WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos
Hello, I am trying to implement WPA Enterprise / 802.1X, Freeradius and Kerberos. The client is a Linksys running DD-WRT. The Supplicant is Mac OS Laptop. Both are most recent versions of OS. I can exececute radtest on localhost and authenticate through Freeradius to my KDC. I can get my wireless AP to authenticate through WPA if the user is located in /etc/raddb/users. I cannot get all the pieces working together. Laptop->AP->Freeradius-
Kerberos.
I can see this problem has been posted to the list many times, and I have read all the archived followups to no avail. I apologize for bringing it up again. Thanks for reading the details below and I sincerely appreciate your time and assistance. Here are the details: FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu All conf files are freshly installed default, with ONLY the following exceptions: == /etc/raddb/users = (1st line) DEFAULT Auth-Type = Kerberos == /etc/raddb/clients.conf == client wireless { ipaddr = 10.3.10.244 secret = testing123 require_message_authenticator = no nastype = other } == /etc/raddb/modules/krb5 == krb5 { keytab = /etc/krb5.keytab service_principal = radius/phylloxera.int } == /etc/raddb/sites-enabled/default == (authenticate section, added just after pap) Auth-Type Kerberos { krb5 } == /etc/raddb/sites-enabled/inner-tunnel == (authenticate section, added just after pap) Auth-Type Kerberos { krb5 } Here is the debug when I execute /usr/sbin/radiusd -X [root@phylloxera raddb]# /usr/sbin/radiusd -X FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/krb5.rpmsave including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/ sqlcounter_expire_on_login including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client wireless { ipaddr = 10.3.10.244 require_message_authenticator = no secret = "testing123" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_krb5 Module: Instantiating krb5 krb5 { keytab = "/etc/krb5.keytab" service_principal = "radius/phylloxera.int" } rlm_krb5: krb5_init ok Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m %d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=125 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b01746573746572 Message-Authenticator = 0x21503e7549c19cf09711c9f0e287924d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010100160410b73513541291ee275ba096e282e75d16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cd8d359f12250e26f4639c84 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 0 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cd8d359f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0xca9d479dd79b6db64344460001c1dcff +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cc8e289f12250e26f4639c84 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=244 Cleaning up request 1 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cc8e289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007019800000006616030100610100005d03014a046f6ffd4622727b7fe840548093a6cd6529401366712b6a4a021431d0890e000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0xc01bb915e0c7c19e635ab791c0a6f397 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 075b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0103040019c000000798160301002a0200002603014a046f70d73689ab83ac05850c5bd976108681d95b675f64a04355c10acba8f300002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b EAP-Message = 0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6 EAP-Message = 0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203 EAP-Message = 0xa43082028c020900b50dced6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cf8f289f12250e26f4639c84 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 2 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cf8f289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x4efdc7a65d9102db211286ea4c3cbe37 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010403a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f EAP-Message = 0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6 EAP-Message = 0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82 EAP-Message = 0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9ce88289f12250e26f4639c84 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=470 Cleaning up request 3 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9ce88289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204015019800000014616030101061000010201003b6a2b000b3edb3d8cfe2c7f98cccec696da6b9b38b21f0578e81534a5c3648e69c385a881e3071c633be194e036610c9485c0a435a3a3650c6f8410b5f2c651b4e8dfa827bedc6d9b7b7368af7b6ea9b8cc90df5227d46674ee65faff16e9e59aee2ad25d7452c54672464c06016cd4b34572170fd22ec0bc47a1bd330a17a46870694f269d88918e85793dcd68717483fa18bb509b492019f60e16cd467a6fae08e6ef9628e7c7dd32e15edcc6702e0f013c92d8ac953a751b35eeeda81268affd614a0491572dbff57d953a5ee96c2e100ad030a6e66d0ef5278ce1933a3652550c3db81e7169 EAP-Message = 0x5a6b42214104860bf1ff779d53c7369fc901e893cb13b70f1403010001011603010030523195a3c58ba7ffeac0e5c403f0ca3878dca29734948add69ddc734524a39037ac173eccf4d87495bcdc2bc32ee3d86 Message-Authenticator = 0xdef03fe0f2fd1527dad419f0ca4a82cb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0105004119001403010001011603010030d233d2d55b9a4773b9280a7c9a51eb7bb57d670664b97b90caa2f8b55fc49d00a4eea9079926b55a97ea4e5fd0139e40 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9c989289f12250e26f4639c84 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 4 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9c989289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x5f15431a241e9da035a94719d1e153fd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0106002b190017030100202422b6d3cc58e9c4df6ddb64156b89872d122024724063adbb8dd5d4d59c1dfd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9c88a289f12250e26f4639c84 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 5 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9c88a289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206002b190017030100203b73588928855c05e8404224d308d774c925f454228cd76ac9d9ff8c7a501ad9 Message-Authenticator = 0xdc1cd39179ef119fe82530251f72204d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - tester [peap] Got tunneled request EAP-Message = 0x0206000b01746573746572 server { PEAP: Got tunneled identity of tester PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x0206000b01746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe925397ee9222325c5dc4fd26464f2d4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe925397ee9222325c5dc4fd26464f2d4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0107004b190017030100407c2585d5e3825e8c2a2405ff40a4a1b1bac08fc2db4a7f47db9369554831651a5092924a410547a5aa77723734e88014b3efcf29f2d4727e8a8db9b2cbc0e7f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cb8b289f12250e26f4639c84 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=239 Cleaning up request 6 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cb8b289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b190017030100603baa25744d564eb3059d38dce66a6fbc9fc3d266380331153f90a67b079e2c023477c06ad51ea3c0639af5af9e8adea052387c1cc106d093f08bc1913f28228514d90caa0c377b3159424b1759395805f8f2c1455e1d724f66240edd2b30ca23 Message-Authenticator = 0x87c4ccaca90ff6414683bf77e1b9dfb5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572 server { PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" State = 0xe925397ee9222325c5dc4fd26464f2d4 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for tester with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0108002b19001703010020bc216b00504ff8add69117afc6cc7e928e4240d2bfcebe8be6530eab97bdf092 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9ca84289f12250e26f4639c84 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 7 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9ca84289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b19001703010020ef084f918baf1609d5265d80d08eff32798f600b5c92db2cb8e274078fbcc824 Message-Authenticator = 0x5699520904f01c53d5352d8738666a1a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> tester attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=125 Cleaning up request 8 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b01746573746572 Message-Authenticator = 0x3194e7f8f7a958e666638cd3182ddf80 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010200160410f7612c264c829c4995aa9cda0e9b127c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c578de5c52e669b108f8455764 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 9 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c578de5c52e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200060319 Message-Authenticator = 0xa9a0893329cc091115343940f725fcec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c579df4152e669b108f8455764 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=244 Cleaning up request 10 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c579df4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203007019800000006616030100610100005d03014a046f6f7d6aaeb890601ac86bcecc8affe25094a4150fb95cbf3f7e1d160646000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0xe3c10ee0699969c4312d3bf0b58056d6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 075b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0104040019c000000798160301002a0200002603014a046f71c8aacead425cef78684cae50dc0259c36026fbce1a09cb7e080a6f8c00002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b EAP-Message = 0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6 EAP-Message = 0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203 EAP-Message = 0xa43082028c020900b50dced6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ad84152e669b108f8455764 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 11 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ad84152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0x05c66744945082f28f36c2771a60e3f2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010503a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f EAP-Message = 0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6 EAP-Message = 0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82 EAP-Message = 0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57bd94152e669b108f8455764 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=470 Cleaning up request 12 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57bd94152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205015019800000014616030101061000010201004202367899c3b793e58f85eec54ec3d11ea5c6800f075d699049871581144420a8d3dc1f2754eff11d2bf4203b2398b5a7a994b8de84c2f9e3d976e28e8576978d43173d352cfcf5cce2da6374106face22df881f22b3783440ff08496e7c85a180ba55837efc2ce7bc8d2dfb5e6db95b957c6caebf2dd48eee51b2314de51cde52bb1f3578efe428ac32c5a4f1a8263315fd59799e5449c166704227f3d1765891b47808ec9775bfe6863f9a75337c5968f2b81a3dc05f09ceb1151b9875c82f3c663958f578dc2b82c6fe04a949539041875efa0de9eae9e772592e6ae7f1b3d0328b6ad6a3a92 EAP-Message = 0xdd6767afc3d0ffaceeca4952958bf89b71f6e1d7d4b649b51403010001011603010030c258f6ca81c4367137829a379f872c85f15ec4e0ac8f51ed46ac28fb62eb72fa696e0ea9d4e0e443bec9c6535d7bc46a Message-Authenticator = 0x4f3f3f37579e8ad0b7066fa0405493b0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0106004119001403010001011603010030795e90a9ee62aefc345d48a85c3773deb9e5c7ca96666cab97a391a7270d20124acd3d2e60516e1437b69176e43a3f06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57cda4152e669b108f8455764 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 13 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57cda4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x0127c630203668e74ce78a8061760d8a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0107002b190017030100209f2268fee846793f5e2d91120ef82714cd39e92edbb90bb6a78247708dc580ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ddb4152e669b108f8455764 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 14 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ddb4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002b19001703010020d1323b8745befe8dd0d52860fa045bff328dd0064886b2e1f65f720a8c6903ec Message-Authenticator = 0xd56322919087c0d758cb8ec640899a42 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - tester [peap] Got tunneled request EAP-Message = 0x0207000b01746573746572 server { PEAP: Got tunneled identity of tester PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x0207000b01746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64d177e764d96d1b400f4dd37b7bca98 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64d177e764d96d1b400f4dd37b7bca98 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0108004b19001703010040d219d80fa26576c8ce19ab7a9e891944155f20b7e19366e64b8975cbf8731f837b9dba4205dc568e146fd55941531e0b8d2669ec7dd8a0f2bf4dfe7f8357f2b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ed44152e669b108f8455764 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=239 Cleaning up request 15 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ed44152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208006b19001703010060bc0f8394d7a2889505db5d86be74fcfe859175dcdcbedd71a0c628ea107f34adb0a24bbdf710f0dd7219fea3387b0faa439facdaaf73bbef0b04b0ccf3c974df2cf4239525aa3638a8223a6bce230ab8ca0628a5fcfa3f020b4edf78b2ab0a7a Message-Authenticator = 0xd95188675b4fad312942d9c5f83398af +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572 server { PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" State = 0x64d177e764d96d1b400f4dd37b7bca98 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for tester with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0109002b1900170301002060bfbfb66c2bd64e39f20872626195a181c0c08bca0521ea5b49bfac3a094a12 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57fd54152e669b108f8455764 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 16 ID 0 with timestamp +74 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57fd54152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002b19001703010020602339290ccce2168a04de6503cc6adcfdbb2e0c274149a39c0980b0c64e6491 Message-Authenticator = 0xaff4f98041cc4d8d802f7e234a36ec41 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> tester attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 17 ID 0 with timestamp +74 Ready to process requests. Scott Sears scott@myemma.com
Scott Sears wrote:
I cannot get all the pieces working together. Laptop->AP->Freeradius->Kerberos.
It's impossible. Kerberos requires a clear-text password to authenticate (or various Kerberos crypto tokens derived from the password). PEAP supplies an MS-CHAP hash, not a clear-text password. So the two are *incompatible*. If you use SecureW2, you can configure Windows to do TTLS+PAP. That will supply a clear-text password in the inner tunnel, which will allow kerberos to work.
I can see this problem has been posted to the list many times,
Kerberos + EAP? I don't recall seeing that very often. Windows + EAP questions happen a lot... Alan DeKok.
On 8/5/09 20:00, Alan DeKok wrote:
Scott Sears wrote:
I cannot get all the pieces working together. Laptop->AP->Freeradius->Kerberos.
It's impossible.
Kerberos requires a clear-text password to authenticate (or various Kerberos crypto tokens derived from the password).
PEAP supplies an MS-CHAP hash, not a clear-text password.
So the two are *incompatible*.
If you use SecureW2, you can configure Windows to do TTLS+PAP. That will supply a clear-text password in the inner tunnel, which will allow kerberos to work.
Really? I would have thought the exchange would be far more complex than just PAP? Surely you can't bootstrap Kerberos like that.
I can see this problem has been posted to the list many times,
Kerberos + EAP? I don't recall seeing that very often.
It's not supported by any Windows supplicants i've come across.
Windows + EAP questions happen a lot...
Has anyone actually got EAP-Kerberos or some other equivalent scheme working with windows ? Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Arran Cudbard-Bell wrote:
If you use SecureW2, you can configure Windows to do TTLS+PAP. That will supply a clear-text password in the inner tunnel, which will allow kerberos to work.
Really? I would have thought the exchange would be far more complex than just PAP? Surely you can't bootstrap Kerberos like that.
You can't. But you can use a KDC as an authentication oracle. RADIUS: Is this PAP password OK? KDC: yes/no. RADIUS: thanks...
Has anyone actually got EAP-Kerberos or some other equivalent scheme working with windows ?
Ugh. No. Alan DeKok.
On 8/5/09 21:11, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
If you use SecureW2, you can configure Windows to do TTLS+PAP. That will supply a clear-text password in the inner tunnel, which will allow kerberos to work.
Really? I would have thought the exchange would be far more complex than just PAP? Surely you can't bootstrap Kerberos like that.
You can't. But you can use a KDC as an authentication oracle.
RADIUS: Is this PAP password OK? KDC: yes/no.
Does it request a TGT and then see if it can decrypt it ?
RADIUS: thanks...
Yes realised what you were doing :) I suppose it's usefulish...
Has anyone actually got EAP-Kerberos or some other equivalent scheme working with windows ?
Ugh. No.
Didn't think so. If only those Xsupplicant guys managed to get it working on a platform *other* than XP. Maybe people would be more inclined to contribute code to do these neat things *sigh*. I'm going to file this under the *really really cool, but not for another decade* section. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Arran Cudbard-Bell wrote:
On 8/5/09 21:11, Alan DeKok wrote:
You can't. But you can use a KDC as an authentication oracle.
RADIUS: Is this PAP password OK? KDC: yes/no.
Does it request a TGT and then see if it can decrypt it ?
Yes, that's the basic process, it also validates the KDC. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Alan, Thank you for your quick and kind response. On May 8, 2009, at 2:00 PM, Alan DeKok wrote:
Scott Sears wrote:
I cannot get all the pieces working together. Laptop->AP->Freeradius->Kerberos.
It's impossible.
Here is the thread which made me think it was possible, and led me to this list. Apparently I've made a mistake, but perhaps you can explain the difference between my goal and the one described in the thread? http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39522.h... On May 8, 2009, at 2:00 PM, Alan DeKok wrote:
Kerberos requires a clear-text password to authenticate (or various Kerberos crypto tokens derived from the password).
PEAP supplies an MS-CHAP hash, not a clear-text password.
I understand this. I believed that I could set up an encryption tunnel and then send the cleartext securely within tunnel to the KDC. All that being said, here is my last question: Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track. Thanks again for your time. Scott Sears
Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track.
EAP-TTLS/PAP. Native Windows supplicant can't do this but SecureW2 does. Ivan Kalik Kalik Informatika ISP
That's did it! I just needed to change settings on the supplicant. My freeradius config was OK. Thank you SO much. On May 8, 2009, at 2:45 PM, Ivan Kalik wrote:
Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track.
EAP-TTLS/PAP. Native Windows supplicant can't do this but SecureW2 does.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 8/5/09 20:45, Ivan Kalik wrote:
Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track.
EAP-TTLS/PAP. Native Windows supplicant can't do this but SecureW2 does.
Ahh I get what you're doing. Yes you can use kerberos for authentication but not SSO. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Scott Sears wrote:
Here is the thread which made me think it was possible, and led me to this list. Apparently I've made a mistake, but perhaps you can explain the difference between my goal and the one described in the thread?
The difference is you are NOT using the EAP method recommended either in that thread, or in my previous response. The debug log you posted showed MS-CHAP authentication. That is impossible to use with Kerneros.
PEAP supplies an MS-CHAP hash, not a clear-text password.
I understand this. I believed that I could set up an encryption tunnel and then send the cleartext securely within tunnel to the KDC.
Yes... but you didn't do that. The thread you pointed to, and my message, both told you the same thing: use TTLS+PAP. You're not doing that. You won't be able to use Kerberos until you follow the instructions posted here, and in the thread you claimed to have read.
All that being said, here is my last question:
Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track.
Perhaps you can try reading my messages? I told you how it was possible: Download SecureW2, and use TTLS+PAP. Rather than doing that, you've wasted your time, and mine, by asking "how do I do it". I already told you. Once in that thread, and again in my previous email message. Follow the instructions in the thread, and in my previous email message. I really can't emphasize that enough. Alan DeKok.
Alan, Thank you so much for your time. I truly did read the thread - many times (that's why my config worked perfectly once I changed the setting on the supplicant) and it was and is clear that you are an expert on the subject.... that's why I posted to this list. Those of us who are new to these concepts could not become useful members of the community without your help. You've made my week, and I hope that I can be helpful to someone in this regard in the future. Kindest regards, Scott On May 8, 2009, at 3:07 PM, Alan DeKok wrote:
Scott Sears wrote:
Here is the thread which made me think it was possible, and led me to this list. Apparently I've made a mistake, but perhaps you can explain the difference between my goal and the one described in the thread?
The difference is you are NOT using the EAP method recommended either in that thread, or in my previous response.
The debug log you posted showed MS-CHAP authentication. That is impossible to use with Kerneros.
PEAP supplies an MS-CHAP hash, not a clear-text password.
I understand this. I believed that I could set up an encryption tunnel and then send the cleartext securely within tunnel to the KDC.
Yes... but you didn't do that. The thread you pointed to, and my message, both told you the same thing: use TTLS+PAP.
You're not doing that.
You won't be able to use Kerberos until you follow the instructions posted here, and in the thread you claimed to have read.
All that being said, here is my last question:
Is it *in any way* possible to securely authorize mobile supplicants through a wireless AP to a Freeradius server using a KDC for authentication? Perhaps its doable, but I'm just not on the right track.
Perhaps you can try reading my messages?
I told you how it was possible: Download SecureW2, and use TTLS+PAP.
Rather than doing that, you've wasted your time, and mine, by asking "how do I do it". I already told you. Once in that thread, and again in my previous email message.
Follow the instructions in the thread, and in my previous email message. I really can't emphasize that enough.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello,
I am trying to implement WPA Enterprise / 802.1X, Freeradius and Kerberos. The client is a Linksys running DD-WRT. The Supplicant is Mac OS Laptop. Both are most recent versions of OS.
I can exececute radtest on localhost and authenticate through Freeradius to my KDC. I can get my wireless AP to authenticate through WPA if the user is located in /etc/raddb/users. I cannot get all the pieces working together. Laptop->AP->Freeradius-
Kerberos.
...
server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 ...
Kerberos module can't authenticate mschap requests. Only pap. Ivan Kalik Kalik Informatika ISP
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik -
John Dennis -
Scott Sears