The last piece of the puzzle - XP host authentication
After my first install of FR (2.1.10) I quickly got into a twisty maze of config files, all different. I resolved, after quite a bit of research and poking around, to wipe the install clean and start over. Which I did. So now I've got, by carefully following the help pages on the site, the ability to login and enable on my switches using our Active Directory credentials, and the ability to do port authorization using the same credentials - provided that the user information is cached on the workstation of course. I generated the certificates and installed the root cert on the clients and they appear to be working correctly. I'm really quite happy with the results so far. What I'm looking for now is the last step, authenticating the hosts so that AD users whose credentials haven't been cached can still log in and then port authorize. Like the man says, other people are doing it so I know it's not impossible. What seems to be happening from reading the debug is that domain/user requests are coming in using EAP, doing the TLS interchange, then using MSCHAPv2 to verify the credentials. The host requests, on the other hand, do the TLS side but never seem to progress to the mschap portion. I've gone mildly crosseyed reading the debugs but I don't see where it is that I've gone wrong. I'm very new to RADIUS but I've been doing Linux and Windows for a while so I know that this *should* work. The configuration is: AD 2008 with a Slackware Linux server running the lastest Samba and Kerberos as well as obviously FR. The client is a Windows XP box with the latest service pack. Below is a mildly sanitized copy of radiusd -X with both failed machine logins (LP-0010 is the host) and a successful user (myuser) login. Thanks for having a look at this. =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.18 15:25:43 =~=~=~=~=~=~=~=~=~=~=~= rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=190, length=237 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" EAP-Message = 0x0201001b01686f73742f4c502d303031302e70666663752e6f7267 Message-Authenticator = 0x9b19fa15e960a41e27e211d8f1b33a10 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 176 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 190 to 192.168.999.7 port 4815 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f47b7a34f45aeed84d0f0a572607961 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=191, length=315 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x4f47b7a34f45aeed84d0f0a572607961 EAP-Message = 0x0202005719800000004d16030100480100004403014dac90982dabda3d66a5f26d5da94e79cd801480e05dc321acbf9a30f85fe45000001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0xc430c8a708ade14f4e3e71aefbaba831 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0883], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 191 to 192.168.999.7 port 4815 EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac906e63451b67f59266bd8f3c0b11c93f0e91e1379a7c5fef9506ed97dcf30000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066 EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569 EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405 EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8 EAP-Message = 0xcdc08eb134ef355d3f0004c1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f47b7a34e44aeed84d0f0a572607961 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=192, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x4f47b7a34e44aeed84d0f0a572607961 EAP-Message = 0x020300061900 Message-Authenticator = 0x68ae528241948aee7a09919d712b4b26 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 192 to 192.168.999.7 port 4815 EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530 EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5 EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7 EAP-Message = 0x3c6900c0e5fd63fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f47b7a34d43aeed84d0f0a572607961 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=193, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x4f47b7a34d43aeed84d0f0a572607961 EAP-Message = 0x020400061900 Message-Authenticator = 0x8eb6e8c023218ae06d7e860ea6207ee4 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 193 to 192.168.999.7 port 4815 EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f47b7a34c42aeed84d0f0a572607961 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=194, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x4f47b7a34c42aeed84d0f0a572607961 EAP-Message = 0x020500061900 Message-Authenticator = 0xc3110d80e879e2d17c0e27c3579b7ffa # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 194 to 192.168.999.7 port 4815 EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4f47b7a34b41aeed84d0f0a572607961 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=195, length=221 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" EAP-Message = 0x020100130150464643555c69732d61646d696e Message-Authenticator = 0x499c467deab737e75c9aeb71373291f0 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 176 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 195 to 192.168.999.7 port 4815 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3d90dd76a0f8adddfc0e8388 Finished request 11. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=196, length=307 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3d90dd76a0f8adddfc0e8388 EAP-Message = 0x0202005719800000004d16030100480100004403014dac9098bb5794a6b42e6acdac8cc80598817ec40f55e96ca15c25849e70539f00001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0x432a5b1dba6a2d810a407f4446ec9607 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0883], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 196 to 192.168.999.7 port 4815 EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac906ee7a8c363c834c5e2a9317a2844710cf666f003ae6244e933862998960000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066 EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569 EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405 EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8 EAP-Message = 0xcdc08eb134ef355d3f0004c1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3c91dd76a0f8adddfc0e8388 Finished request 12. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=197, length=226 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3c91dd76a0f8adddfc0e8388 EAP-Message = 0x020300061900 Message-Authenticator = 0x62380d61685d98ab29fbcaf67d069608 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 197 to 192.168.999.7 port 4815 EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530 EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5 EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7 EAP-Message = 0x3c6900c0e5fd63fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3f96dd76a0f8adddfc0e8388 Finished request 13. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=198, length=226 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3f96dd76a0f8adddfc0e8388 EAP-Message = 0x020400061900 Message-Authenticator = 0xbe92f79b327d12d9b52860a6da585020 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 198 to 192.168.999.7 port 4815 EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3e97dd76a0f8adddfc0e8388 Finished request 14. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=199, length=542 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3e97dd76a0f8adddfc0e8388 EAP-Message = 0x0205014019800000013616030101061000010201006f3085720008d8d84e3e49acdfdb2edec1b2139b24961fe1b740b3dfa7dd3876317b31dc7d7dcf506c896db4e566f7b6f55a1a825b3008c0c636394b3632598f21c2007deeae355a9dd4620a77497b690af33e80ceee1858d0c7e22c4127351a232ebf2945cb67c1453d7821c0fbe4c43ab16dd9ee4548b47b88543d6446c937607906643e5e493cdf71cf314ce118067defa2699f3f526d434fd35738d7ceea27c5c81dbe467121ae4c0211b01125ae5cd69c1fa072b55555cc88ba5ef88d36b5dffd61f3910d33d03ae34a98f6cdf8464450246091f0476ba2f23fa508cbb5fd6d8af78bcb8340 EAP-Message = 0xb20cc9d052c17e90a85a712c54bbccc60db4d3b1143c0def1403010001011603010020c2a4b53b6f7ae074212b6efafa58fca2e7159d0ec9ad7fb722fd656cee822266 Message-Authenticator = 0xc4d2b44c19f412c19124768f90452aeb # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 199 to 192.168.999.7 port 4815 EAP-Message = 0x010600311900140301000101160301002011bb05ad7601c21b044169fdeaeb8b742d8c77b1f3a0e1d6aa0ca99275d8e4fd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3994dd76a0f8adddfc0e8388 Finished request 15. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=200, length=226 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3994dd76a0f8adddfc0e8388 EAP-Message = 0x020600061900 Message-Authenticator = 0x1441f574c8d8fe4deb67ac4c93b1c97b # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 200 to 192.168.999.7 port 4815 EAP-Message = 0x0107002019001703010015438cdf4b76ee410201b7404f9201ba2ab57b21c23e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3895dd76a0f8adddfc0e8388 Finished request 16. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=201, length=262 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3895dd76a0f8adddfc0e8388 EAP-Message = 0x0207002a1900170301001ffd2903eef345b285a1ea830ae034d81b0c82d07536e6d1910d73f6ca91ae35 Message-Authenticator = 0xfc42b5e789ca1adf1799d547666a52df # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 42 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - myorg\myuser [peap] Got inner identity 'myorg\myuser' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700130150464643555c69732d61646d696e server { PEAP: Setting User-Name to myorg\myuser Sending tunneled request EAP-Message = 0x020700130150464643555c69732d61646d696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "myorg\\myuser" server inner-tunnel { # Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800281a01080023104f51f22477b092be11ff22d4cd5c6abd50464643555c69732d61646d696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x151e107415160ab1898b0ca5f8a4a93e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800281a01080023104f51f22477b092be11ff22d4cd5c6abd50464643555c69732d61646d696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x151e107415160ab1898b0ca5f8a4a93e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 201 to 192.168.999.7 port 4815 EAP-Message = 0x0108003f19001703010034c0b213ed0ee5b7a85bc3b1a2795bbd8fa105c03e75258645b4842b0e0a65cdec603d3a4db1b16449aad6f7fde592a34c05cb2746 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3b9add76a0f8adddfc0e8388 Finished request 17. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=202, length=316 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3b9add76a0f8adddfc0e8388 EAP-Message = 0x0208006019001703010055e80d55e2567140412faecb44f85ce51c49c6ce3e2c3e8b73ba60ed0b7cf182f53da766607dfe9d409a74fb5275d5bb81ed88c916b8fa6afb2e28282a9c177cc338508dcc51ddb71938d39fd37e23e8e43ecf831f15 Message-Authenticator = 0x89540286b863857c3664ed55104b225d # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800491a0208004431eae3cd7d62cb47eca74974d095ae9da70000000000000000dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae0050464643555c69732d61646d696e server { PEAP: Setting User-Name to myorg\myuser Sending tunneled request EAP-Message = 0x020800491a0208004431eae3cd7d62cb47eca74974d095ae9da70000000000000000dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae0050464643555c69732d61646d696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "myorg\\myuser" State = 0x151e107415160ab1898b0ca5f8a4a93e server inner-tunnel { # Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 8 length 73 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: myuser [mschap] Told to do MS-CHAPv2 for myuser with NT-Password [mschap] expand: %{Stripped-User-Name} -> myorg\myuser [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=myorg\myuser [mschap] mschap2: 4f [mschap] Creating challenge hash with username: myuser [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82b995da529436e0 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae Exec-Program output: NT_KEY: 1BAAAFEF1E3822F616E15241938525DC Exec-Program-Wait: plaintext: NT_KEY: 1BAAAFEF1E3822F616E15241938525DC Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d36443436343830433435353933413732323439383332373641363141323339374233313539413132 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x151e107414170ab1898b0ca5f8a4a93e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d36443436343830433435353933413732323439383332373641363141323339374233313539413132 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x151e107414170ab1898b0ca5f8a4a93e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 202 to 192.168.999.7 port 4815 EAP-Message = 0x0109004a1900170301003f4f528fe339896d23fe771e1f9f7fe77d6b4d695277a8f1585ff0cf3e256516785532dc7dfd9aaa3c8c7b940757cb6ecbe2d743c5e381501f2ba957eb8ee213 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3a9bdd76a0f8adddfc0e8388 Finished request 18. Going to the next request Waking up in 4.2 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=203, length=249 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3a9bdd76a0f8adddfc0e8388 EAP-Message = 0x0209001d19001703010012c68330f131d90e4af9f81e2a224a8c358e08 Message-Authenticator = 0x3a7b6a277e150a15ef3f5951c1b9c313 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 9 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to myorg\myuser Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "myorg\\myuser" State = 0x151e107414170ab1898b0ca5f8a4a93e server inner-tunnel { # Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc//raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x9e6cb700b77e844276069b269d3c1b37 MS-MPPE-Recv-Key = 0xc82905aec792709a3642047a3d62838d EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "myorg\\myuser" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x9e6cb700b77e844276069b269d3c1b37 MS-MPPE-Recv-Key = 0xc82905aec792709a3642047a3d62838d EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "myorg\\myuser" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 203 to 192.168.999.7 port 4815 EAP-Message = 0x010a00261900170301001b207b604ded7004ba0319fd90d80c86b17cdf338926b80d306d8521 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d92c46b3598dd76a0f8adddfc0e8388 Finished request 19. Going to the next request Waking up in 4.2 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=204, length=258 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "myorg\\myuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x3d92c46b3598dd76a0f8adddfc0e8388 EAP-Message = 0x020a00261900170301001b989382337853c33578978735c0d8632c85d97f0a686d6f3a70597b Message-Authenticator = 0xe244ae36d26ee73331bd16e5a793bd0a # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:26:38 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "myorg\myuser" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc//raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 204 to 192.168.999.7 port 4815 MS-MPPE-Recv-Key = 0xb5a4c3987e6371edff7724448002a092d5ad569107fbabc158e48b9b1fb43373 MS-MPPE-Send-Key = 0xef43cb62397ba7304927b0679072f3289ff3bf10e1ec22b8789fea4d2c608490 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "myorg\\myuser" Finished request 20. Going to the next request Waking up in 4.2 seconds. Cleaning up request 6 ID 190 with timestamp +439 Cleaning up request 7 ID 191 with timestamp +439 Cleaning up request 8 ID 192 with timestamp +439 Cleaning up request 9 ID 193 with timestamp +439 Cleaning up request 10 ID 194 with timestamp +439 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x4f47b7a34b41aeed did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Waking up in 0.2 seconds. Cleaning up request 11 ID 195 with timestamp +439 Cleaning up request 12 ID 196 with timestamp +439 Cleaning up request 13 ID 197 with timestamp +439 Cleaning up request 14 ID 198 with timestamp +439 Waking up in 0.1 seconds. Cleaning up request 15 ID 199 with timestamp +439 Waking up in 0.1 seconds. Cleaning up request 16 ID 200 with timestamp +439 Cleaning up request 17 ID 201 with timestamp +439 Cleaning up request 18 ID 202 with timestamp +439 Cleaning up request 19 ID 203 with timestamp +439 Cleaning up request 20 ID 204 with timestamp +439 Ready to process requests. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=205, length=237 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" EAP-Message = 0x020b001b01686f73742f4c502d303031302e70666663752e6f7267 Message-Authenticator = 0x3f05cfc6636623f2cfe8900c91dd38b5 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:27:04 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 11 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 176 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 205 to 192.168.999.7 port 4815 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaab75260aabb4bbc8e4a8681cc46cd51 Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=206, length=315 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0xaab75260aabb4bbc8e4a8681cc46cd51 EAP-Message = 0x020c005719800000004d16030100480100004403014dac90b3dbf3a100e9cc156249c13486d33b8d5f8cd231a33e07d153b72fb80200001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0xf19c20fbafcc270b34c45415b946fd6b # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:27:04 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 12 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0883], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 206 to 192.168.999.7 port 4815 EAP-Message = 0x010d040019c0000008c0160301002a0200002603014dac9088e0ca376ad4cff92b3b099dccd4c9469795ef1a8703b5201389c5771c0000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066 EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569 EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405 EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8 EAP-Message = 0xcdc08eb134ef355d3f0004c1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaab75260abba4bbc8e4a8681cc46cd51 Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=207, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0xaab75260abba4bbc8e4a8681cc46cd51 EAP-Message = 0x020d00061900 Message-Authenticator = 0x7ba4454596896d7ff8ba0314a9c3d05e # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:27:04 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 13 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 207 to 192.168.999.7 port 4815 EAP-Message = 0x010e03fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530 EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5 EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7 EAP-Message = 0x3c6900c0e5fd63fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaab75260a8b94bbc8e4a8681cc46cd51 Finished request 23. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=208, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0xaab75260a8b94bbc8e4a8681cc46cd51 EAP-Message = 0x020e00061900 Message-Authenticator = 0xc294987d5f65ce57c6fb1a37ba5b158d # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:27:04 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 208 to 192.168.999.7 port 4815 EAP-Message = 0x010f00da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaab75260a9b84bbc8e4a8681cc46cd51 Finished request 24. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=209, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0xaab75260a9b84bbc8e4a8681cc46cd51 EAP-Message = 0x020f00061900 Message-Authenticator = 0x22fb3754a0bb3845bde16f0734b7ff6a # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:27:04 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 15 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 209 to 192.168.999.7 port 4815 EAP-Message = 0x011000061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaab75260aea74bbc8e4a8681cc46cd51 Finished request 25. Going to the next request Waking up in 4.8 seconds. Cleaning up request 21 ID 205 with timestamp +465 Cleaning up request 22 ID 206 with timestamp +465 Cleaning up request 23 ID 207 with timestamp +465 Cleaning up request 24 ID 208 with timestamp +465 Cleaning up request 25 ID 209 with timestamp +465 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xaab75260aea74bbc did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=210, length=237 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" EAP-Message = 0x0201001b01686f73742f4c502d303031302e70666663752e6f7267 Message-Authenticator = 0x7f18b5ce40762fc7ce1336cd53901e5e # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:28:03 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 176 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 210 to 192.168.999.7 port 4815 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fa5dbd85fa7c2ccdff397606527fb6f Finished request 26. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=211, length=315 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x5fa5dbd85fa7c2ccdff397606527fb6f EAP-Message = 0x0202005719800000004d16030100480100004403014dac90edd5d5ae7aeae2db199e6027cd395ca67651fa8010563678a47f88f5de00001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0xdf0705f30f8684c3201167c51a249414 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:28:03 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0883], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 211 to 192.168.999.7 port 4815 EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac90c37120de69c11067791b75cad05959a3ab5ceaf8cc0d64f51ed3f833600000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066 EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569 EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405 EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8 EAP-Message = 0xcdc08eb134ef355d3f0004c1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fa5dbd85ea6c2ccdff397606527fb6f Finished request 27. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=212, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x5fa5dbd85ea6c2ccdff397606527fb6f EAP-Message = 0x020300061900 Message-Authenticator = 0x08975501af22ecabb6af227dd54fd96e # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:28:03 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 212 to 192.168.999.7 port 4815 EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530 EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5 EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7 EAP-Message = 0x3c6900c0e5fd63fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fa5dbd85da1c2ccdff397606527fb6f Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=213, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x5fa5dbd85da1c2ccdff397606527fb6f EAP-Message = 0x020400061900 Message-Authenticator = 0x2879f66153ca0f29f077d7ee441341e6 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:28:03 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 213 to 192.168.999.7 port 4815 EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fa5dbd85ca0c2ccdff397606527fb6f Finished request 29. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=214, length=234 Framed-MTU = 1480 NAS-IP-Address = 192.168.999.7 NAS-Identifier = "myorg-bnew" User-Name = "host/LP-0010.myorg.org" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 61 NAS-Port-Type = Ethernet NAS-Port-Id = "C13" Called-Station-Id = "00-19-bb-a7-7e-43" Calling-Station-Id = "00-1b-78-b5-f7-a0" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" State = 0x5fa5dbd85ca0c2ccdff397606527fb6f EAP-Message = 0x020500061900 Message-Authenticator = 0x3b40bb8b2b7e40c2b99ea8b4202b9c17 # Executing section authorize from file /etc//raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418 [auth_log] expand: %t -> Mon Apr 18 15:28:03 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL [suffix] Found realm "NULL" [suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc//raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 214 to 192.168.999.7 port 4815 EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fa5dbd85ba3c2ccdff397606527fb6f Finished request 30. Going to the next request Waking up in 4.8 seconds. Cleaning up request 26 ID 210 with timestamp +524 Cleaning up request 27 ID 211 with timestamp +524 Cleaning up request 28 ID 212 with timestamp +524 Cleaning up request 29 ID 213 with timestamp +524 Waking up in 0.1 seconds. Cleaning up request 30 ID 214 with timestamp +524 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x5fa5dbd85ba3c2cc did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.
hi, your User-Name is going from a sane value 'host/LP-0010.myorg.org' to just '/LP-0010.myorg.org' - are you playing around with hints? you dont need to remove the host/ part - in fact, messing with the User-Name will cause EAP to break...especially when a windows machine is involved. if you are authing against AD then you actually need to keep the entry as host/LP-0010.myorg.org - the ntlm_auth part should deal with it... the required '$' ending will be there :-) alan
-----Original Message----- From: freeradius-users-bounces+eastb=pffcu.org@lists.freeradius.org [mailto:freeradius-users- bounces+eastb=pffcu.org@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Monday, April 18, 2011 3:54 PM To: FreeRadius users mailing list Subject: Re: The last piece of the puzzle - XP host authentication
hi,
your User-Name is going from a sane value 'host/LP-0010.myorg.org' to just '/LP-0010.myorg.org' - are you playing around with hints? you dont need to remove the host/ part - in fact, messing with the User-Name will cause EAP to break...especially when a windows machine is involved. if you are authing against AD then you actually need to keep the entry as host/LP-0010.myorg.org - the ntlm_auth part should deal with it... the required '$' ending will be there :-)
Right you are, I forgot to back that out from my experimentation: :/etc/raddb# diff hints ../raddb.clean/hints 36d35 < DEFAULT Prefix == "host", Strip-User-Name = Yes You know, looking at other changes I've made I've just realized I need to take a step back. Specifically, I could not get "ntdomain" working, so I had turned on nt_domain_hack. I've turned it back off, so now login/enable authentication is working but port auth is not. I'm going to have to work on that some more. Dammit. -- be XIV: After the year 2015, there will be no airplane crashes. There will be no takeoffs either, because electronics will occupy 100 percent of every airplane's weight. This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.
On 04/18/2011 08:39 PM, East, Bill wrote:
Like the man says, other people are doing it so I know it's not impossible. What seems to be happening from reading the debug is that domain/user requests are coming in using EAP, doing the TLS interchange, then using MSCHAPv2 to verify the credentials. The host requests, on the other hand, do the TLS side but never seem to progress to the mschap portion. I've gone mildly crosseyed reading the debugs but I don't see where it is that I've gone wrong. I'm very new to RADIUS but I've been doing Linux and Windows for a while so I know that this *should* work.
Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
The configuration is: AD 2008 with a Slackware Linux server running the lastest Samba and Kerberos as well as obviously FR. The client is a Windows XP box with the latest service pack. Below is a mildly sanitized copy of radiusd -X with both failed machine logins (LP-0010 is the host) and a successful user (myuser) login.
Couple of points: the debug is actually quite mangled. The indenting has all gone away, making it really hard to follow, and you've chopped the top off where FreeRADIUS starts and prints out the config, meaning some vital info is absent. Also, it only looks sanitised; much of the data you *think* you've removed is actually contained again inside the hex of the EAP-Message packets, so it's basically pointless. If you don't want to reveal sensitive data, create a test user. So given the mangling this is a guess, but as Alan says you're apparently manglnig the usernames, which will definitely break things; but to my eye, it looks like it's failing earlier than that, as the the certificate exchange bit, implying the issue I note above. On the subject of mangling usernames - if you want to deal with all 3 of: domain\user user host/name.domain.com ...you can use the following: %{mschap:User-Name} ...and the mschap module will strip them all into the right form. Specifically, when you configure your ntlm_auth helper line in raddb/modules/mschap, I recommend it read: ntlm_auth = "... --username=%{mschap:User-Name} ..." HTH
-----Original Message----- From: freeradius-users-bounces+eastb=pffcu.org@lists.freeradius.org [mailto:freeradius-users- bounces+eastb=pffcu.org@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Tuesday, April 19, 2011 4:38 AM To: freeradius-users@lists.freeradius.org Subject: Re: The last piece of the puzzle - XP host authentication Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
Bah, I should have known that. It's fixed, now.
The configuration is: AD 2008 with a Slackware Linux server running the lastest Samba and Kerberos as well as obviously FR. The client is a Windows XP box with the latest service pack. Below is a mildly sanitized copy of radiusd -X with both failed machine logins (LP-0010 is the host) and a successful user (myuser) login.
Couple of points: the debug is actually quite mangled. The indenting has all gone away, making it really hard to follow, and you've chopped the top off where FreeRADIUS starts and prints out the config, meaning some vital info is absent.
I shouldn't have clipped the top, if I post a full debug again I'll fix that. As for the formatting, I'm not sure where that's going, I'm copying from putty to gvim and out to Outlook. I know where I'd put my money for making unwanted changes to text, though.
Also, it only looks sanitised; much of the data you *think* you've removed is actually contained again inside the hex of the EAP-Message packets, so it's basically pointless. If you don't want to reveal sensitive data, create a test user.
Makes sense, but at least folks googling for basic information such as my org name won't have it all set out for them on a platter.
So given the mangling this is a guess, but as Alan says you're apparently manglnig the usernames, which will definitely break things; but to my eye, it looks like it's failing earlier than that, as the the certificate exchange bit, implying the issue I note above.
On the subject of mangling usernames - if you want to deal with all 3 of:
domain\user user host/name.domain.com
...you can use the following:
%{mschap:User-Name}
...and the mschap module will strip them all into the right form. Specifically, when you configure your ntlm_auth helper line in raddb/modules/mschap, I recommend it read:
ntlm_auth = "... --username=%{mschap:User-Name} ..."
Aha! This looks highly promising. I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?) [mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password [mschap] expand: %{mschap:User-Name} -> LP-0010$ [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$ [mschap] mschap2: ac [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) I appreciate your help with this This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.
On 19/04/11 14:59, East, Bill wrote:
Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
Bah, I should have known that. It's fixed, now.
Cool
This looks highly promising.
I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?)
[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password [mschap] expand: %{mschap:User-Name} -> LP-0010$ [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$ [mschap] mschap2: ac [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
This all looks right (I have spent a distressing amount of time looking at MS-CHAP blobs this last week)
Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
...but obviously this didn't work. What version of Samba do you have? Some (much) older versions didn't permit machine account login via ntlm_auth.
-----Original Message----- From: freeradius-users-bounces+eastb=pffcu.org@lists.freeradius.org [mailto:freeradius-users- bounces+eastb=pffcu.org@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Tuesday, April 19, 2011 11:15 AM To: freeradius-users@lists.freeradius.org Subject: Re: The last piece of the puzzle - XP host authentication
On 19/04/11 14:59, East, Bill wrote:
Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
Bah, I should have known that. It's fixed, now.
Cool
This looks highly promising.
I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?)
[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password [mschap] expand: %{mschap:User-Name} -> LP-0010$ [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> -- username=LP-0010$ [mschap] mschap2: ac [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] expand: --challenge=%{mschap:Challenge:-00} -> -- challenge=cc01b9d88b911c44 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt- response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
This all looks right (I have spent a distressing amount of time looking at MS-CHAP blobs this last week)
Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
...but obviously this didn't work.
What version of Samba do you have? Some (much) older versions didn't permit machine account login via ntlm_auth.
Latest and greatest, 3.5.8. I'm wondering if this is the "loopback checking" issue from KB896861 and others. Since the hash is for "host/machinename"... I can modify the registry on my domain controller but I'm going to have to wait for our maintenance window to restart the damn thing. This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.
On 04/19/2011 04:41 PM, East, Bill wrote:
-----Original Message----- From: freeradius-users-bounces+eastb=pffcu.org@lists.freeradius.org [mailto:freeradius-users- bounces+eastb=pffcu.org@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Tuesday, April 19, 2011 11:15 AM To: freeradius-users@lists.freeradius.org Subject: Re: The last piece of the puzzle - XP host authentication
On 19/04/11 14:59, East, Bill wrote:
Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
Bah, I should have known that. It's fixed, now.
Cool
This looks highly promising.
I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?)
[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password [mschap] expand: %{mschap:User-Name} -> LP-0010$ [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> -- username=LP-0010$ [mschap] mschap2: ac [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org [mschap] expand: --challenge=%{mschap:Challenge:-00} -> -- challenge=cc01b9d88b911c44 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt- response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
This all looks right (I have spent a distressing amount of time looking at MS-CHAP blobs this last week)
Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
...but obviously this didn't work.
What version of Samba do you have? Some (much) older versions didn't permit machine account login via ntlm_auth.
Latest and greatest, 3.5.8.
I'm wondering if this is the "loopback checking" issue from KB896861 and others. Since the hash is for "host/machinename"... I can modify the registry on my domain controller but I'm going to have to wait for our maintenance window to restart the damn thing.
I doubt that's it. We don't have that problem with machine auth. But maybe it's worth a try. The other alternative is to do something like: smbcontrol winbind debug 10 ...then have a look in /var/log/samba. The debug logs can be very, very chatty but it might give some idea of why the machine account is failing to auth. I guess there's no possibility the machine account password is wrong or out-of-sync? There is an entry in your domain for: samaccountname=LP-0010$ ...that's all valid and correct, right? <rant follows ;o> In fact the mschap response is calculated and checked against host$, and the "real" SAM account name of the machines are host$ - it's never been clear to me, given that, why the machines give their EAP-Identity as host/name.domain.com. It's a dumb thing to do on a number of levels, not least using the machines own (often incorrect) idea of it's DNS name in authentication that typically takes place on a link before IP is active....
participants (3)
-
Alan Buxey -
East, Bill -
Phil Mayers