I am testing the new version of FreeRadius (v2.1.10) on a CentOS 5 server with Samba 3.4.3 installed. The ultimate goal is to do 802.1x port authentication (Vista machines) for Wired connections and authenticate the users against Windows 2008 R2 AD. I configured Samba and join it to the Domain, and configured FreeRadius per the instructions on the Wiki. Testing against AD was successful, so I configured FreeRadius to use EAP-PEAP, generated my own certificates and ran into problems when testing it out. When I generated the certificates, I created the server key and server csr with openssl. I signed the csr with a Windows CA (adding the XPextensions) and then converted the DER format to PEM using openssl. I verified that the certificate did have the Extended Key Attributes: [root@radius mycerts]# openssl x509 -text -noout -in radius2.pem shows: X509v3 Extended Key Usage: TLS Web Server Authentication When I try to authenticate, I did not see any errors, but at the end of the debug output shows: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. I regenerated the certificates with the same results. Does anyone have a clue on what is happening? Here is the Debug output: rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=177, length=112 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" EAP-Message = 0x02010010014d454d5c7267726168616d Message-Authenticator = 0xe1910a3453bca0c7c905bfc2e5cd5aec # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 53 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 177 to 172.16.1.2 port 1645 Service-Type = Framed-User Framed-Protocol = PPP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b17d75de2f7dce27aee56b663 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=178, length=236 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b17d75de2f7dce27aee56b663 EAP-Message = 0x0202007a198000000070160301006b0100006703014d2f6a09730b74f908bd8b719705 896b0b5eb2fe01f3fa3e0c26d38bcffa7361000018002f00350005000ac009c00ac013c0 1400320038001300040100002600000010000e00000b6d656d5c7267726168616d000a00 080006001700180019000b00020100 Message-Authenticator = 0x63e3265e98a3bb083f39d950ae2ade9f # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 178 to 172.16.1.2 port 1645 EAP-Message = 0x0103040019c00000088b160301002a0200002603014d2f698b6d3788f388aa9228162c 3f76d3fe9a63fe494c39669259b60b9de8ad00002f00160301084e0b00084a0008470004 af308204ab30820393a003020102020a23987bed000000000009300d06092a864886f70d 0101050500304f31133011060a0992268993f22c6401191603636f6d31173015060a0992 268993f22c64011916076d656d2d696e73311f301d060355040313166d656d2d696e732d 4d454d2d4c41422d4443332d4341301e170d3131303131333138313134385a170d313230 3131333138323134385a308190310b30090603550406130255533111300f060355040813 084d EAP-Message = 0x6973736f7572693111300f06035504071308436f6c756d626961310c300a060355040a 13034d454d310b3009060355040b13024953311b3019060355040313127261646975732e 6d656d2d696e732e636f6d3123302106092a864886f70d01090116147365637572697479 406d656d2d696e732e636f6d305c300d06092a864886f70d0101010500034b0030480241 00f36a27a2cafae70e6ba4a457802e352b6cb99976513c47cad6ec7585eedc5a565e736d bbc5377935dc2143414ee3620b1657503df4f5658c6d4549b322db5a090203010001a382 020d30820209301d0603551d0e04160414787066c86e7a89d1c0bc0df2d001a9de5a7590 a630 EAP-Message = 0x1f0603551d2304183016801477292debc77ac57e073627dba3229e6faf5b76103081d8 0603551d1f0481d03081cd3081caa081c7a081c48681c16c6461703a2f2f2f434e3d6d65 6d2d696e732d4d454d2d4c41422d4443332d43412c434e3d6d656d2d6c61622d6463332c 434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e 3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e 732c44433d636f6d3f63657274696669636174655265766f636174696f6e4c6973743f62 6173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74 3081 EAP-Message = 0xc806082b060105050701010481bb3081b83081b506082b060105050730028681a86c64 61703a2f2f2f434e3d6d656d2d696e732d4d454d2d4c41422d4443332d43412c434e3d41 49412c434e3d5075626c69632532304b657925323053657276696365732c434e3d536572 76696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e732c4443 3d636f6d3f634143657274696669636174653f626173653f6f626a656374436c6173733d 63657274696669636174696f6e417574686f72697479300c0603551d130101ff04023000 30130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500 0382 EAP-Message = 0x0101003a8b2d68ea968ca3eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b16d65de2f7dce27aee56b663 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=179, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b16d65de2f7dce27aee56b663 EAP-Message = 0x020300061900 Message-Authenticator = 0x1a2ddd0cffc8a6eeb4bd5af56a73316f # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 179 to 172.16.1.2 port 1645 EAP-Message = 0x010403fc19407aa413407a16a4e2e344994d020646636e4b03b012a0a7011631e0a917 fd491b2ad6795c8e210fbeb759e66ace486020b3c2da8778d05bf6b04431547da91e04bc 304cc957f8782b5a6a903608da92903dc7bef79579d77e65b65ab8984156d8a6997219b9 0bbd75db4b432c48d3c97430916cc47a76bc095daedc0f0749f05f51bce08543a2192b78 7f15a208d6a2db4009df5079cf20e7986548032df3b55d36428bceae20295f7b7db4b745 18a92058f72016204e226e158f3b1150dcfca79b3f831954b7917f3b52f22e831506b0f0 3d8970e4be34e73ce4edbfe2b52917939b0a1b3026467291a722f3fafa13ec7ad395d76c 7ee0 EAP-Message = 0x0003923082038e30820276a00302010202101d65a3c4272ba9ae4000af16adf133e830 0d06092a864886f70d0101050500304f31133011060a0992268993f22c6401191603636f 6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d060355040313 166d656d2d696e732d4d454d2d4c41422d4443332d4341301e170d313031303134303035 3434315a170d3335313031343031303433395a304f31133011060a0992268993f22c6401 191603636f6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d06 0355040313166d656d2d696e732d4d454d2d4c41422d4443332d434130820122300d0609 2a86 EAP-Message = 0x4886f70d01010105000382010f003082010a0282010100dec78b70f45103e5f3d835b4 d757320e0442c0ce223a37d5148087d0d9cac90f1244fab1b4d6e57bf0f04a9df770d973 d1a35379bd1448159880adb6c059d7bc48c19790b784e0cb0519f73605687435a943a99f 063e36eb4584535c35a7f3d6f4900c54712280080bb229245b8a7f9ec39047ed0e1a906f 632f97d4b75c6369817f85479e6cb009bb5be487ecd7b2186c818efd595b13faafbe0385 5adf655cdf70f23fbc7ddb63c8ea3466ae027252fccb877bc9adebfc4d637faf3f55366c 4fa53cab5dde9edfc1dead59b4b56479ec52fdb91cc8a282ebc2529d41f3088c3858e80b 1628 EAP-Message = 0x708eda94966f51a236d785f13193e252ea7279b5bd6c2ee4553b0203010001a3663064 301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f 0603551d130101ff040530030101ff301d0603551d0e0416041477292debc77ac57e0736 27dba3229e6faf5b7610301006092b06010401823715010403020100300d06092a864886 f70d010105050003820101004ed045d54a6ec8362174cc3b70e9617f31fcec9951c61f8c f8e850fed2b86207295690201a1cbb174870927fa6c847289688da1a0b33ee935c9d2b57 83547de88e1b42e1f04aa001fe2af230e35da26b6cfe17ae58b5e4a875c53d7249380777 82df EAP-Message = 0x6c3bec718651f019 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b15d15de2f7dce27aee56b663 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=180, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b15d15de2f7dce27aee56b663 EAP-Message = 0x020400061900 Message-Authenticator = 0x952d481043dda4da8eca2b39ffd30fcb # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 180 to 172.16.1.2 port 1645 EAP-Message = 0x010500a519002b3a66c8e8526d8ca3c9e036f7c21295735cffc7cca62e8d1da2526a65 a9f79a69c80e259b2ac75781bf6c6f80ec149a46dd773307ecdfc2346ecd140ae08475e2 bbf8d4cc45677d0c0821e9f3b3001899691830b151c99665a689a177a97682fb1a740da6 bf92d05b83f293bc3d3ce00dea49df7eb6d39032dc5e4ad50419e189e57751e10cb9939b 43a4c39b945fa0fd57f05dc01c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b14d05de2f7dce27aee56b663 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=181, length=258 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b14d05de2f7dce27aee56b663 EAP-Message = 0x02050090198000000086160301004610000042004019a92f516c2ed12eed5c4b4f4de6 3dbd4200f5c6293ff30e2565451f3775ffcbb01d71c341ac94d80926258517db6c5e7512 05e76bdc724f025dc43e441288b51403010001011603010030b7b8c1cc4e21a2c6fd1e52 308e75c347510b2336a38c4ace61bde40495ac3bc86b53995adf75e9c428d63028edb075 4b Message-Authenticator = 0x502b16df4abdeec82fb8a4031b883444 # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 181 to 172.16.1.2 port 1645 EAP-Message = 0x0106004119001403010001011603010030740816e4b8e4c191780d546c1443a25171c6 2261bb4bbd7fa91dd713403f86418f33de753f3af5259f8ad46ed0d64abf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b13d35de2f7dce27aee56b663 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=182, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b13d35de2f7dce27aee56b663 EAP-Message = 0x020600061900 Message-Authenticator = 0x01334a4b91706f8128e35f10f6c74e0d # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 182 to 172.16.1.2 port 1645 EAP-Message = 0x0107002b190017030100201437bd7da4e0d7dccb3f7880d51fa1881eae5c67aad13229 4e712cd80416cfbb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b12d25de2f7dce27aee56b663 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=183, length=173 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b12d25de2f7dce27aee56b663 EAP-Message = 0x0207003b1900170301003076edeff553f5cb4d13a2ed7029ba397c77cf9d64c3d4712d 1fc345d3d0dfdd1cec8ba1521e7800fab983b4b9c28068bb Message-Authenticator = 0xea354eec0fbb47ee4a142b0d6920754e # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - MEM\test1 [peap] Got inner identity 'MEM\test1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02070010014d454d5c7267726168616d server { PEAP: Setting User-Name to MEM\test1 Sending tunneled request EAP-Message = 0x02070010014d454d5c7267726168616d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MEM\\test1" server inner-tunnel { # Executing section authorize from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168 616d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c0c9db106b079f71f54582b1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168 616d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c0c9db106b079f71f54582b1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 183 to 172.16.1.2 port 1645 EAP-Message = 0x0108004b190017030100402047ac117f1fb44413571911d8cc5218a52dcd31033604e2 4e1884e44ef4d3a56b0540d56451fbbcaa3dc0ba6856c560b31b06642fa27235651d8869 8617735b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b11dd5de2f7dce27aee56b663 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=184, length=221 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b11dd5de2f7dce27aee56b663 EAP-Message = 0x0208006b19001703010060ed7d3f594ba21455ac85cb59be5680cbec08cd20c7e2ac70 5c3d5289aadb43318fded2bc16e793b1fe21206e81054dece94dc95f6a5402014a10a21c 4f09d86a069d624832465c2ed89040cda57f84cb0298184274cec6eeb88a17f0198a0594 Message-Authenticator = 0x4c97f3f00ebaf2a9bd5a748646064d04 # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d server { PEAP: Setting User-Name to MEM\test1 Sending tunneled request EAP-Message = 0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MEM\\test1" State = 0xc0c1c1a1c0c9db106b079f71f54582b1 server inner-tunnel { # Executing section authorize from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test1 [mschap] Told to do MS-CHAPv2 for test1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=test1 [mschap] expand: %{mschap:NT-Domain} -> MEM [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MEM} -> --domain=MEM [mschap] mschap2: a0 [mschap] Creating challenge hash with username: test1 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=101d5affa80deb2a [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2ff233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa Exec-Program output: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program-Wait: plaintext: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d363836324644434335413636363431333041383135354636 43454332414535354530433031354133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c1c8db106b079f71f54582b1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d363836324644434335413636363431333041383135354636 43454332414535354530433031354133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c1c8db106b079f71f54582b1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 184 to 172.16.1.2 port 1645 EAP-Message = 0x0109005b190017030100503ab95bfb4fc74f8bdbc39c6a332f01e8238c1548c1d905ed c81dc513033f398190f455a6a164b10035f08c1b0eef983b1174dc9136c66507a8209a06 f26adf1ed27f08e7c1f157ae925b63dc1d3452f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b10dc5de2f7dce27aee56b663 Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 177 with timestamp +72 Cleaning up request 1 ID 178 with timestamp +72 Cleaning up request 2 ID 179 with timestamp +72 Cleaning up request 3 ID 180 with timestamp +72 Cleaning up request 4 ID 181 with timestamp +72 Cleaning up request 5 ID 182 with timestamp +72 Cleaning up request 6 ID 183 with timestamp +72 Cleaning up request 7 ID 184 with timestamp +72 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!