Re: Unable to authenticate to Open Directory
I trimmed this down some, although I'm sure it could be trimmed a lot more... Ready to process requests. rad_recv: Access-Request packet from host 72.33.52.18:1645, id=158, length=139 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x9c667cafd791e54213885defa1c14f5f EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 0 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 158 to 72.33.52.18 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ffcbe4309dcfe1624d52b4001437bc6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=159, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x2a97d54ce690c33ab793c9d08a60af28 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0x9ffcbe4309dcfe1624d52b4001437bc6 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 159 to 72.33.52.18 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28e762b2e07141efde83bdebb85bb2c5 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=160, length=295 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xdb772428162765ec5ec66a0e883d323c EAP-Message = 0x0204009e198000000094160301008f0100008b030 NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0x28e762b2e07141efde83bdebb85bb2c5 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 158 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 2 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 008f], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 160 to 72.33.52.18 port 1645 EAP-Message = 0x0105040a19c0000006af160301004a020 EAP-Message = 0x0b3009060355040613025553311230100 EAP-Message = 0x5d6e4a169057cacdca0c241f7664b4ee3 EAP-Message = 0x0d06092a864886f70d010105050003818 EAP-Message = 0x20417574686f72697479301e170d3938303832323136 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6f4f1292aabb7bebdee1f88f31407af8 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=161, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x105bbd75eae3037f337d028796f90340 EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0x6f4f1292aabb7bebdee1f88f31407af8 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 3 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 161 to 72.33.52.18 port 1645 EAP-Message = 0x010602b51900343135315a170d31383038323231363 EAP-Message = 0x0f3a88e7bf14fde0c7b90203010001a382010930820 EAP-Message = 0x0101ff301a06092a864886f67d074100040d300b1b0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee3b3812e9ee0e12d7bdb69c59963942 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=162, length=345 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x859d480da5b4827c223dd8358789478c EAP-Message = 0x020600d01980000000c6160301008610000082008036 NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0xee3b3812e9ee0e12d7bdb69c59963942 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 4 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 162 to 72.33.52.18 port 1645 EAP-Message = 0x0107004119001403010001011603010030f3769ba79 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd002e1d1d12a1423701aa22fd36caecb Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=163, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xc7607f7b1b4df6de6d61f3ab291f389f EAP-Message = 0x020700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0xd002e1d1d12a1423701aa22fd36caecb NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 5 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 163 to 72.33.52.18 port 1645 EAP-Message = 0x0108002b190017030100204511cb4accee4ad2cbd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf59a14428dc50b51e681cead9795e59 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=164, length=196 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x3c6cc76368bbd0064007012bd9a56286 EAP-Message = 0x0208003b19001703010030435e58e7bc3f43b1004d NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0xaf59a14428dc50b51e681cead9795e59 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 59 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - DOMAIN\testuser rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e PEAP: Got tunneled identity of DOMAIN\testuser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to DOMAIN\testuser PEAP: Sending tunneled request EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\testuser" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 215 modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 PEAP: Got tunneled reply RADIUS code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Cancelling proxy to realm DOMAIN2 until the tunneled EAP session has been established PEAP: Processing from tunneled session code 0x3d1130 11 EAP-Message = 0x010900291a010900241023e844fb299922328bcd9afb85 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eccb033105fdb6a479a942749c87c81 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 164 to 72.33.52.18 port 1645 EAP-Message = 0x0109004b190017030100407a57237c993df0b86a51e4e9d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x297dcaf7b8e27012949b741e7450c53d Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=165, length=244 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x85fc0a7a6f33fd4e6ae3c878b1899924 EAP-Message = 0x0209006b190017030100608ff942023de3a18f37dcdd NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0x297dcaf7b8e27012949b741e7450c53d NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 107 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 7 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with 2e cc PEAP: Sending tunneled request EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\testuser" State = 0x2eccb033105fdb6a479a942749c87c81 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 74 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 215 modcall[authorize]: module "files" returns ok for request 7 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 PEAP: Got tunneled reply RADIUS code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Not-EAP proxy set. Not composing EAP modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 PEAP: Tunneled authentication will be proxied to DOMAIN2 PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. Tunneled session will be proxied. Not doing EAP. modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Request of id 0 to 128.104.117.22 port 1812 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 MS-CHAP-Challenge = 0x23e844fb299922328bcd9afb85604ade MS-CHAP2-Response = 0x09494473091d3995ad42145fd87434bc693200000000 Proxy-State = 0x313635 Waking up in 6 seconds... rad_recv: Access-Accept packet from host 128.104.117.22:1812, id=0, length=76 MS-CHAP2-Success = 0x09533d46414634414241314436303436383634313932 Proxy-State = 0x313635 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 7 PEAP: Passing reply from proxy back into the tunnel. PEAP: Passing reply back for EAP-MS-CHAP-V2 0x3d2d80 2 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 7 rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x3d2d80 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success modcall[post-proxy]: module "eap" returns ok for request 7 modcall: leaving group post-proxy (returns ok) for request 7 POST-PROXY 2 POST-AUTH 2 PEAP: Final reply from tunneled session code 11 Proxy-State = 0x313635 EAP-Message = 0x010a00331a0309002e533d46414634414241314436303 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33ada0ae4018cfd21fc1676f5cde8477 PEAP: Got reply 11 PEAP: Processing from tunneled session code 0x3d2ca0 11 Proxy-State = 0x313635 EAP-Message = 0x010a00331a0309002e533d464146344142413144363 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33ada0ae4018cfd21fc1676f5cde8477 PEAP: Got tunneled Access-Challenge PEAP: Reply was handled modcall[post-proxy]: module "eap" returns ok for request 7 modcall: leaving group post-proxy (returns ok) for request 7 Sending Access-Challenge of id 165 to 72.33.52.18 port 1645 EAP-Message = 0x010a005b19001703010050ab3d27c44ba17259fa4f5a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166, length=180 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xcc902bdbb6da0a2113692c7cbe6f0e22 EAP-Message = 0x020a002b190017030100202fd67124633b5504682f NAS-Port-Type = Wireless-802.11 NAS-Port = 26830 State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6 NAS-IP-Address = 72.33.52.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 8 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 72.33.52.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020a00061a03 PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with 33 ad PEAP: Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\testuser" State = 0x33ada0ae4018cfd21fc1676f5cde8477 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 215 modcall[authorize]: module "files" returns ok for request 8 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 PEAP: Got tunneled reply RADIUS code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 PEAP: Can't handle the return code 4 rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. Login incorrect: [testuser] (from client BiochemWireless port 26830 cli 001f.5bbe.f006) Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166, length=180 Sending Access-Reject of id 166 to 72.33.52.18 port 1645 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Cleaning up request 0 ID 158 with timestamp 49120210 Cleaning up request 1 ID 159 with timestamp 49120210 Cleaning up request 2 ID 160 with timestamp 49120210 Cleaning up request 3 ID 161 with timestamp 49120210 Cleaning up request 4 ID 162 with timestamp 49120210 Cleaning up request 5 ID 163 with timestamp 49120210 Cleaning up request 6 ID 164 with timestamp 49120210 Cleaning up request 7 ID 165 with timestamp 49120210 Cleaning up request 8 ID 166 with timestamp 49120210 Nothing to do. Sleeping until we see a request. ^C sh-3.2# Kerry Tobin
------------------------------
Message: 4 Date: Wed, 05 Nov 2008 16:24:44 +0100 From: <tnt@kalik.net> Subject: Re: Freeradius-Users Digest, Vol 43, Issue 17 To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <wdb2w2Tp.1225898684.9428930.tnt@kalik.net> Content-Type: text/plain; charset=ISO-8859-2
OK, I think I'm another step closer now. I made the suggested change and there was no change in the logs. EAP still was not being done on the local machine and was failing on the proxy. However, I tried creating a second domain, set the original domain to go to LOCAL and the second domain to go to the proxy server. When I do that the proxy properly authenticates to Open Directory, step one. However, eventually I get a failure in rlm_eap again.
modcall: entering group authenticate for request 8 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler
Am I on to the beginning of a solution by using two domains or do I need to go back and then change something else?
Can you post both debugs from the server that is terminating eap. You can start with the request before it decides to proxy (you can leave out eap-tls tunnel creation).
Ivan Kalik Kalik Informatika ISP
I trimmed this down some, although I'm sure it could be trimmed a lot more...
I have tested this: EAP ==> 1.1.7 ==> MSCHAPv2 ==> 2.0.5 fails with the same problem:
rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
EAP ==> 2.0.5 ==> MSCHAPv2 ==> 1.1.7 works. Answer: upgrade. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Kerry Tobin -
tnt@kalik.net