Hi, Here is the complete debug log : rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=194, length=179 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x02000016015354494330383836325c54656368524d43 Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 0 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 194 to 10.220.30.5 port 29010 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6309d0dd14b00d913c56dbe3f Finished request 78. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=195, length=255 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0201005019800000004616030100410100003d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d4200001600040005000a000900640062000300060013001200630100 State = 0x309c14c6309d0dd14b00d913c56dbe3f Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 1 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 195 to 10.220.30.5 port 29010 EAP-Message = 0x0102040019c00000089b160301002a0200002603014de118cc589bf7890a69fb3f645cbd3f8fb8e69b0de774081f186249cbb1fab400000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303532363131323630315a170d3132303532353131323630315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100abc6704165a82539a0386d451ff1ef7af0b77a030e0ece6ae83f509f03075fc22f4314bed080131a3f4ce4836d78b9f839e787dcf28407ebe4b4976a23b8 EAP-Message = 0x99720c1bdeb4e3a97cb664364a74231a865f1c58f96afa6060b528500f2a570c488ba5d43c1898ec6b8ccb38f66ed46fcc83c824da13c885743ae1c2fac049de6d095b694a6144ab81d6b1ae9ade3ad472fa3c505c5aad28a7f878426c5625e844a9f8980f2d6b18a2820ddc4086ae123f1b58b76e1662d5df63ec1662d44f8c302fd0f0f56bf156e2b998558ffab4e9c5967adf434ed23e28b8500d13e12d72202880234fadf61dc578fd16f6a0e9b7e62fbc7d5e93195384c6a53388a357a7e8590203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009b9dae84aad1294971 EAP-Message = 0x085bfc65eea37216552b3898f2164a56490b8e68d7d3b809b379f74c18b249611da68f59c6ded6c40673cfe5bc870d40e305eeb2da97d2550d804d6e75fd2a42bf35e2ee7abdeae22a33a2cd27c8e5cb26a30a10cd7b9a22bb936e09effc1323a9beb1b407f375a0f197b5ea4dab4dc9f5a131bd89d64b3e61ce79250659c86de853316f63cd62edcae9ffd2ea4bba902a02e38cbf2a483f2b723f6e87bc7092f6335730a0cb24c8ec74a1d21cc0e7aa0f9b4eb991a00e10f9c54fbbe950dd0252c7eb094e26888c8bd0cf38488755f2f64822923402e46c5578ab316d899076fcab91a140b32aa180e265e8e8df263e209233432482bf0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6319e0dd14b00d913c56dbe3f Finished request 79. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=196, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020200061900 State = 0x309c14c6319e0dd14b00d913c56dbe3f Message-Authenticator = 0xa462f5cd5ac6dd277077e9011fbf9c14 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 196 to 10.220.30.5 port 29010 EAP-Message = 0x010303fc194000cbce0215a96683a7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303532363131323630315a170d3132303532353131323630315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bc17ac5d732962b1d8b9930162674dbc7ed2c21a022847f8d0bbf631b90c4598a9f450824c1335d535b1a3bc06344b72429484af7f8a7470f387f9b3314ca14b85328e7ed7c94f40f821bc5b69b1828a4eb5ca30e4cb30668c7b8dada3769f20a61fa244d158eb43fa343001a80195 EAP-Message = 0xb1b11e518865a45a3b1f8116ffc29a79de5bc4f72c54e53632a1c49f84aa523b39519bfdac4cf067f0bff3455f17f44c8e40b04b06ad175fcf5fcc9d88e047d95a35ee4581d243207a1c94f32aaa6ba8c59883944f8d2721493a52f0d18aa594cbaead171926e6a1f992b67ab93854a34f3d421cbe875e2909aafde2eb5bed79d233a20fa21fb9e378497d273e8f6ca14d0203010001a381fb3081f8301d0603551d0e04160414c4c3cc2ea4d081bbce0c80d92996e92cda9390dc3081c80603551d230481c03081bd8014c4c3cc2ea4d081bbce0c80d92996e92cda9390dca18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900cbce0215a96683a7300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100022271f224357d78202aaecf9faca93ece45548fc74f4bed01bb6ad31badca58eb3d019ac1f2fcc323d33dcae04b84b6c2b443bca35258946c7f02eaa1bbeb550494b30648c47d83786b5f872facbb828d6f EAP-Message = 0x3deb8931d600ea5e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6329f0dd14b00d913c56dbe3f Finished request 80. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=197, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020300061900 State = 0x309c14c6329f0dd14b00d913c56dbe3f Message-Authenticator = 0xa5deb369fab7a8ab117e3a2d3a1bd99a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 197 to 10.220.30.5 port 29010 EAP-Message = 0x010400b519001c077a0c37c0021ebd5901d8710b97ad0f8565cbe4081f184c4f48d79500d781c789cd7e4fcb9ef1c0d85e8c0e2f79b33d98067a79636b7b18c212c6fa065393ead60ccbd66b1ee55415965798592390475c38b8f1d81a8372e7e1aafcb6563a44f0be0cb173c485b071d8f18a6d6c978b2a17fc24579a3a00c360a6b43efefc2ec4f0d73ab140ec5e5d9b591a5b29b0d3a7a096774771c16065b46160051a8d1e88f6aa261516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c633980dd14b00d913c56dbe3f Finished request 81. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=198, length=497 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0204014019800000013616030101061000010201000d5a7cfe5681de38952daa49b5a1f72a4406db283c1bdb0dbf56630552caba84d0ddd24cb5782d77a3b91ccbfbecc86a769bce2e367a77d13049c89aca7179224427b950971802c12e803af42ec507f6ded58f3ad883f4e774878bef3537d59d19e0e6697a98120a7cc029be2c20ca05e87ba0beb9376957afba29ab6bff97667ce389d9b8d5530f9456b4b6a77753596a1bd6caff20c5269203b2b6d51e70082f5592c2abb1a17235e2f1ccfe6110ea40a44f4b25b46b56eaae52ec6649d39bf5434b53b996821b1c68159f34d7695c4d0d21d6d138c62f5fa6eb7664bf2ab59facdbab3bf9eac9 EAP-Message = 0x2a59234d25f162d9c012c90c1b564c40f7a244ceb74fdbba1403010001011603010020105e724ee5343bc59dc34a12d5f6ae80cb30ee64b5e06ec66e794571315cee97 State = 0x309c14c633980dd14b00d913c56dbe3f Message-Authenticator = 0xa808596aff58e89c835ba408d22c8576 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 198 to 10.220.30.5 port 29010 EAP-Message = 0x0105003119001403010001011603010020a7b524514b3cddffd4a8160f9eb6cc6a58975c324fe0d9ad042931b8bffb2bbd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c634990dd14b00d913c56dbe3f Finished request 82. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=199, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020500061900 State = 0x309c14c634990dd14b00d913c56dbe3f Message-Authenticator = 0xfbb387ec4960fce18fa01d5ff1c5e01e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 199 to 10.220.30.5 port 29010 EAP-Message = 0x010600201900170301001571c76260985f4c2cdee93f9c926ad4e44dbc5089bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6359a0dd14b00d913c56dbe3f Finished request 83. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=200, length=220 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0206002d1900170301002265afc9d83fb63b3df1fa050064293a1d5724034b497cd6917712aed52e33e5c50a93 State = 0x309c14c6359a0dd14b00d913c56dbe3f Message-Authenticator = 0x1d9a3ba6178e12c05cfd06e7b2a2c601 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 6 length 45 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - STIC08862\TechRMC [peap] Got inner identity 'STIC08862\TechRMC' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02060016015354494330383836325c54656368524d43 server { PEAP: Setting User-Name to STIC08862\TechRMC Sending tunneled request EAP-Message = 0x02060016015354494330383836325c54656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "STIC08862\\TechRMC" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE [eap] EAP packet type response id 6 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) ? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...} +++[control] returns ok ++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x510e2245510938eb25e1ac3222e20688 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x510e2245510938eb25e1ac3222e20688 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 200 to 10.220.30.5 port 29010 EAP-Message = 0x0107004219001703010037421203ab26df0308676a4f2cb9e0fa8ff6e390152e6e971e94d31eda95d20b849007bca062f718e1d559e79b10a5b6a188768b6fe1907c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6369b0dd14b00d913c56dbe3f Finished request 84. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=201, length=264 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020700591900170301004eb1f256aa2e900c41ef37f9d0933df166344a6edbc9356301e0fdc15cb87b6cbe03f6b07e54ccfd7fca446c7ce6cca1a742794be48c57b8e2ac735d7b2a2b38fe4483984103fc270b54d6c691b4c2 State = 0x309c14c6369b0dd14b00d913c56dbe3f Message-Authenticator = 0x8d693684ec5593182b54ce7c3d5e7d8f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 7 length 89 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 server { PEAP: Setting User-Name to STIC08862\TechRMC Sending tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "STIC08862\\TechRMC" State = 0x510e2245510938eb25e1ac3222e20688 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) ? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...} +++[control] returns ok ++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP Name (TechRMC) from EAP-MSCHAPv2 ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 201 to 10.220.30.5 port 29010 EAP-Message = 0x010800261900170301001bd9addceecce69a0bbcafd532787f06f03515b539bbb8c598213707 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c637940dd14b00d913c56dbe3f Finished request 85. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=202, length=213 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020800261900170301001b5d49f3ad65771949521891ede66912ccf09cfa17c7d6a9965f229e State = 0x309c14c637940dd14b00d913c56dbe3f Message-Authenticator = 0xf8e78209cd1bbc051781ce0db38fb367 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 8 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> STIC08862\TechRMC attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 86 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 86 Sending Access-Reject of id 202 to 10.220.30.5 port 29010 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. On 11-05-28 10:32 AM, Francois Gaudreault wrote:
Hi Phil, and Alan,
I will get you the debug output for Windows XP SP3 boxes (likely Monday).
I will summarise what we have. Basically, this is a setup where the client is using eDirectory to authorize the users using the rlm_ldap module. On the windows boxes, it is configured to do PEAP using MSCHAPv2. When we send a host credential (ie. host/mycomputer.domain.tld) it will pass the authorization and during the authentication phase, it will use ntlm_auth to ensure that the machine is member of the domain. That part is working fine, the mschap module does its job. For the users, they have windows 7s and windows XPs. Windows 7 appears to be working without problems since the username is sent without the computer name as the domain prefix. The problem comes with the windows XP boxes. If we let windows send the credentials automatically (when novell logs in), the LDAP authorization will work properly, but the authentication will fail even if the Cleartext-Password attribute is set by the LDAP module. It will throw that MS-CHAP error. We also ensure that everything that comes from something that is not matching host/something will use the MS-CHAP-NTLM-Auth = No. The only way to make Windows XP work is to disable the "automatically send username" thing and only send the username without the domain name. However, the user experience will definitely be terrible.
The NAS Client is an Avaya Access Point.
Thanks for your feedbacks guys, it is appreciated. I will get you the debug information and the sites configuration as soon as I can.
Have a nice weekend.
-- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)