Freeradius and Active directory
Hi. What am I trying to do: I would like to authenticate my Windows XP wireless clients against Active Directory server via Freeradius. What do I have: I'm using freeradius 1.1.6 (installed via emerge) on Gentoo, Windows XP Pro What works: [WinXP]-->[freeradius]-->[w2003server] 1.)I'm able to send requests from Windows XP to freeradius (using NTradping). (In an earlier testing phase I was able to authenticate against "radius users file") 2.)I'm able to authenticate against AD (ntlm_auth). What doesn't work: When I try to bind phase 1.) and 2.) (ie. send request from winXP to radius and let radius to authenticate against AD), it returns: ********************************************************************** rad_recv: Access-Request packet from host 1.2.3.4:1224, id=1, length=59 User-Name = "MYNTDOMAIN\\user" CHAP-Password = 0x6036fd239ead000176def7ade553072c87 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [user/<CHAP-Password>] (from client MYNETWORK port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- NTradping retunrs: Response: Access-Reject ********************************************************************* I see the problem in "No authenticate method...", but have no idea how to repair it:( Here is radiusd log: ********************************************************************* notes ~ # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/jaesrvkey.pem" tls: certificate_file = "/etc/raddb/certs/jaesrvcert.pem" tls: CA_file = "/etc/raddb/certs/jaecacert.pem" tls: private_key_password = "(null)" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel =no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = yes preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ********************************************************************* I know there is something rotten in my configuration files, but can't find it. Thanks for any advice -- Tomáš Janeček
Tomáš Janeček wrote:
I would like to authenticate my Windows XP wireless clients against Active Directory server via Freeradius. ,,, What doesn't work: When I try to bind phase 1.) and 2.) (ie. send request from winXP to radius and let radius to authenticate against AD), it returns:
********************************************************************** rad_recv: Access-Request packet from host 1.2.3.4:1224, id=1, length=59 User-Name = "MYNTDOMAIN\\user" CHAP-Password = 0x6036fd239ead000176def7ade553072c87
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP. Alan DeKok.
Do you mean something like: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO Have a nice day! Am 20.05.2008 um 12:54 schrieb Tomáš Janeček:
Thanks for reply.
Is there any specific HOW-TO? -- Tomáš Janeček - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Yes, something like that, but working. I've walked through this exact article about 10 times during last two months, but never made it:-( I'm really looking for working howto for months... -- Tomáš Janeček
Tomáš Janeček wrote:
Yes, something like that, but working. I've walked through this exact article about 10 times during last two months, but never made it:-(
I'm really looking for working howto for months...
Please explain what's going wrong. Use debug output. If the NAS is doing CHAP, then authenticating to AD is *impossible*. See the following web page: http://deployingradius.com/documents/protocols/compatibility.html Fix the NAS so that it uses one of the support authentication types. Stop trying to re-configure the server to do something impossible. It's *impossible*. For the supported authentication types, it's easy. Follow the HOW-TO's, and it will work. Alan DeKok.
Hi. I didn't want to say, that this howto is somehow wrong or bad... It just didn't worked in my case. (understand: I did/I'm doing something wrong) Now I'm focusing on what you wrote in first e-mail: do MS-CHAP instead of CHAP for AD auth. (Thanks for advice) I see a progress, because I have 0xC000006A error in my AD log (wrong password). That is a good message, because radius server (understand: my wrong configuration of the server) finally communicates with AD. Hurray! -- Tomáš Janeček
Hi,
I see a progress, because I have 0xC000006A error in my AD log (wrong password). That is a good message, because radius server (understand: my wrong configuration of the server) finally communicates with AD. Hurray!
yay! now , dont forgert, depending on how you talk to you rAD< you'll either use the radiusd username/password or you'll be using the login EAP username/password to join the AD for LDAP lookups etc. alan
Hi. Because we can authenticate against AD only (not only, but...) using MS-CHAP, I had to extend the system to its final form (I don't know any MS-CHAP testing utility): [WinXP] -> [AP] -> [FreeRadius] -> [AD server] (ie. I'm using wireless interface in Windows to connect to AP and authenticate against AD) Everything looks good. I can see the request from AP and authentication activities it entails between FreeRadius and AD. But the authentication is never successful. This is the request in radiusd -X: ********************************************************************* rad_recv: Access-Request packet from host 192.168.5.34:1122, id=0, length=205 Message-Authenticator = 0x90afa24eace068c65cabf864bfd330e5 Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000010014b524b415645435c6a6165 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=user' radius_xlat: '--password=' modcall[authorize]: module "ntlm_auth" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [user/<no User-Password attribute>] (from client 3com7760 port 1 cli 00-13-CE-3B-44-4F) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.5.34 port 1122 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4833c099 Nothing to do. Sleeping until we see a request. ********************************************************************* The problem I see is "Login incorrect: [user/<no User-Password attribute>]". It looks like Windows doesn't send user's password. I followed the supplicant configuration part from http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO. I know that this is not exactly FreeRadius question... Does anybody know, what is the problem, what to double check ... ? radiusd -X : ********************************************************************* notes ~ # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) exec: wait = no exec: program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{mschap:User-Name:-None} --password=%{User-Password}" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" Module: Instantiated exec (ntlm_auth) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = yes preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/jaesrvkey.pem" tls: certificate_file = "/etc/raddb/certs/jaesrvcert.pem" tls: CA_file = "/etc/raddb/certs/jaecacert.pem" tls: private_key_password = "(null)" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ********************************************************************* -- Toma's( Janec(ek
Tomás wrote:
Everything looks good. I can see the request from AP and authentication activities it entails between FreeRadius and AD. But the authentication is never successful. ...
auth: No authenticate method (Auth-Type) configuration found for the request:
You have deleted all references to the "eap" module from the "authorize" section of radiusd.conf. How do you expect it to do EAP? i.e. You have edited the default configuration, and broken it. Don't do that. Alan DeKok.
Hi. Now I went back to the default configuration and made only a few changes (according to http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO). Everything looks much better now, but I still get the "wrong password" error. I think, that the problem is in this part of the log: ************************************************************************* modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: '--domain=MYNTDOMAIN' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=user' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: fc radius_xlat: '--challenge=7bb63d62291bd255' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=1ace51d8b230eef7abd8ab34bd4dd34694160c3005d8d237' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 ********************************************************************** especially in Exec-Program-Wait: plaintext: Logon failure (0xc000006d). Why is it using PLAINTEXT? When I try ntlm_auth --domain=MYNTDOMAIN --username=user --challenge=bla --nt-response=blabla it returns the same error. But the password is correct, so think it is just sending it in another form... Has anybody any idea? Thanks for any advice PS: here is my log (little bit to long): ************************************************************************ Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/usersrvkey.pem" tls: certificate_file = "/etc/raddb/certs/usersrvcert.pem" tls: CA_file = "/etc/raddb/certs/usercacert.pem" tls: private_key_password = "(null)" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ************************************************************************************** rad_recv: Access-Request packet from host 192.168.5.34:1412, id=0, length=205 Message-Authenticator = 0x0d7b226426c5e809db75464166db3e9e Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000010014b524b415645435c6a6165 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee685e482b26d2cd30f28860c4b5549d Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=1, length=287 Message-Authenticator = 0xdf9240bde280bd0703c4a940e69f80b2 Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0xee685e482b26d2cd30f28860c4b5549d Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201005019800000004616030100410100003d0301483510b328865954c5f7509d89968aa0a6e2de3bc5b6d6f0a13b0ed4a59a9ff400001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0641], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0102040a19c00000069e160301004a020000460301483510b39830caf1c0b26f868a88438cecd44857ad7fec8a8243659aabbebd3f203d70816528c29969171a797d12e18a32b30c14199da1c19a58307137b061aa1200040016030106410b00063d00063a0002db308202d730820240a003020102020101300d06092a864886f70d0101050500307b310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310e300c06035504071305506c7a656e310c300a060355040a1303434341310c300a060355040b1303535450310c300a060355040313034a41453119301706092a864886f70d010901160a6a6165 EAP-Message = 0x406363612e637a301e170d3038303332363131313331345a170d3039303332363131313331345a306b310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310c300a060355040a1303434341310c300a060355040b1303535450310c300a060355040313034a41453119301706092a864886f70d010901160a6a6165406363612e637a30819f300d06092a864886f70d010101050003818d0030818902818100d37848b2c54c81ee1ad8ab0a58197bac35bebbb203aad2356b4b3a49c10c455476f47d097b43204aff3aa5f2ad58c8eb1dc04f1db8ccc809f122838519dc604675fc6d7539be541e6889f9e9 EAP-Message = 0xa024392963f6e1c19519662a5bf0bf27fa0983d3b0090e0094638f3c67d11f273da895931628775e03836845f1478bc7225dd55b0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604145c73ee21febd0dbd9ad0383ff506764d8cd1458c301f0603551d230418301680147003f249d199478c76d27bf41da15d1991e1ebc8300d06092a864886f70d01010505000381810063b68d99dd03138bb08c8f619de28c72837f76e429f5e521d136674df9a8599a8b87be521518a1611aa3c86582f611e81e03beae EAP-Message = 0x19942d9ddf6adb8efc258bbd99cde5db6fba089291d8f3ade42c8d0f3c4e2797fb3130ba215a486582c4572b35862eb25abcba3bc11108d79ee4214744ee50129f11aca1071945db22b24c0800035930820355308202bea003020102020900fd89d0cd70495e4d300d06092a864886f70d0101050500307b310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310e300c06035504071305506c7a656e310c300a060355040a1303434341310c300a060355040b1303535450310c300a060355040313034a41453119301706092a864886f70d010901160a6a6165406363612e637a301e170d303830333236 EAP-Message = 0x3131303331315a170d3131303332393131303331315a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5064993365bb78cded61beff6d56f9c Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=2, length=213 Message-Authenticator = 0x89ed55c78a5aafb14a2d871ad7f76d7a Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0xa5064993365bb78cded61beff6d56f9c Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010302a41900307b310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310e300c06035504071305506c7a656e310c300a060355040a1303434341310c300a060355040b1303535450310c300a060355040313034a41453119301706092a864886f70d010901160a6a6165406363612e637a30819f300d06092a864886f70d010101050003818d0030818902818100dbd048dbeb96877af89967de38a852f1e4cd9963c1dc01fd892ef19260032ef995743617e9ce0d8d8efb2c76eebfc2c4bc27cd9404bfdb945bb3df9caf9049aaac31f3121af30bd123ed76f9c8e7fe359bcb56c9bc17a742148ceb5cd7 EAP-Message = 0xcb21d7913c30e656dc43948a7531238a847ea5d0d8c081241e1dea93ef9c2b4b7e1d9d0203010001a381e03081dd301d0603551d0e041604147003f249d199478c76d27bf41da15d1991e1ebc83081ad0603551d230481a53081a280147003f249d199478c76d27bf41da15d1991e1ebc8a17fa47d307b310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310e300c06035504071305506c7a656e310c300a060355040a1303434341310c300a060355040b1303535450310c300a060355040313034a41453119301706092a864886f70d010901160a6a6165406363612e637a820900fd89d0cd70495e4d EAP-Message = 0x300c0603551d13040530030101ff300d06092a864886f70d010105050003818100b49fb4c9fd8e685e150b020811bd951ee33bf179c1f0180004e4bbb55430b4e3e940940bb1627c8aec4e18db82d6b5004f12aa689bf95f4a0d104e170e35ed86288da242ab66298519c9818060b63540e1073ff415e5b6d3fb49095f4cba08a695af63857c2e9696571b1a46c0bb8c67f676dc83dd9ca418b03b1665a810c82516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1edaad6860d013b492e09fae97fd31e9 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=3, length=399 Message-Authenticator = 0x8f83b0c32b41ba930617fa7d34e7bcda Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0x1edaad6860d013b492e09fae97fd31e9 Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300c01980000000b6160301008610000082008068dac8fba4cee8d311874c68e32ddaa636c0b6134a3b6e17e1bc2ab2f48b97c65a8e81b292cb4277129c38864d12fb11e7b4dca6397ce80148f539d4e0d67cd4699b4d8ac4351dc78f927a9a7304fc2e09a5fdb043cd14cc98efbac98940b4b93704e7702710b9abf4df638a8598d0ef6dce259c934f18bdc4ade6abb6cd27f914030100010116030100207f93b7886a15bf3d878bc5e2b0f178cdbf35b2ef1587978a7743b1be07b141db NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x01040031190014030100010116030100206b5928c403961228e50bc96bbc4566051cbc872880635c3454e0fcc2927e202b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x55a505118358b8e4c1eb13d890f5f93e Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=4, length=213 Message-Authenticator = 0x61d9e7da9afb1e5f593a4f49da38aea5 Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0x55a505118358b8e4c1eb13d890f5f93e Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0105002019001703010015e5cb904a4ae17227ee548f2e59713b357264b39a3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x54ba7141dd65ceaf3ceab7b38c5a51e5 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=5, length=246 Message-Authenticator = 0x6daa02772e4ba5606e88b8579fc97316 Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0x54ba7141dd65ceaf3ceab7b38c5a51e5 Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500271900170301001c301f39be5a21dd1e4e6d5ecc323d922c6b934d124b96bd13542eda00 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 39 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - MYNTDOMAIN\user rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of MYNTDOMAIN\user PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to MYNTDOMAIN\user Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0106003c19001703010031e5cef74da06987f33ffda9d515e2ec9c0d3a0312bd499add52ef378e1b48dc48c46eca9e42827bc312295eed4fdc74649f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa06b14df569b5c41a36b859535b3b5f2 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=6, length=300 Message-Authenticator = 0x046443a3556f1099bad21bc449ae407a Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0xa06b14df569b5c41a36b859535b3b5f2 Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0206005d1900170301005281ed9614a3f65d1fdb80684aba8ac543824a545affa1141e61b90c8a8cd6d666f81929e3e25185ad5f3f21bfaf3637d57f06a38bf23cf6105db5b3e98b42027dfad4972c973477282cb49cd43a4b2e4260c9 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 93 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 6 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to MYNTDOMAIN\user PEAP: Adding old state with 43 75 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 70 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 6 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: '--domain=MYNTDOMAIN' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=user' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: fc radius_xlat: '--challenge=7bb63d62291bd255' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=1ace51d8b230eef7abd8ab34bd4dd34694160c3005d8d237' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 192.168.5.34 port 1412 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010700261900170301001bebdaf31c825260a93d9dbcbbcc30fdd0a420825e60fac9a90ddcaa Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfbc84ecb15a9701fbe8881a991353ad Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=7, length=245 Message-Authenticator = 0x7da4f7bb0a8b7917661ad80df2fc8039 Service-Type = Framed-User User-Name = "MYNTDOMAIN\\user" Framed-MTU = 1488 State = 0xcfbc84ecb15a9701fbe8881a991353ad Called-Station-Id = "00-1E-C1-30-51-C0:CCA2" Calling-Station-Id = "00-13-CE-3B-44-4F" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700261900170301001bcd75d98ab21f529d4287baa177a67afb1ea3f01c7e3cf4901ad156 NAS-IP-Address = 192.168.5.34 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "MYNTDOMAIN\user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 7 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.34:1412, id=7, length=245 Sending Access-Reject of id 7 to 192.168.5.34 port 1412 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 483510b3 Cleaning up request 1 ID 1 with timestamp 483510b3 Cleaning up request 2 ID 2 with timestamp 483510b3 Cleaning up request 3 ID 3 with timestamp 483510b3 Cleaning up request 4 ID 4 with timestamp 483510b3 Cleaning up request 5 ID 5 with timestamp 483510b3 Cleaning up request 6 ID 6 with timestamp 483510b3 Cleaning up request 7 ID 7 with timestamp 483510b3 Nothing to do. Sleeping until we see a request. -- Tomáš Janeček
Hi,
Now I went back to the default configuration and made only a few changes (according to http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO).
Everything looks much better now, but I still get the "wrong password" error.
ntlm_auth isnt happy - the ouput shows this..
Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
i see you have this: --domain=MYNTDOMAIN is this the correct domain? is this a domain that you AD can handle? your basic unconfigured PC will have any random name if the system itself isnt in the AD etc - you will need to ensure that the radiusd.conf etc is configured to override any random DOMAIN values that get sent. as per comments and examples in the source code... alan
MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth on server uses my real domain... I see the error announced by ntlm_auth, but don't know how to repair it. When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN --username=user and provide the password, everything works fine... The Windows machine is member of domain (for few months). Isn't there a problem with the PLAINTEXT? -- Tomáš Janeček
Tomáš Janeček wrote:
MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth on server uses my real domain...
I see the error announced by ntlm_auth, but don't know how to repair it. When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN --username=user and provide the password, everything works fine...
The Windows machine is member of domain (for few months).
Isn't there a problem with the PLAINTEXT?
No. ntlm_auth will take the MS-CHAP data, and send it to Active Directory. AD *should* use that to authenticate the user, and return ok/fail. To test MS-CHAP, I suggest using eapol_test, from wpa_supplicant. See src/tests/eap-ttls-mschap.conf for a sample configuration. 1) test ntlm_auth on the command-line with clear-text passwords 2) test EAP-TTLS + MSCHAP with eapol_test, and a user in the "users" file. 3) test EAP-TTLS + MSCHAP with eapol_test, and the username/password from (1). 4) test it with a real supplicant. Alan DeKok.
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed. So you have explained why EAP-TTLS (CHAP) fails, thanks! So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken? --------------- Barry Dean Networks Team
Am 20.05.2008 um 16:05 schrieb Dean, Barry:
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.
So you have explained why EAP-TTLS (CHAP) fails, thanks!
So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken?
As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE. So if you have only a password for MS-CHAP, you do not have a MD5 version of the password.
--------------- Barry Dean Networks Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Nicolas Goutte wrote:
Am 20.05.2008 um 16:05 schrieb Dean, Barry:
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.
So you have explained why EAP-TTLS (CHAP) fails, thanks!
So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken?
As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE. So if you have only a password for MS-CHAP, you do not have a MD5 version of the password.
That's correct. We don't use AD so didn't have the NT Hash of the users password in out LDAP directory. We used transparent credential capture on one of our major web applications over a few months to populate the NT Password field. Here is a nice one-liner (well three with the example) in PHP <?php $str = 'myPassword' $hash = bin2hex(mhash(MHASH_MD4,mb_substr(mb_convert_encoding($str,'UCS-2LE','auto'),0,128))); echo $hash; ?>
--------------- Barry Dean Networks Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Have a nice day!
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services (IT Services) E1-1-08, Engineering 1, University Of Sussex, Brighton EXT: +44 1273 873900 | INT: 3900
Dean, Barry wrote:
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.
So you have explained why EAP-TTLS (CHAP) fails, thanks!
So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken?
EAP-MD5 won't work either... Ok the basic requirement for most Authentication schemes transferring the users credentials as a none reversible hash, is that the password is available RADIUS side as either a clear-text string, or as a reversible hash which can be transformed back into a clear-text string. I say most because there is of course a few exceptions, the most notable being MSCHAP & MSCHAPv2 which allow you to store the password directory side as an MD4 hash of the passphrase encoded as a 16bit unicode string (NT Password) or a LANMAN password (can't remember the encoding for that). I believe that AD uses NT Password hashes, which is why PEAP just works out of the box with Microsoft IAS. So no MD5/ CHAP won't work with active directory. But PAP, MSCHAP/ MSCHAPv2 should all work just fine. Thanks, Arran
--------------- Barry Dean Networks Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services (IT Services) E1-1-08, Engineering 1, University Of Sussex, Brighton EXT: +44 1273 873900 | INT: 3900
Am 20.05.2008 um 16:20 schrieb Arran Cudbard-Bell:
Dean, Barry wrote:
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.
So you have explained why EAP-TTLS (CHAP) fails, thanks!
So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken?
EAP-MD5 won't work either...
Ok the basic requirement for most Authentication schemes transferring the users credentials as a none reversible hash, is that the password is available RADIUS side as either a clear-text string, or as a reversible hash which can be transformed back into a clear-text string.
I say most because there is of course a few exceptions, the most notable being MSCHAP & MSCHAPv2 which allow you to store the password directory side as an MD4 hash of the passphrase encoded as a 16bit unicode string (NT Password) or a LANMAN password (can't remember the encoding for that).
For those interested how the passwords are made, see the man page for smbpasswd(5). e.g.: http://samba.org/samba/docs/man/manpages-3/ smbpasswd.5.html
I believe that AD uses NT Password hashes, which is why PEAP just works out of the box with Microsoft IAS. So no MD5/ CHAP won't work with active directory. But PAP, MSCHAP/ MSCHAPv2 should all work just fine.
Thanks, Arran
--------------- Barry Dean Networks Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services (IT Services) E1-1-08, Engineering 1, University Of Sussex, Brighton EXT: +44 1273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Dean, Barry -
Nicolas Goutte -
Tomás( Janec(ek -
Tomáš Janeček