We're having an odd problem here, and I just can't pin down quite where to look to fix it. We use PEAP-MSCHAPv2 for authentication of our windows domain users on wireless. This is accomplished by terminating the TLS conversation at FreeRADIUS and sending along the MSCHAP conversation to an IAS server. We've tested this in the past, and it's worked fine, and we're doing a modified form of this in production, and it's working fine, but I've lately been unable to get it to work in our pre-production 2.1.11 environment. What's particularly odd is that it's only affecting the Windows clients. My OS X client doing PEAP with the same credentials is happy. What we're doing in production, which continues to work, is this: We terminate TLS at FreeRADIUS. This allows us to manage the wireless service certificate there, keeps the IAS operators from having to keep up with it. We proxy the MSCHAP conversation to our OpenRADIUS server (which is also running and interacting with TACACS). OpenRADIUS proxies the CHAP stuff to IAS. It may be tinkering with the MSCHAP fields from IAS to make them more compatible (basically changing out the secrets because it's standing in the middle). Successful authentication then percolates back through the chain and the user is happy. In pre-production, it looks like this: Request comes in from Windows client, is recognized to be a Domain authentication request, gets proxied to an FR virtual server. Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS. IAS does its MSCHAP thing, accepts the user. Access-Accept percolates back up through the chain. We send an access challenge, the user sends an Access request, and FR says the user said something weird, so it's rejecting them. Request comes in from non-windows client, is recognized to be Domain authentication request, gets proxied to an FR virtual server Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS. IAS does its MSCHAP thing, accepts the user. Access-Accept percolates back up through the chain. We send an access challenge, the user sends an Access request, and FR says everything's fine, user gets Access-Accept. Thoughts on where I need to look? I can't parse out what's happening to cause a response to be invalid for Windows users but not for, say, Mac users. Our initial guess here is that the Windows clients are looking at the MPPE keys, and are unhappy about them, whereas the Mac clients are not, though we suspect neither set of clients requires them. Posting relevant bits of debug output below. Thanks much, Jacob M. Dawson --------- Pre-production failure: rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=138, length=293 User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address = 198.82.171.153 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84 State = 0x5b4a8e485341972bae816e794759d3ea Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (75) group authorize { (75) - entering group authorize {...} (75) policy split_username_prefix { (75) - entering policy split_username_prefix {...} (75) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) (75) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE (75) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE (75) if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) { (75) - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...} (75) update request { (75) expand: %{2} -> dawson (75) expand: %{1} -> HOKIES (75) } # update request = notfound (75) [updated] = updated (75) - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated (75) ... skipping else for request 75: Preceding "if" was taken (75) - policy split_username_prefix returns updated (75) policy split_username_suffix { (75) - entering policy split_username_suffix {...} (75) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) (75) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE (75) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE (75) else else { (75) - entering else else {...} (75) [noop] = noop (75) - else else returns noop (75) - policy split_username_suffix returns noop (75) [preprocess] = ok (75) auth_log : expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823 (75) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823 (75) auth_log : expand: %t -> Tue Aug 23 10:40:16 2011 (75) [auth_log] = ok rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair State = 0x5b4a8e485341972bae816e794759d3ea rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test rlm_perl: Added pair Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da rlm_perl: Added pair Airespace-Wlan-Id = 17 rlm_perl: Added pair Stripped-User-Domain = HOKIES rlm_perl: Added pair NAS-IP-Address = 198.82.171.153 rlm_perl: Added pair Tunnel-Private-Group-Id = 1381 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db rlm_perl: Added pair User-Name = HOKIES\\dawson rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b rlm_perl: Added pair EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84 rlm_perl: Added pair Stripped-User-Name = dawson rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair Framed-MTU = 1300 (75) [perl] = noop (75) ? if ("%{Stripped-User-Domain}" != "HOKIES") (75) expand: %{Stripped-User-Domain} -> HOKIES (75) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE (75) ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE (75) eap : EAP packet type response id 11 length 95 (75) eap : Continuing tunnel setup. (75) [eap] = ok (75) Found Auth-Type = ? (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (75) group authenticate { (75) - entering group authenticate {...} (75) eap : Request found, released from the list (75) eap : EAP/peap (75) eap : processing type peap (75) peap : processing EAP-TLS (75) peap : eaptls_verify returned 7 (75) peap : Done initial handshake (75) peap : eaptls_process returned 7 (75) peap : FR_TLS_OK (75) peap : Session established. Decoding tunneled attributes. (75) peap : Peap state phase2 (75) peap : EAP type mschapv2 (75) peap : Got tunneled request EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e server { (75) peap : Setting User-Name to HOKIES\dawson Sending tunneled request EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "HOKIES\\dawson" State = 0x21ebcfee21e0d5ab22fbf5cfb29bfd25 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Tunnel-Type:0 = VLAN Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-IP-Address = 198.82.171.153 Tunnel-Private-Group-Id:0 = "1381" Tunnel-Medium-Type:0 = IEEE-802 Calling-Station-Id = "00-1d-e0-90-5f-db" NAS-Identifier = "cas-6509-3.wsm8b" NAS-Port = 29 Framed-MTU = 1300 server proxy-inner-tunnel { (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel (75) group authorize { (75) - entering group authorize {...} (75) ? if ("%{User-Name}" =~ /^(host\/.*)$/) (75) expand: %{User-Name} -> HOKIES\dawson (75) ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE (75) ? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE (75) else else { (75) - entering else else {...} (75) update control { (75) } # update control = notfound (75) - else else returns notfound } # server proxy-inner-tunnel (75) peap : Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel (75) group authenticate { (75) - entering group authenticate {...} (75) eap : Request found, released from the list (75) eap : EAP/mschapv2 (75) eap : processing type mschapv2 rlm_eap_mschapv2: cancelling authentication and letting it be proxied (75) eap : Not-EAP proxy set. Not composing EAP (75) [eap] = handled PEAP: Tunneled authentication will be proxied to DomainUser PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. (75) eap : Tunneled session will be proxied. Not doing EAP. (75) [eap] = handled (75) WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 161 to 198.82.160.219 port 1812 User-Name = "HOKIES\\dawson" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Tunnel-Type:0 = VLAN Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-IP-Address = 198.82.171.153 Tunnel-Private-Group-Id:0 = "1381" Tunnel-Medium-Type:0 = IEEE-802 Calling-Station-Id = "00-1d-e0-90-5f-db" NAS-Identifier = "cas-6509-3.wsm8b" NAS-Port = 29 Framed-MTU = 1300 MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418 MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066 Proxy-State = 0x313338 (75) Proxying request to home server 198.82.160.219 port 1812 Sending Access-Request of id 161 to 198.82.160.219 port 1812 User-Name = "HOKIES\\dawson" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Tunnel-Type:0 = VLAN Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-IP-Address = 198.82.171.153 Tunnel-Private-Group-Id:0 = "1381" Tunnel-Medium-Type:0 = IEEE-802 Calling-Station-Id = "00-1d-e0-90-5f-db" NAS-Identifier = "cas-6509-3.wsm8b" NAS-Port = 29 Framed-MTU = 1300 MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418 MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066 Proxy-State = 0x313338 Waking up in 0.2 seconds. rad_recv: Access-Accept packet from host 198.82.160.219 port 1812, id=161, length=219 DEBUG: Compare b472204 to calculated digest f796ca40, secret temporaryS3CR3T Proxy-State = 0x313338 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586 MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1 MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2 MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134 MS-CHAP-Domain = "\013HOKIES" (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (75) group post-proxy { (75) - entering group post-proxy {...} (75) eap : Doing post-proxy callback (75) eap : Passing reply from proxy back into the tunnel. server proxy-inner-tunnel { (75) eap : Passing reply back for EAP-MS-CHAP-V2 (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel (75) group post-proxy { (75) - entering group post-proxy {...} (75) [eap] = noop (75) WARNING: Empty post-auth section. Using default return values. } # server proxy-inner-tunnel (75) eap : Final reply from tunneled session code 2 Proxy-State = 0x313338 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586 MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1 MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2 MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134 MS-CHAP-Domain = "\013HOKIES" (75) eap : Got reply 2 (75) eap : Got tunneled reply RADIUS code 2 Proxy-State = 0x313338 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586 MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1 MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2 MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134 MS-CHAP-Domain = "\013HOKIES" (75) eap : Tunneled authentication was successful. (75) eap : SUCCESS (75) eap : Reply was handled (75) [eap] = ok (75) Found Auth-Type = ? (75) Found Auth-Type = ? (75) Warning: Found 2 auth-types on request for user 'HOKIES\dawson' (75) Auth-Type = Accept, accepting the user (75) Login OK: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db) (75) # Executing section post-auth from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (75) group post-auth { (75) - entering group post-auth {...} (75) [exec] = noop Sending Access-Challenge of id 138 to 198.82.171.153 port 32768 EAP-Message = 0x010c00261900170301001b0167b434a0313cb3f29b20e1f731efe3d173083c964cda1451135a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5b4a8e485246972bae816e794759d3ea (75) Finished request 75. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=139, length=236 User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address = 198.82.171.153 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743 State = 0x5b4a8e485246972bae816e794759d3ea Message-Authenticator = 0x26b42d72271f1819599977a28920622f (76) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (76) group authorize { (76) - entering group authorize {...} (76) policy split_username_prefix { (76) - entering policy split_username_prefix {...} (76) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) (76) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE (76) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE (76) if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) { (76) - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...} (76) update request { (76) expand: %{2} -> dawson (76) expand: %{1} -> HOKIES (76) } # update request = notfound (76) [updated] = updated (76) - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated (76) ... skipping else for request 76: Preceding "if" was taken (76) - policy split_username_prefix returns updated (76) policy split_username_suffix { (76) - entering policy split_username_suffix {...} (76) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) (76) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE (76) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE (76) else else { (76) - entering else else {...} (76) [noop] = noop (76) - else else returns noop (76) - policy split_username_suffix returns noop (76) [preprocess] = ok (76) auth_log : expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823 (76) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823 (76) auth_log : expand: %t -> Tue Aug 23 10:40:16 2011 (76) [auth_log] = ok rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair State = 0x5b4a8e485246972bae816e794759d3ea rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test rlm_perl: Added pair Message-Authenticator = 0x26b42d72271f1819599977a28920622f rlm_perl: Added pair Airespace-Wlan-Id = 17 rlm_perl: Added pair Stripped-User-Domain = HOKIES rlm_perl: Added pair NAS-IP-Address = 198.82.171.153 rlm_perl: Added pair Tunnel-Private-Group-Id = 1381 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db rlm_perl: Added pair User-Name = HOKIES\\dawson rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b rlm_perl: Added pair EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743 rlm_perl: Added pair Stripped-User-Name = dawson rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair Framed-MTU = 1300 (76) [perl] = noop (76) ? if ("%{Stripped-User-Domain}" != "HOKIES") (76) expand: %{Stripped-User-Domain} -> HOKIES (76) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE (76) ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE (76) eap : EAP packet type response id 12 length 38 (76) eap : Continuing tunnel setup. (76) [eap] = ok (76) Found Auth-Type = ? (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (76) group authenticate { (76) - entering group authenticate {...} (76) eap : Request found, released from the list (76) eap : EAP/peap (76) eap : processing type peap (76) peap : processing EAP-TLS (76) peap : eaptls_verify returned 7 (76) peap : Done initial handshake (76) peap : eaptls_process returned 7 (76) peap : FR_TLS_OK (76) peap : Session established. Decoding tunneled attributes. (76) peap : Peap state send tlv success (76) peap : Received EAP-TLV response. (76) peap : Client rejected our response. The password is probably incorrect. (76) peap : We sent a success, but received something weird in return. (76) eap : Handler failed in EAP/peap (76) eap : Failed in EAP select (76) [eap] = invalid (76) Failed to authenticate the user. (76) Login incorrect: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db) (76) Using Post-Auth-Type Reject (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default (76) group REJECT { (76) - entering group REJECT {...} (76) attr_filter.access_reject : expand: %{User-Name} -> HOKIES\dawson attr_filter: Matched entry DEFAULT at line 11 (76) [attr_filter.access_reject] = updated (76) Finished request 76. Waking up in 0.2 seconds. Waking up in 0.6 seconds. (76) Sending delayed reject Sending Access-Reject of id 139 to 198.82.171.153 port 32768 EAP-Message = 0x040c0004 Message-Authenticator = 0x00000000000000000000000000000000 ----- Production Success: Waking up in 4.9 seconds. User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address = 198.82.171.153 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" EAP-Message = 0x020a005f1900170301005499a000fc4d08b0c067d3251047d61b836767466160c386b38d37d4b6c39b07ce3b09c85590c8a923419e6f0ae464ac472050214b71b4d641e06f8a439348319233d622cd7900f8f172726407b0010bcb54c6a1d6 State = 0x764462057e4e7bc59f1c525ed4400d40 Message-Authenticator = 0xd9566738adb17439ce7d7568c8bc8264 +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 10 length 95 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group EAP rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to HOKIES\dawson +- entering group authorize ++? if ("%{User-Name}" =~ /^(host\/.*)$/) expand: %{User-Name} -> HOKIES\dawson ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE ++- entering else else +++[control] returns notfound ++- else else returns notfound PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to openradius PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled +- entering group pre-proxy preproxy_users: Matched entry DEFAULT at line 1 ++[files] returns ok User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address := 198.82.247.103 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type := Framed-User Framed-MTU = 1300 NAS-Port-Type := Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464 MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7 Proxy-State = 0x323433 Proxying request 9 to home server 198.82.247.67 port 1812 User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address := 198.82.247.103 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type := Framed-User Framed-MTU = 1300 NAS-Port-Type := Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464 MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7 Proxy-State = 0x323433 Going to the next request Waking up in 0.9 seconds. Framed-Protocol = PPP Service-Type = Framed-User MS-MPPE-Recv-Key = 0xe32365fe45921738025084f44fd7822a MS-MPPE-Send-Key = 0xf65c13fbcd70a80768ea868ec27085ff MS-CHAP2-Success = 0x0a533d46333146313034313438374339373131303542344546363341364339333146344135424141383434 MS-CHAP-Domain = "\nHOKIES" +- entering group post-proxy rlm_eap: Doing post-proxy callback PEAP: Passing reply from proxy back into the tunnel. PEAP: Passing reply back for EAP-MS-CHAP-V2 +- entering group post-proxy rlm_eap: Doing post-proxy callback rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x1cd469a0 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success ++[eap] returns ok PEAP: Got reply 11 PEAP: Got tunneled Access-Challenge PEAP: Reply was handled ++[eap] returns ok EAP-Message = 0x010b004a1900170301003f084cf62c48fb9b9e951aa3801c9a88bbe2078c7a667df320929296299bdff2863bf8572a744dac5d9409953cda9855feca24aa24b8205677fbf3f7e3767f36 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x764462057f4f7bc59f1c525ed4400d40 Finished request 9. Going to the next request Waking up in 4.9 seconds. User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address = 198.82.171.153 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" EAP-Message = 0x020b001d19001703010012091d2f1089b72dd14c76daf331c2dc4de167 State = 0x764462057f4f7bc59f1c525ed4400d40 Message-Authenticator = 0xee39bc3d804727c33f69fc7d8172d2bf +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 11 length 29 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group EAP rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to HOKIES\dawson +- entering group authorize ++? if ("%{User-Name}" =~ /^(host\/.*)$/) expand: %{User-Name} -> HOKIES\dawson ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE ++- entering else else +++[control] returns notfound ++- else else returns notfound PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler ++[eap] returns ok PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS ++[eap] returns handled EAP-Message = 0x010c00261900170301001badffc5c8196273037ffc5ae8b421cb5a11d4cdbf3d67e521a2dd10 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x764462057c487bc59f1c525ed4400d40 Finished request 10. Going to the next request Waking up in 4.9 seconds. User-Name = "HOKIES\\dawson" Calling-Station-Id = "00-1d-e0-90-5f-db" Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test" NAS-Port = 29 NAS-IP-Address = 198.82.171.153 NAS-Identifier = "cas-6509-3.wsm8b" Airespace-Wlan-Id = 17 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1381" EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8 State = 0x764462057c487bc59f1c525ed4400d40 Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09 +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 12 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group EAP rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success rlm_eap: Freeing handler ++[eap] returns ok perl_pool: item 0x17a6e7a0 asigned new request. Handled so far: 1 found interpetator at address 0x17a6e7a0 rlm_perl: no serial number; assuming non-TLS authentication rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair State = 0x764462057c487bc59f1c525ed4400d40 rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test rlm_perl: Added pair Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09 rlm_perl: Added pair Airespace-Wlan-Id = 17 rlm_perl: Added pair EAP-Type = PEAP rlm_perl: Added pair NAS-IP-Address = 198.82.171.153 rlm_perl: Added pair Tunnel-Private-Group-Id = 1381 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db rlm_perl: Added pair User-Name = HOKIES\\dawson rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b rlm_perl: Added pair EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair User-Name = HOKIES\\dawson rlm_perl: Added pair MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de rlm_perl: Added pair EAP-Message = 0x030c0004 rlm_perl: Added pair MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0 rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 rlm_perl: Added pair Auth-Type = EAP perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x17a6e7a0 ++[perl] returns ok Login OK: [HOKIES\\\\dawson/<via Auth-Type = EAP>] (from client cas-6509-3.wsm8b port 29 cli 00-1d-e0-90-5f-db) User-Name = "HOKIES\\\\dawson" MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de EAP-Message = 0x030c0004 MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 11. Going to the next request Waking up in 4.9 seconds.