Hi, I've searched high and low for answers/a solution on this and haven't had much luck, so I'm hoping someone on this list might be able to help. I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication. Essentially I'm seeing the below error: Auth: Invalid user: [DOMAIN\\user] or Auth: Invalid user: [host\\MACHINE-NAME] Successful authentications (from a mac) look like this: Auth: Login OK: [user] Running "ntlm_auth --request-nt-key --username=domain\\user" returns NT_STATUS_OK The only real configuration changes I've made are in the mschap mod, having tried both of the following: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Below is a debug of a windows 8 wireless client attempting to authenticate. First it tries machine authentication, then it tries user authentication. Any help would be greatly appreciated. Cheers Ready to process requests. Received Access-Request Id 211 from 172.17.6.253:32985 to 192.168.254.181:1812 length 240 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0201002001686f73742f77696e38312d6f70732e696e2e667265736876696577 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xb1632e4c77e27f16f9cdd51c91aa5ee9 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> host/win81-ops.in.testdomain (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 1 length 32 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12af78b29f (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 211 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12af78b29f91f28722b6106031 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 203 from 172.17.6.253:32985 to 192.168.254.181:1812 length 344 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0202007619800000006c16030100670100006303015550523bf4af127e5fe0dfcfc8c5a896e7cfc31a2a7746ab87d162af997a04a5000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000 State = 0xaf7aab12af78b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa9f4a8b97958f630a9984c92c0fcc7bd (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> host/win81-ops.in.testdomain (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 2 length 118 (1) eap : Continuing tunnel setup. (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xaf7aab12af78b29f (1) eap : Finished EAP session with state 0xaf7aab12af78b29f (1) eap : Previous EAP request found for state 0xaf7aab12af78b29f, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 108 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 0067], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0c61], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap : TLS_accept: SSLv3 write key exchange A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ae79b29f (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 203 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010303ec19c000000e1d1603010059020000550301f9a84ded3c3d019330abd1de6d7ff97f916e4aa4140b0733d9c1a1686ec5ba212041db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63dc01400000dff01000100000b0004030001021603010c610b000c5d000c5a0004a7308204a33082038ba00302010202030439a3300d06092a864886f70d01010b05003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696453534c20534841323536204341202d204733301e170d3135303530373033333932305a170d3136303530383233353131385a30819431133011060355040b130a475432333636383233393131302f060355040b1328536565207777772e726170696473736c2e636f6d2f7265736f75726365732f637073202863293135312f302d060355040b1326446f6d61696e20436f6e74726f6c2056616c696461746564202d20526170696453534c2852293119301706035504031310776966692e63616d706d6f6e2e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c2b2d2c1ff3c2380d9d47968c4a76b101501d4b4d3efd5857da81b6610580c9021e898e1beb2f5ea06a98dfd06a3f04bfa7b68fc77481cc7b9eb5777938 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ae79b29f91f28722b6106031 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 213 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0xaf7aab12ae79b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x78dd3eaf48cf6c7dbaa005633cb99020 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> host/win81-ops.in.testdomain (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 3 length 6 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xaf7aab12ae79b29f (2) eap : Finished EAP session with state 0xaf7aab12ae79b29f (2) eap : Previous EAP request found for state 0xaf7aab12ae79b29f, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ad7eb29f (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 213 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010403e8194068747470733a2f2f7777772e726170696473736c2e636f6d2f6c6567616c300d06092a864886f70d01010b05000382010100412ebe33348a8106947be103048d5e4157080515045c19a8462a51e4feeca012ee0dc94be9e68ac04f9f65e221ce68f9fbe8e8168bc96facb82798fc5b13ea06f1ffd6f2a1683b5b7724324583f81c1488b36ebb24dc5fc2869a56deca8df3d8280bd435a6a0da7538811583165a5472ac3083e17d572ee39b22330b526f78ee4cb3a6bddd5da72964d40dc24886262c496e902b113cec927570ad97c97b69139b6e7a3fd880364272157aa9d8d1282b47629eec34e7c9f7e7bcdc542844ef1ad4a5d0af52c5998f3eb7fc16750e053edfd5ec552c3605586e652059d7df62719839c9be47acc6da9bc55822c024b98fd93ea1f864785e73066c022efa89ed7f000429308204253082030da0030201020203023a77300d06092a864886f70d01010b05003042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c204341301e170d3134303832393231333933325a170d3232303532303231333933325a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ad7eb29f91f28722b6106031 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 212 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0xaf7aab12ad7eb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x318c68ac9fd3cec956e3ad0fe6630868 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> host/win81-ops.in.testdomain (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 4 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xaf7aab12ad7eb29f (3) eap : Finished EAP session with state 0xaf7aab12ad7eb29f (3) eap : Previous EAP request found for state 0xaf7aab12ad7eb29f, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ac7fb29f (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 212 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010503e819400105050730018612687474703a2f2f672e73796d63642e636f6d304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d01010b05000382010100a3581ec64332acac2f9378b7eaae5440472d7e788d50f6f866acd64f73d644efaf0bcc5bc1f44f9a8f497e60afc227c716f1fb938190a97cef6f7e6e45941684bdec49f1c40ef4af045983870f2c3b97c35a129b7b04357ba39533087b93712242b3a9d96f4f8192fc07b679bc844a9d7709f1c589f2f0b49c54aa127b0dba4fef9319ecef7d4e61a38e769c59cf8c94b18497f71ab907b8b2c64f1379dbbf4f511b7f690d512ac1d615ff3751346551f41ebe386aec0eabbf3d7b39057bf4f3fb1aa1d0c87e4e648dcd8c615590fe3aca5d250ff81da34a74564f1a5540707525a6332eba4ba55d539a0d30e18d5f612cafccefb099a180ff0bf2624c7026980003813082037d308202e6a003020102020312bbe6300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f726974793 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ac7fb29f91f28722b6106031 (3) Finished request Waking up in 0.3 seconds. Received Access-Request Id 215 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xaf7aab12ac7fb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa1f200dd5a90136447ce1b37b4b067f6 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name != "%{tolower:%{User-Name}}") (4) EXPAND %{tolower:%{User-Name}} (4) --> host/win81-ops.in.testdomain (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) if (User-Name =~ / /) (4) if (User-Name =~ / /) -> FALSE (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 5 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xaf7aab12ac7fb29f (4) eap : Finished EAP session with state 0xaf7aab12ac7fb29f (4) eap : Previous EAP request found for state 0xaf7aab12ac7fb29f, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ab7cb29f (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 215 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0106027d19003a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c304e0603551d200447304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279300d06092a864886f70d01010505000381810076e1126e4e4b1612863006b28108cff008c7c7717e66eec2edd43b1ffff0f0c84ed64338b0b9307d18d05583a26acb36119ce84866a36d7fb813d447fe8b5a5c73fcaed91b321938ab973414aa96d2eba31c140849b6bbe591ef8336eb1d566fcadabc736390e47f7b3e22cb3d07ed5f38749ce303504ea1af98ee61f2843f12160301014b0c0001470300174104897a41b10d790abe7d33a7bae7191df884039b23026439f474763fa6cb936641097d6e73ce79a5d3ee3b2dfa1b6742cbcfb4d94a2af4c9fb6f756ba052b43beb01009562f546db63c6a53f98650f9c9d234c62b3baccfd8e26d7b9d6c78e6e3a07a30382f753afb96cb8ec266b728877907a1c97f6c7948f7e9fa2ef2b571fbeb92748fee46d52b20070b28559f1f20027269f02be9d63f5756b166ceaa06afa8c13fcd38c8a4133c0288c9ed1fa2aa55e92d8a3cf16fa192847ce5bbb08ab2fdad640d11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ab7cb29f91f28722b6106031 (4) Finished request Waking up in 0.3 seconds. Received Access-Request Id 216 from 172.17.6.253:32985 to 192.168.254.181:1812 length 370 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020600901980000000861603010046100000424104d85d873dea9326b04b69add1a56edb8644246c919b8f460725f22d19b7bfbf30fe22e7d993c960b2ffeebbd155bb316e63ba7796287a737a52d0367b3ab5eb5614030100010116030100306bf7326dd2963bc5094534034ea75caccf46011de517912c4d0c91d510ef3644496711ac075146320a47c686b17ee94c State = 0xaf7aab12ab7cb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x3d5c9d2133066c4b3420ff366a49e175 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name != "%{tolower:%{User-Name}}") (5) EXPAND %{tolower:%{User-Name}} (5) --> host/win81-ops.in.testdomain (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) if (User-Name =~ / /) (5) if (User-Name =~ / /) -> FALSE (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 6 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xaf7aab12ab7cb29f (5) eap : Finished EAP session with state 0xaf7aab12ab7cb29f (5) eap : Previous EAP request found for state 0xaf7aab12ab7cb29f, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12aa7db29f (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 216 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0107004119001403010001011603010030904c13f5aa90bc06c6a9e4a9a9fe076ac1facca994920e0028b62392ef0d62e3dffb6d45d1198e88cbe9b9ce70df1d39 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12aa7db29f91f28722b6106031 (5) Finished request Waking up in 0.2 seconds. Waking up in 4.6 seconds. Received Access-Request Id 218 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020700061900 State = 0xaf7aab12aa7db29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x870a84bb1fdef1e9e576bb097297dafc (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name != "%{tolower:%{User-Name}}") (6) EXPAND %{tolower:%{User-Name}} (6) --> host/win81-ops.in.testdomain (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) if (User-Name =~ / /) (6) if (User-Name =~ / /) -> FALSE (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 7 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xaf7aab12aa7db29f (6) eap : Finished EAP session with state 0xaf7aab12aa7db29f (6) eap : Previous EAP request found for state 0xaf7aab12aa7db29f, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a972b29f (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 218 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0108002b19001703010020f022350972cbaf550411b0a05e940de89489d54aaa26eea60fa42c528e37b598 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a972b29f91f28722b6106031 (6) Finished request Waking up in 0.3 seconds. Received Access-Request Id 219 from 172.17.6.253:32985 to 192.168.254.181:1812 length 301 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0208004b190017030100401450d110896340dd1527e3b736b40db579761481d7c7bd8df6f8a8bafe346ae902d6eca6adb3ce318e7f8a82345ed565cb364dbaf6fea0c3ea2fe03f596781b8 State = 0xaf7aab12a972b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x81748904e69029b5c562279f77a1fa9a (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name != "%{tolower:%{User-Name}}") (7) EXPAND %{tolower:%{User-Name}} (7) --> host/win81-ops.in.testdomain (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) if (User-Name =~ / /) (7) if (User-Name =~ / /) -> FALSE (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 8 length 75 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xaf7aab12a972b29f (7) eap : Finished EAP session with state 0xaf7aab12a972b29f (7) eap : Previous EAP request found for state 0xaf7aab12a972b29f, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - host/win81-ops.in.testdomain (7) eap_peap : Got inner identity 'host/win81-ops.in.testdomain' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (7) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) ntdomain : No such realm "NULL" (7) [ntdomain] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 8 length 32 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xdf4bb440df42ae97 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a873b29f (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 219 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0109005b1900170301005026e15c112b330ea70a897a62e1e776e56a8cfc3542db91a040be524e2ecd90127236545cd0d513ea877cdd23c887e844dd5fc775bd5cb9fc5aeb0e0d08ee6646e96621abff9801bf0b83f07219a91189 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a873b29f91f28722b6106031 (7) Finished request Waking up in 0.3 seconds. Received Access-Request Id 217 from 172.17.6.253:32985 to 192.168.254.181:1812 length 349 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0209007b19001703010070c28751119ce4f468f4da5543f53dfa82dc9fb4ec3663880ebc4225065cf9de7314a32afc8093225d3fc12d012659cc234ee541504d9fde5d06fa80dfe83e331aa6527744476fd0f2aed8b4596f0efd388f1b20164aba971c8de1654bc68e9b63b89c741d4067a43f254bc083a03ea937 State = 0xaf7aab12a873b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x60c7b813e29d7f613e573fca00dadb1f (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name != "%{tolower:%{User-Name}}") (8) EXPAND %{tolower:%{User-Name}} (8) --> host/win81-ops.in.testdomain (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) if (User-Name =~ / /) (8) if (User-Name =~ / /) -> FALSE (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 9 length 123 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xaf7aab12a873b29f (8) eap : Previous EAP request found for state 0xaf7aab12a873b29f, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (8) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' State = 0xdf4bb440df42ae976131f6adcea1c414 server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) ntdomain : No such realm "NULL" (8) [ntdomain] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 9 length 86 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xdf4bb440df42ae97 (8) eap : Previous EAP request found for state 0xdf4bb440df42ae97, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : Client is using MS-CHAPv2 (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (8) mschap : EXPAND --username=%{mschap:User-Name:-None} (8) mschap : --> --username=win81-ops$ (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00} (8) mschap : --> --challenge=4d7bb6f00f0d7a38 (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00} (8) mschap : --> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229 (8) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap : External script failed. (8) ERROR: mschap : External script says: Logon failure (0xc000006d) (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) eap : Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user. (8) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 via TLS tunnel) (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject : EXPAND %{User-Name} (8) attr_filter.access_reject : --> host/win81-ops.in.testdomain (8) attr_filter.access_reject : Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) } # Post-Auth-Type REJECT = updated } # server inner-tunnel (8) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Tunneled authentication was rejected. (8) eap_peap : FAILURE (8) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a770b29f (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 217 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010a002b190017030100200b738039b4f535481dff197a39ee81927b772fac96781dd6e727a46a1fce1378 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a770b29f91f28722b6106031 (8) Finished request Waking up in 0.3 seconds. Received Access-Request Id 220 from 172.17.6.253:32985 to 192.168.254.181:1812 length 269 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020a002b19001703010020544957a4f102082595db7a5beab83a5e39c5618bc043779c4640f13519373571 State = 0xaf7aab12a770b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x567dfee464244ff803f97a5369736c65 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name != "%{tolower:%{User-Name}}") (9) EXPAND %{tolower:%{User-Name}} (9) --> host/win81-ops.in.testdomain (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) if (User-Name =~ / /) (9) if (User-Name =~ / /) -> FALSE (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 10 length 43 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xaf7aab12a770b29f (9) eap : Finished EAP session with state 0xaf7aab12a770b29f (9) eap : Previous EAP request found for state 0xaf7aab12a770b29f, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state send tlv failure (9) eap_peap : Received EAP-TLV response. (9) eap_peap : The users session was previously rejected: returning reject (again.) (9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (9) eap_peap : *** to find out the reason why the user was rejected. (9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you. (9) eap_peap : *** what went wrong, and how to fix the problem. SSL: Removing session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d from the cache (9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap : Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user. (9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject : EXPAND %{User-Name} (9) attr_filter.access_reject : --> host/win81-ops.in.testdomain (9) attr_filter.access_reject : Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (9) [eap] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (reply:EAP-Message && reply:Reply-Message) (9) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response Sending Access-Reject Id 220 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.5 seconds. (0) Cleaning up request packet ID 211 with timestamp +5 (1) Cleaning up request packet ID 203 with timestamp +5 (2) Cleaning up request packet ID 213 with timestamp +5 (3) Cleaning up request packet ID 212 with timestamp +5 (4) Cleaning up request packet ID 215 with timestamp +5 (5) Cleaning up request packet ID 216 with timestamp +5 Waking up in 1.4 seconds. (6) Cleaning up request packet ID 218 with timestamp +7 (7) Cleaning up request packet ID 219 with timestamp +7 (8) Cleaning up request packet ID 217 with timestamp +7 (9) Cleaning up request packet ID 220 with timestamp +7 Ready to process requests. Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010015014652455348564945575c74796e616e79 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xdd9875a4f200bb105676cc44bbc1990a (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject : EXPAND %{User-Name} (10) attr_filter.access_reject : --> TESTDOMAIN\\testuser (10) attr_filter.access_reject : Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap : Request was previously rejected, inserting EAP-Failure (10) [eap] = updated (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Sending delayed response Sending Access-Reject Id 221 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 221 with timestamp +12 Ready to process requests.