Here it is: FreeRADIUS Debugging Output This colorized output was produced by an automated tool from Network RADIUS ---------------------------------------------------------------------------- ---- Packet 0 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=171, length=177 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020b00150143414430383836325c54656368524d43 Message-Authenticator = 0x0a731b00ed8632709fd7a0cd73425aac # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 171 to 10.220.30.5 port 29002 EAP-Message = 0x010c00160410b6e7676fb05991e0012286fb7d646c1e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f Finished request 229. Going to the next request Waking up in 4.9 seconds. Packet 1 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=172, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020c00060319 State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f Message-Authenticator = 0xa70f38635c3dc90b94a63ba069f76ebb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 172 to 10.220.30.5 port 29002 EAP-Message = 0x010d00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f Finished request 230. Going to the next request Waking up in 4.9 seconds. Packet 2 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=173, length=254 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020d005019800000004616030100410100003d03014dc932cb ... State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f Message-Authenticator = 0x2e2e0708c73b34e905daee695ee8032a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 13 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 173 to 10.220.30.5 port 29002 EAP-Message = 0x010e040019c00000089b160301002a0200002603014dc932cb ... EAP-Message = 0x301e170d3131303531303131343933315a170d313230353039 ... EAP-Message = 0x247a871d8a28fca6ca77871f75158cb881bc154162482826dd ... EAP-Message = 0x3ca0d3dd2e4fe050819da932da5eb9b05a8732cdbfae1ecd97 ... EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f Finished request 231. Going to the next request Waking up in 4.9 seconds. Packet 3 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=174, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020e00061900 State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f Message-Authenticator = 0x299e7d9bc6c1576d75b2dc575bb8d131 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 174 to 10.220.30.5 port 29002 EAP-Message = 0x010f03fc194000ae4924c977166296300d06092a864886f70d ... EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578 ... EAP-Message = 0x9f6d4aba6ff7e424f8e3053ecd0d88e8e2b8441d43588d5519 ... EAP-Message = 0x0813065261646975733112301006035504071309536f6d6577 ... EAP-Message = 0x912aa6d3291cd0dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f Finished request 232. Going to the next request Waking up in 4.9 seconds. Packet 4 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=175, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020f00061900 State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f Message-Authenticator = 0x21deff950681e5b9ed5d0b915238df63 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 175 to 10.220.30.5 port 29002 EAP-Message = 0x011000b519000dd9a5fde73f897737b0f264443de17265d729 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f Finished request 233. Going to the next request Waking up in 4.9 seconds. Packet 5 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=176, length=496 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x0210014019800000013616030101061000010201000cd623d8 ... EAP-Message = 0x7e97ab57b201610cb97da732dc3ea2fa8d945c59af7f5d6e14 ... State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f Message-Authenticator = 0x9b6a444a93ad642167d08affdee03b15 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 176 to 10.220.30.5 port 29002 EAP-Message = 0x01110031190014030100010116030100208a615f5002c2f168 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f Finished request 234. Going to the next request Waking up in 4.8 seconds. Packet 6 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=177, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021100061900 State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f Message-Authenticator = 0x40f129dcea3d601dbd5f744da4c406c3 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 177 to 10.220.30.5 port 29002 EAP-Message = 0x011200201900170301001586534e83dd452d3c59548f8ad4e9 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f Finished request 235. Going to the next request Waking up in 4.8 seconds. Packet 7 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=178, length=218 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x0212002c19001703010021a58a75cc4381a250bba38251cd2c ... State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f Message-Authenticator = 0x265a6aa891e196ddbd3280a30cfb3e0f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 44 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - CAD08862\ldapuser [peap] Got inner identity 'CAD08862\ldapuser' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x021200150143414430383836325c54656368524d43 server { PEAP: Setting User-Name to CAD08862\ldapuser Sending tunneled request EAP-Message = 0x021200150143414430383836325c54656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (User-Name !~ /^host\//) ? Evaluating (User-Name !~ /^host\//) -> TRUE ++? if (User-Name !~ /^host\//) -> TRUE ++- entering if (User-Name !~ /^host\//) {...} +++[control] returns notfound ++- if (User-Name !~ /^host\//) returns notfound ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser' ++[copy.user-name] returns ok [remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local) remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[remove-domain-name] returns ok [add-dollar-sign] expand: ^(host/.*) -> ^(host/.*) add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[add-dollar-sign] returns ok [strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+) strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser' ++[strip-realm-name] returns ok [ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser" [ntdomain] No such realm "CAD08862" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 18 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for CAD08862\ldapuser [ldap] expand: %{Stripped-User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: o=test -> o=test [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=test, with filter (uid=ldapuser) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user CAD08862\ldapuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1d14868b1c252824a02ce38607236ef [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1d14868b1c252824a02ce38607236ef [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 178 to 10.220.30.5 port 29002 EAP-Message = 0x011300411900170301003636791f38ba2c2c44f57b5e62c92e ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f Finished request 236. Going to the next request Waking up in 4.8 seconds. Packet 8 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=179, length=263 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021300591900170301004ebc0a4c73422ad0f2958deff363d6 ... State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f Message-Authenticator = 0x7db4139bac8a822e9a923f4758080856 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 89 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ... server { PEAP: Setting User-Name to CAD08862\ldapuser Sending tunneled request EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ... FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" State = 0xb1d14868b1c252824a02ce38607236ef server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (User-Name !~ /^host\//) ? Evaluating (User-Name !~ /^host\//) -> TRUE ++? if (User-Name !~ /^host\//) -> TRUE ++- entering if (User-Name !~ /^host\//) {...} +++[control] returns notfound ++- if (User-Name !~ /^host\//) returns notfound ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser' ++[copy.user-name] returns ok [remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local) remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[remove-domain-name] returns ok [add-dollar-sign] expand: ^(host/.*) -> ^(host/.*) add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[add-dollar-sign] returns ok [strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+) strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser' ++[strip-realm-name] returns ok [ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser" [ntdomain] No such realm "CAD08862" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 19 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for CAD08862\ldapuser [ldap] expand: %{Stripped-User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: o=test -> o=test [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=test, with filter (uid=ldapuser) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user CAD08862\ldapuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2 ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 179 to 10.220.30.5 port 29002 EAP-Message = 0x011400261900170301001b042d951bea675042a05ce3fed5c1 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130adea583a08d7b8b3e893ab3f Finished request 237. Going to the next request Waking up in 4.8 seconds. Packet 9 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ... State = 0xa5fe4130adea583a08d7b8b3e893ab3f Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 238 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 238 Sending Access-Reject of id 180 to 10.220.30.5 port 29002 EAP-Message = 0x04140004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 229 ID 171 with timestamp +857 Cleaning up request 230 ID 172 with timestamp +857 Cleaning up request 231 ID 173 with timestamp +857 Cleaning up request 232 ID 174 with timestamp +857 Cleaning up request 233 ID 175 with timestamp +857 Cleaning up request 234 ID 176 with timestamp +857 Cleaning up request 235 ID 177 with timestamp +857 Cleaning up request 236 ID 178 with timestamp +857 Cleaning up request 237 ID 179 with timestamp +857 Waking up in 1.0 seconds. --------------------------------------------------------------------------- On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong.
I presume there's a debug at this URL, but I have no reachability to it from where I am (tried from a couple of different source networks): 17 Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54) 90.786 ms 90.770 ms 90.740 ms 18 Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10) 90.800 ms 90.918 ms 91.056 ms 19 tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165) 91.241 ms 90.598 ms 90.634 ms 20 tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198) 79.405 ms 79.282 ms 79.230 ms 21 * * * 22 * * * 23 * * * __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6110 (20110510) __________ Le message a ete verifie par ESET NOD32 Antivirus. http://www.eset.com