP packet type response id 9 length 6 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xa86480cfae6d997d (7) eap : Finished EAP session with state 0xa86480cfae6d997d (7) eap : Previous EAP request found for state 0xa86480cfae6d997d, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : Received TLS ACK (7) eap_peap : Received TLS ACK (7) eap_peap : ACK handshake is finished (7) eap_peap : eaptls_verify returned 3 (7) eap_peap : eaptls_process returned 3 (7) eap_peap : FR_TLS_SUCCESS (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state TUNNEL ESTABLISHED (7) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaf6e997d (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge of id 179 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010a002b19001703010020be713b3d1fc2d5f5b78ada5c59f71d259becb60cfd631484fe72a2b116382a42 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfaf6e997d12828dafc6890954 (7) Finished request 7. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=180, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020a002b19001703010020d1ef31ba5764aeaecaa4d794b45d9412106b7d2d16fab86405e45bf76a79f9fd State = 0xa86480cfaf6e997d12828dafc6890954 Message-Authenticator = 0x390272675aad0fd9a3bb808b7e842d1d (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) ? if (!User-Name) (8) ? if (!User-Name) -> FALSE (8) ? if (User-Name != "%{tolower:%{User-Name}}") (8) expand: "%{tolower:%{User-Name}}" -> 'dumm' (8) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) ? if (User-Name =~ / /) (8) ? if (User-Name =~ / /) -> FALSE (8) ? if (User-Name =~ /@.*@/ ) (8) ? if (User-Name =~ /@.*@/ ) -> FALSE (8) ? if (User-Name =~ /\\.\\./ ) (8) ? if (User-Name =~ /\\.\\./ ) -> FALSE (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) ? if (User-Name =~ /\\.$/) (8) ? if (User-Name =~ /\\.$/) -> FALSE (8) ? if (User-Name =~ /@\\./) (8) ? if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "dumm", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "dumm" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) eap : EAP packet type response id 10 length 43 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xa86480cfaf6e997d (8) eap : Finished EAP session with state 0xa86480cfaf6e997d (8) eap : Previous EAP request found for state 0xa86480cfaf6e997d, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state WAITING FOR INNER IDENTITY (8) eap_peap : Identity - dumm (8) eap_peap : Got inner identity 'dumm' (8) eap_peap : Setting default EAP type for tunneled EAP session (8) eap_peap : Got tunneled request EAP-Message = 0x020a00090164756d6d server default { (8) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020a00090164756d6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' server inner-tunnel { (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "dumm", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "dumm" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 10 length 9 (8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Peer sent Identity (1) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : Issuing Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xee5b016dee501bdf (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016dee501bdf8d4c45a0081cd9a7 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016dee501bdf8d4c45a0081cd9a7 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa06f997d (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge of id 180 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010b005b1900170301005073ea643c33410b75bddafebb5c6dfcb84d36924a83410e9111f31a559c3dd1583d191d435a92bab18f28ffe91e6e877127f7ad007cfbfacaead6ab6ba3a224bdad252b5049a926b9031d12e1dfa0f57d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa06f997d12828dafc6890954 (8) Finished request 8. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=181, length=313 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020b005b190017030100501e92d5aac9bc32d3633a445500b65cf43ba2fafff188597ff64350f659c20099cd4d3cc1b46e10d3af5d214a9117445e49ff1d0117cded672220a5889795b4b0a148f0bd43b5e703cec7f0a4271868a7 State = 0xa86480cfa06f997d12828dafc6890954 Message-Authenticator = 0xd1a70dbde1b61df2d5cb92820834b904 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) ? if (!User-Name) (9) ? if (!User-Name) -> FALSE (9) ? if (User-Name != "%{tolower:%{User-Name}}") (9) expand: "%{tolower:%{User-Name}}" -> 'dumm' (9) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) ? if (User-Name =~ / /) (9) ? if (User-Name =~ / /) -> FALSE (9) ? if (User-Name =~ /@.*@/ ) (9) ? if (User-Name =~ /@.*@/ ) -> FALSE (9) ? if (User-Name =~ /\\.\\./ ) (9) ? if (User-Name =~ /\\.\\./ ) -> FALSE (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) ? if (User-Name =~ /\\.$/) (9) ? if (User-Name =~ /\\.$/) -> FALSE (9) ? if (User-Name =~ /@\\./) (9) ? if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) eap : EAP packet type response id 11 length 91 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xee5b016dee501bdf (9) eap : Finished EAP session with state 0xa86480cfa06f997d (9) eap : Previous EAP request found for state 0xa86480cfa06f997d, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d server default { (9) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' State = 0xee5b016dee501bdf8d4c45a0081cd9a7 server inner-tunnel { (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 11 length 63 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xee5b016dee501bdf (9) eap : Finished EAP session with state 0xee5b016dee501bdf (9) eap : Previous EAP request found for state 0xee5b016dee501bdf, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : adding MS-CHAPv2 MPPE keys (9) [mschap] = ok (9) } # Auth-Type MS-CHAP = ok MSCHAP Success (9) eap : New EAP session, adding 'State' attribute to reply 0xee5b016def571bdf (9) [eap] = handled (9) } # authenticate = handled } # server inner-tunnel (9) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016def571bdf8d4c45a0081cd9a7 (9) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016def571bdf8d4c45a0081cd9a7 (9) eap_peap : Got tunneled Access-Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa168997d (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge of id 181 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010c008b1900170301008046339821146757e1169814d336fa5f44c5ce7a0e601f78caedb3fd62a4fa62b2f7d8d34cc19780af80a57723dadd2585f7fa37d7cdca90f4cdb16b2d35e36f36c6a4bcb7638a02e9dd200cde370816f25c171bc348b6a5282ae214face960bd0eede6e44d5006125861933e0fdc966b82a9a03e63641d184d1c5244f6023ecae Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa168997d12828dafc6890954 (9) Finished request 9. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=182, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020c002b19001703010020b0ac95690bead98890fb01b1789e3dcdc33e358f214f171ebe643ab87330ea1a State = 0xa86480cfa168997d12828dafc6890954 Message-Authenticator = 0x7c14084404119159c3d9e6416e0a8110 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) ? if (!User-Name) (10) ? if (!User-Name) -> FALSE (10) ? if (User-Name != "%{tolower:%{User-Name}}") (10) expand: "%{tolower:%{User-Name}}" -> 'dumm' (10) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) ? if (User-Name =~ / /) (10) ? if (User-Name =~ / /) -> FALSE (10) ? if (User-Name =~ /@.*@/ ) (10) ? if (User-Name =~ /@.*@/ ) -> FALSE (10) ? if (User-Name =~ /\\.\\./ ) (10) ? if (User-Name =~ /\\.\\./ ) -> FALSE (10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) ? if (User-Name =~ /\\.$/) (10) ? if (User-Name =~ /\\.$/) -> FALSE (10) ? if (User-Name =~ /@\\./) (10) ? if (User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "dumm", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "dumm" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) eap : EAP packet type response id 12 length 43 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xee5b016def571bdf (10) eap : Finished EAP session with state 0xa86480cfa168997d (10) eap : Previous EAP request found for state 0xa86480cfa168997d, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020c00061a03 server default { (10) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' State = 0xee5b016def571bdf8d4c45a0081cd9a7 server inner-tunnel { (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) [chap] = noop (10) [mschap] = noop (10) suffix : No '@' in User-Name = "dumm", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "dumm" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) Proxy-To-Realm := 'LOCAL' (10) } # update control = noop (10) eap : EAP packet type response id 12 length 6 (10) eap : EAP-MSCHAPV2 success, returning short-circuit ok (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap : Expiring EAP session with state 0xee5b016def571bdf (10) eap : Finished EAP session with state 0xee5b016def571bdf (10) eap : Previous EAP request found for state 0xee5b016def571bdf, released from the list (10) eap : Peer sent MSCHAPv2 (26) (10) eap : EAP MSCHAPv2 (26) (10) eap : Calling eap_mschapv2 to process EAP data (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) Login OK: [dumm/<via Auth-Type = EAP>] (from client uni port 0 via TLS tunnel) (10) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (10) post-auth { (10) reply_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" -> '/var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218' (10) reply_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218 (10) reply_log : expand: "%t" -> 'Wed Dec 18 13:34:42 2013' (10) [reply_log] = ok (10) ldap : expand: "." -> '.' (10) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 13:34:42' rlm_ldap (ldap): Reserved connection (2) (10) ldap : Waiting for bind result... (10) ldap : Bind successful (10) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (10) ldap : expand: "o=org" -> 'o=org' (10) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (10) ldap : Waiting for search result... (10) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (10) [ldap] = reject (10) } # post-auth = reject } # server inner-tunnel (10) eap_peap : Got tunneled reply code 3 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'dumm' (10) eap_peap : Got tunneled reply RADIUS code 3 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'dumm' (10) eap_peap : Tunneled authentication was rejected (10) eap_peap : FAILURE (10) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa269997d (10) [eap] = handled (10) } # authenticate = handled Sending Access-Challenge of id 182 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010d002b19001703010020b5173c1b2cec565ddf2100e27bc0bea6358257604cbf176f1e6b006c028fccb9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa269997d12828dafc6890954 (10) Finished request 10. Waking up in 0.1 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=183, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020d002b19001703010020c712a6ac4a0db2089c88254691e2fc91f9efdff20bffff880f830a5a22706162 State = 0xa86480cfa269997d12828dafc6890954 Message-Authenticator = 0xdfd550bec019140e91d79fe8c9eb081a (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) filter_username filter_username { (11) ? if (!User-Name) (11) ? if (!User-Name) -> FALSE (11) ? if (User-Name != "%{tolower:%{User-Name}}") (11) expand: "%{tolower:%{User-Name}}" -> 'dumm' (11) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (11) ? if (User-Name =~ / /) (11) ? if (User-Name =~ / /) -> FALSE (11) ? if (User-Name =~ /@.*@/ ) (11) ? if (User-Name =~ /@.*@/ ) -> FALSE (11) ? if (User-Name =~ /\\.\\./ ) (11) ? if (User-Name =~ /\\.\\./ ) -> FALSE (11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) ? if (User-Name =~ /\\.$/) (11) ? if (User-Name =~ /\\.$/) -> FALSE (11) ? if (User-Name =~ /@\\./) (11) ? if (User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix : No '@' in User-Name = "dumm", looking up realm NULL (11) suffix : Found realm "NULL" (11) suffix : Adding Stripped-User-Name = "dumm" (11) suffix : Adding Realm = "NULL" (11) suffix : Authentication realm is LOCAL (11) [suffix] = ok (11) eap : EAP packet type response id 13 length 43 (11) eap : Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap : Expiring EAP session with state 0xa86480cfa269997d (11) eap : Finished EAP session with state 0xa86480cfa269997d (11) eap : Previous EAP request found for state 0xa86480cfa269997d, released from the list (11) eap : Peer sent PEAP (25) (11) eap : EAP PEAP (25) (11) eap : Calling eap_peap to process EAP data (11) eap_peap : processing EAP-TLS (11) eap_peap : eaptls_verify returned 7 (11) eap_peap : Done initial handshake (11) eap_peap : eaptls_process returned 7 (11) eap_peap : FR_TLS_OK (11) eap_peap : Session established. Decoding tunneled attributes (11) eap_peap : Peap state send tlv failure (11) eap_peap : Received EAP-TLV response (11) eap_peap : The users session was previously rejected: returning reject (again.) (11) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (11) eap_peap : *** to find out the reason why the user was rejected (11) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you (11) eap_peap : *** what went wrong, and how to fix the problem SSL: Removing session e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 from the cache (11) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (11) eap : Failed in EAP select (11) [eap] = invalid (11) } # authenticate = invalid (11) Failed to authenticate the user (11) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [dumm/<via Auth-Type = EAP>] (from client uni port 1 cli xx-xx-xx-xx-xx-xx) (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Post-Auth-Type REJECT { (11) attr_filter.access_reject : expand: "%{User-Name}" -> 'dumm' (11) attr_filter.access_reject : Matched entry DEFAULT at line 11 (11) [attr_filter.access_reject] = updated (11) ldap : expand: "." -> '.' (11) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 13:34:42' rlm_ldap (ldap): Reserved connection (2) (11) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (11) ldap : expand: "o=org" -> 'o=org' (11) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (11) ldap : Waiting for search result... (11) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (11) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org" (11) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (11) [ldap] = reject (11) } # Post-Auth-Type REJECT = reject (11) Finished request 11. Waking up in 0.1 seconds. Waking up in 0.6 seconds. (11) Sending delayed reject Sending Access-Reject of id 183 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 172 with timestamp +22 (1) Cleaning up request packet ID 173 with timestamp +22 (2) Cleaning up request packet ID 174 with timestamp +22 (3) Cleaning up request packet ID 175 with timestamp +22 (4) Cleaning up request packet ID 176 with timestamp +22 (5) Cleaning up request packet ID 177 with timestamp +22 (6) Cleaning up request packet ID 178 with timestamp +22 (7) Cleaning up request packet ID 179 with timestamp +22 (8) Cleaning up request packet ID 180 with timestamp +22 (9) Cleaning up request packet ID 181 with timestamp +22 (10) Cleaning up request packet ID 182 with timestamp +22 Waking up in 1.0 seconds. (11) Cleaning up request packet ID 183 with timestamp +22 Ready to process requests Signalled to terminate Exiting normally rlm_ldap (ldap): Removing connection pool rlm_ldap (ldap): Closing connection (2) rlm_ldap (ldap): Closing connection (1) rlm_ldap (ldap): Closing connection (0)