Hi List, I have set up Freeadius 2.1.10 to authenticate with ldap. I have a cisco switch and using my Mac Laptop to connect. If I try to connect using ldap credentials the authentication fails, though the same credentials work if I use them with radtest on the localhost If I try to connect using a username defined as clear text in the users file, the authentication succeeds. As I understood that ldap will only accept clear text passwords, I am wondering why the radtest succeeds while connecting from the Mac OS fails, is the Mac OS not sending the password in clear text? I appreciate any help understanding this. Wassim C. Zaarour Systems & Network Engineer NavLink (an AT&T Affiliated company) www.navlink.com ³The information contained in this e-mail is confidential. This e-mail is intended only for the stated addressee. If you are not an addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this e-mail. If you have received this e-mail in error, please inform us immediately and delete it and all copies from your system.²
Wassim Zaarour wrote:
If I try to connect using ldap credentials the authentication fails, though the same credentials work if I use them with radtest on the localhost
Read the debug output to see WHY the user is being rejected. This is documented in the FAQ, README, web pages, "man" page, wiki, and daily on this list.
If I try to connect using a username defined as clear text in the users file, the authentication succeeds.
As I understood that ldap will only accept clear text passwords, I am wondering why the radtest succeeds while connecting from the Mac OS fails, is the Mac OS not sending the password in clear text?
Read the debug output. Alan DeKok.
Thanks Alan, I have read what you mentioned, still can't figure it out, I guess the important part in the debug is: ERROR: No Authenticate method (Auth-Type) found for the request: Rejecting the user I configured the MAC OS TTLS/CHAP (earlier I tried TTLS/EAP and still it doesn't work) I don't understand, the username and password are being supplied and read in clear text and the binding is successful, why the reject ? Wassim C. Zaarour Systems & Network Engineer On 4/19/12 3:08 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Wassim Zaarour wrote:
If I try to connect using ldap credentials the authentication fails, though the same credentials work if I use them with radtest on the localhost
Read the debug output to see WHY the user is being rejected. This is documented in the FAQ, README, web pages, "man" page, wiki, and daily on this list.
If I try to connect using a username defined as clear text in the users file, the authentication succeeds.
As I understood that ldap will only accept clear text passwords, I am wondering why the radtest succeeds while connecting from the Mac OS fails, is the Mac OS not sending the password in clear text?
Read the debug output.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I have read what you mentioned, still can't figure it out, I guess the important part in the debug is:
ERROR: No Authenticate method (Auth-Type) found for the request: Rejecting the user
yes but we arent mind readers.....the question will be 'why is no auth type found?' and the answer will be in your debug logs.....for some reason you are not sending those to the list...so we are playing 'guess in the dark' - if you want help, then help us alan
On 4/19/12 3:31 PM, "alan buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I have read what you mentioned, still can't figure it out, I guess the important part in the debug is:
ERROR: No Authenticate method (Auth-Type) found for the request: Rejecting the user
yes but we arent mind readers.....the question will be 'why is no auth type found?' and the answer will be in your debug logs.....for some reason you are not sending those to the list...so we are playing 'guess in the dark' - if you want help, then help us
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, and thanks for your reply, I don't want to paste the output here coz its large, should I attach it or paste here anyways or?? Wassim.
Wassim Zaarour wrote:
Hi Alan, and thanks for your reply, I don't want to paste the output here coz its large, should I attach it or paste here anyways or??
You can follow instructions, or you can be unsubscribed and banned from the list. When we ask for the debug log TWICE, the response shouldn't be "should I post it?" The response SHOULD be to post it. Just like everyone else does. Daily on this list. Alan DeKok.
On 4/19/12 4:18 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Wassim Zaarour wrote:
Hi Alan, and thanks for your reply, I don't want to paste the output here coz its large, should I attach it or paste here anyways or??
You can follow instructions, or you can be unsubscribed and banned from the list.
When we ask for the debug log TWICE, the response shouldn't be "should I post it?" The response SHOULD be to post it.
Just like everyone else does.
Daily on this list.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Below the output of radiusd -X Appreciate the help. FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jul 19 2011 at 1 0:16:18 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.8 { require_message_authenticator = no secret = "testing123" shortname = "localhost" } client 192.168.0.0/22 { require_message_authenticator = no secret = "testing123" shortname = "private-network-1" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expirati on expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/m odules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "192.168.1.40" port = 389 password = "Hayalla5" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=navbey.com, dc=navbey,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-U serDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Ne twork rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group- Id conns: 0x134f7b8 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preproce ss preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_un ique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NA S-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d " header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/r addb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=211, length= 119 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000701706b Message-Authenticator = 0x9ae593aebf9c52b1e02301b1b14ad375 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.40:389, authentication 0 [ldap] bind as /Hayalla5 to 192.168.1.40:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=p k) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 211 to 192.168.1.8 port 1645 EAP-Message = 0x01010016041079a9375f2ecae9fbad432dffd46c8a70 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488505d64c198fb22dc79c936aef Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=212, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488505d64c198fb22dc79c936aef EAP-Message = 0x020100060315 Message-Authenticator = 0xfce1c51f41d8a8841a47d753a647b272 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=p k) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 212 to 192.168.1.8 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488504d55d198fb22dc79c936aef Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=213, length= 294 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488504d55d198fb22dc79c936aef EAP-Message = 0x020200a415800000009a16030100950100009103014f901334c909cf 125f752b6d60c7ab2cd4506453387a9225c1a27ad315372805000056c00ac009c007c008c01 3c014 c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000 60032 0033003800390016001500140013001200110034003a0018001b001a0017001900010100001 2000a 00080006001700180019000b00020100 Message-Authenticator = 0x2b8b499cccf5cdd88941980aaef40146 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 085e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 213 to 192.168.1.8 port 1645 EAP-Message = 0x0103040015c00000089b160301002a0200002603014f9013280467e2 a9849b1aaca60adb81e33c1f390e8934f4d18cf1902014402700002f00160301085e0b00085 a0008 570003a6308203a23082028aa003020102020101300d06092a864886f70d010105050030819 3310b 3009060355040613024652310f300d060355040813065261646975733112301006035504071 30953 6f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092 a8648 86f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457 8616d 706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3132303431393035323632305a170d313230363138303532 3632305a307c310b3009060355040613024652310f300d06035504081306526164697573311 53013 060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652 05365 727665722043657274696669636174653120301e06092a864886f70d010901161161646d696 e4065 78616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010 a0282 010100d8e5bb5cefd0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b 8cb43 4aac77b625bb7610ea5eafdcba502cc3c094f74c16743d6ec1 EAP-Message = 0x6f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25 fd7f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720 c659f 959cb04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b 6867a f343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d582403 fcf5d d9d5403fca88bb28eaec1cddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bc be428 ceb75995cd2b0203010001a317301530130603551d25040c300a06082b06010505070301300 d0609 2a864886f70d010105050003820101009e6cc83de144237e09 EAP-Message = 0xce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738 541642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416c ddda6 1f48137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b 54074 00d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1ae 391b9 5968c7ac2563f4f578a0dbee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a 04f82 29c7fc1736cf8ee216f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f 699c8 43af9d57a10bc1a4a3d57bc470785d8736c7860004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488507d45d198fb22dc79c936aef Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=214, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488507d45d198fb22dc79c936aef EAP-Message = 0x020300061500 Message-Authenticator = 0xe77fe59ab7d1664be0a0eac58fc242d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 214 to 192.168.1.8 port 1645 EAP-Message = 0x0104040015c00000089b00bcccc1285b561d81300d06092a864886f7 0d0101050500308193310b3009060355040613024652310f300d06035504081306526164697 57331 12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c652 0496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312 63024 0603550403131d4578616d706c6520436572746966696361746520417574686f72697479301 e170d 3132303431393035323632305a170d3132303631383035323632305a308193310b300906035 50406 13024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c45 78616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616 d706c 652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417 57468 6f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010 0c200 0de5769708aa73a3affa3ae2581583c4882e26f16a18d443e29db8316192c28b219cbb09705 95267 63db5440029da5f07038fb6a904f36e3a41dc25ee2d693730072613aaff090fd98e30623969 bc0d4 3527de8a6e60ecbcfa6672df1f278419f652471cc787c882a1 EAP-Message = 0x34970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a4 6f6c4c68f2db00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599 78238 8b5a5b5a10f961d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fd e55ea e7f450bca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed47 9cb33 690203010001a381fb3081f8301d0603551d0e0416041410d684dcfea11dfdc1bb500b75937 3530a a6d64b3081c80603551d230481c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d 64ba1 8199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65 776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a86488 6f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d7 06c65 20436572746966696361746520417574686f72697479820900bcccc1285b561d81300c06035 51d13 040530030101ff300d06092a864886f70d010105050003820101002d0d028da27788c0e5d36 23cdb 4cf11f09216955fe7493bfa233ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8 b3577 6bc61c9acab1408bc31daf3cf0f27d531819b600d3ca7a7c33 EAP-Message = 0xf4b1017102971b6ff4eedeea Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488506d35d198fb22dc79c936aef Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=215, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488506d35d198fb22dc79c936aef EAP-Message = 0x020400061500 Message-Authenticator = 0xc8fc232e0ecdd2755b3a06eb17b5161e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 215 to 192.168.1.8 port 1645 EAP-Message = 0x010500b915800000089b77cbd7b846662c36009c223bb1dab20d1956 c65d6dfdd68e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d 29cb0 810ff8a278d32154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6 d92c8 772b862711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d732733 73be4 17324e2b8696ff3d6cb180e1619343b8bf9d39a193cf49a3f008a74e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488501d25d198fb22dc79c936aef Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=216, length= 468 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488501d25d198fb22dc79c936aef EAP-Message = 0x02050150158000000146160301010610000102010072c5fede7f2e7b 230c06cbaa9d64a82ab40b8f1c00f4eb185fd65ac9b5a5aa77f01f72a924b1c0d64299b8b4c 6f1e6 00315be72327a9309c2c09facb390a9a5152a5a54bb9d70da4bb4a8fff41ee237aebcc66fc1 35060 b52f2ae59e0c7f24145b8a5f9bb835e34cca66ec73caf9d6c846606bee9982f48f3152ba97b d60b8 892409fb4c8705c77cb12e0a49e833a64dfc75dd46720b8d01c58c412f7757fecc911837a30 97e2f edfefd010b380fd1ea933172ffb9b622f31291bcb0ffb3bdc07e7cfd89062c3561ac7a426dc c6c6c 321e728572e43e8c6583a7ed9bdb3f0b77768bc3fab2b362b0 EAP-Message = 0x60c40751cbfa2ce5489cb51da39f2bcde8809cc090d288a814030100 01011603010030a88137a19eb3de41455b95e6cf888d69cfefcdc25a9107413546a9d655282 16b90 1dbf1ffbca796cea189c3be7a33fcb Message-Authenticator = 0x79b14a1f2282941539c8ad3f77eedf74 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 216 to 192.168.1.8 port 1645 EAP-Message = 0x0106004515800000003b1403010001011603010030d036b958b86f93 12a5340cdc63b90eef649553da5f9186dac246185953519a52464d9f3ec98641caa8a9b66c6 baae4 e4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488500d15d198fb22dc79c936aef Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=217, length= 209 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488500d15d198fb22dc79c936aef EAP-Message = 0x0206004f1580000000451703010040b8ec8ac0db69d05575e41855e4 21b91d518d37f9e86e6d54eec8adac3b5ffb88509ff9ede906d8207dff83440fb7937501f9b 3c9bb 4bf91e4947a7fd59ba4a59 Message-Authenticator = 0xa6f6070865d2788011b84396377516fa # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 79 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 69 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "pk" User-Password = "pascal" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "pk" User-Password = "pascal" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the u ser Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> pk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 217 to 192.168.1.8 port 1645 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 211 with timestamp +41 Cleaning up request 1 ID 212 with timestamp +41 Cleaning up request 2 ID 213 with timestamp +41 Cleaning up request 3 ID 214 with timestamp +41 Cleaning up request 4 ID 215 with timestamp +41 Cleaning up request 5 ID 216 with timestamp +41 Waking up in 1.0 seconds. Cleaning up request 6 ID 217 with timestamp +41 Ready to process requests.
hi, quick look seems to show that you dont have a suitable authorise section in the inner tunnel. the tunnel gets started...your client rejects the default md5 the server sent - and EAP-TTLS gets done...the username/password gets sent but has nothing to go against.... so I suggest you add 'ldap' to the inner-tunnel virtual server (in same way that ldap and LDAP are defined in default server...) alan
Thanks Alan, it worked like a charm!! But it worked using TTLS/PAP, now Windows OS natively supports PEAP, and when I tried it with TTLS/PEAP it didn't authenticate and gave the following debug: I guess from the below what's important is this section . . . [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: pk [mschap] Told to do MS-CHAPv2 for pk with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect . . . Is there a way to configure radius to accept TTLS/PEAP and authenticate with LDAP? Below the full debug log. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=232, length=139 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001101686f73742f4c61702d546f70 Message-Authenticator = 0x393e8f392e9902b158ed1424675efc19 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/Lap-Top [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> host/Lap-Top [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.40:389, authentication 0 [ldap] bind as /Hayalla5 to 192.168.1.40:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 232 to 192.168.1.8 port 1645 EAP-Message = 0x010100160410fccd1139019e6857ddd78da6b684af3c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd99dee93d99ceace8e5305bc8fdf726b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=233, length=146 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd99dee93d99ceace8e5305bc8fdf726b EAP-Message = 0x020100060319 Message-Authenticator = 0x80eabf367e08a9bd587fcbf4d36a0003 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/Lap-Top [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> host/Lap-Top [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 233 to 192.168.1.8 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd99dee93d89ff7ce8e5305bc8fdf726b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=234, length=261 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd99dee93d89ff7ce8e5305bc8fdf726b EAP-Message = 0x0202007919800000006f160301006a0100006603014f90e7644c403354e4e4b15decc0aeb b536d3363eb37876a26f4c3f9b77cb88c000018002f00350005000ac013c014c009c00a0032 003800 13000401000025ff010001000000000c000a0000076c61702d746f70000a000600040017001 8000b00020100 Message-Authenticator = 0xe4a963411850e8b5b37ab847329b06c6 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 121 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 111 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 234 to 192.168.1.8 port 1645 EAP-Message = 0x0103040019c0000008a216030100310200002d03014f90e754c928c34ff5dbd357df6597e a5e1d524fde068ccc2df5d94c9206ecde00002f000005ff01000100160301085e0b00085a00 085700 03a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310 b3009060355040613024652310f300d06035504081306526164697573311230100603550407 1309536f6d657768657265311530 13060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01090116116 1646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365 727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3132303431393035323632305a170d313230363138303532363 2305a307c310b3009060355040613024652310f300d06035504081306526164697573311530 130603 55040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c6520536 5727665722043657274696669636174653120301e06092a864886f70d010901161161646d69 6e406578616d706c652e636f6d30 820122300d06092a864886f70d01010105000382010f003082010a0282010100d8e5bb5cefd 0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b8cb434aac77b625bb 7610ea5eafdcba502cc3c094 EAP-Message = 0xf74c16743d6ec16f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25fd7 f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720c65 9f959c b04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b6867 af343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d58240 3fcf5dd9d5403fca88bb28eaec1c ddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bcbe428ceb75995cd2b02030 10001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d 010105050003820101009e6c EAP-Message = 0xc83de144237e09ce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738541 642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416cddd a61f48 137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b5407 400d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1a e391b95968c7ac2563f4f578a0db ee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a04f8229c7fc1736cf8ee21 6f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f699c843af9d57a10b c1a4a3d57bc470785d8736c7 EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd99dee93db9ef7ce8e5305bc8fdf726b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=235, length=146 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd99dee93db9ef7ce8e5305bc8fdf726b EAP-Message = 0x020300061900 Message-Authenticator = 0xbae3ed10c923140fa6dfcfb1231cd7bf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 235 to 192.168.1.8 port 1645 EAP-Message = 0x010403fc1940a003020102020900bcccc1285b561d81300d06092a864886f70d010105050 0308193310b3009060355040613024652310f300d0603550408130652616469757331123010 060355 04071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e312 0301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520 436572746966696361746520417574686f72697479301e170d3132303431393035323632305 a170d3132303631383035323632305a308193310b3009060355040613024652310f300d0603 550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6 520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e63 6f6d31 2630240603550403131d4578616d706c6520436572746966696361746520417574686f72697 47930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2000d e5769708aa73a3affa3ae2581583 c4882e26f16a18d443e29db8316192c28b219cbb097059526763db5440029da5f07038fb6a9 04f36e3a41dc25ee2d693730072613aaff090fd98e30623969bc0d43527de8a6e60ecbcfa66 72df1f278419f652471cc787 EAP-Message = 0xc882a134970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a46f6c4c68f2d b00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599782388b5a5b 5a10f9 61d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fde55eae7f450b ca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed479cb3369 0203010001a381fb3081f8301d06 03551d0e0416041410d684dcfea11dfdc1bb500b759373530aa6d64b3081c80603551d23048 1c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d64ba18199a48196308193310b 300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d6577686572653 1153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901 161161 646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657 2746966696361746520417574686f72697479820900bcccc1285b561d81300c0603551d1304 0530030101ff300d06092a864886 f70d010105050003820101002d0d028da27788c0e5d3623cdb4cf11f09216955fe7493bfa23 3ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8b35776bc61c9acab1408bc31d af3cf0f27d531819b600d3ca EAP-Message = 0x7a7c33f4b1017102 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd99dee93da99f7ce8e5305bc8fdf726b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=236, length=146 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd99dee93da99f7ce8e5305bc8fdf726b EAP-Message = 0x020400061900 Message-Authenticator = 0xe12b82e1fc8c5ed35f4f3591f8f09111 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 236 to 192.168.1.8 port 1645 EAP-Message = 0x010500bc1900971b6ff4eedeea77cbd7b846662c36009c223bb1dab20d1956c65d6dfdd68 e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d29cb0810ff8 a278d3 2154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6d92c8772b862 711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d73273373be417 324e2b8696ff3d6cb180e1619343 b8bf9d39a193cf49a3f008a74e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd99dee93dd98f7ce8e5305bc8fdf726b Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=237, length=157 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "host/Lap-Top" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd99dee93dd98f7ce8e5305bc8fdf726b EAP-Message = 0x0205001119800000000715030100020230 Message-Authenticator = 0x5ce3a9de35758d1c75450df5daaf1374 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/Lap-Top attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 237 to 192.168.1.8 port 1645 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. Cleaning up request 0 ID 232 with timestamp +33 Cleaning up request 1 ID 233 with timestamp +33 Cleaning up request 2 ID 234 with timestamp +33 Cleaning up request 3 ID 235 with timestamp +34 Cleaning up request 4 ID 236 with timestamp +34 Waking up in 1.2 seconds. Cleaning up request 5 ID 237 with timestamp +34 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=238, length=119 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000701706b Message-Authenticator = 0x8172bc6808678b8cc0050e18f292be5b # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 238 to 192.168.1.8 port 1645 EAP-Message = 0x0101001604105907cf652b105257755a0a71aead1043 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2df67a38e0e7c49ccf0790122 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=239, length=136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2df67a38e0e7c49ccf0790122 EAP-Message = 0x020100060319 Message-Authenticator = 0x9e38985bc9352abd749655cef48fcabb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 239 to 192.168.1.8 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2de64be8e0e7c49ccf0790122 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=240, length=246 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2de64be8e0e7c49ccf0790122 EAP-Message = 0x0202007419800000006a16030100650100006103014f90e7b4d18bbe342796756b5150e42 2b34b841225b5fbf93254c2ea5f700171000018002f00350005000ac013c014c009c00a0032 003800 13000401000020ff01000100000000070005000002706b000a0006000400170018000b00020 100 Message-Authenticator = 0x83714ddb4c574e351f7e9852ebdf8365 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 116 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 106 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0065], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 240 to 192.168.1.8 port 1645 EAP-Message = 0x0103040019c0000008a216030100310200002d03014f90e7a5e170c65318f315262fbacc1 b091ef134223260cf2d9000702878462600002f000005ff01000100160301085e0b00085a00 085700 03a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310 b3009060355040613024652310f300d06035504081306526164697573311230100603550407 1309536f6d657768657265311530 13060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01090116116 1646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365 727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3132303431393035323632305a170d313230363138303532363 2305a307c310b3009060355040613024652310f300d06035504081306526164697573311530 130603 55040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c6520536 5727665722043657274696669636174653120301e06092a864886f70d010901161161646d69 6e406578616d706c652e636f6d30 820122300d06092a864886f70d01010105000382010f003082010a0282010100d8e5bb5cefd 0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b8cb434aac77b625bb 7610ea5eafdcba502cc3c094 EAP-Message = 0xf74c16743d6ec16f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25fd7 f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720c65 9f959c b04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b6867 af343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d58240 3fcf5dd9d5403fca88bb28eaec1c ddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bcbe428ceb75995cd2b02030 10001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d 010105050003820101009e6c EAP-Message = 0xc83de144237e09ce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738541 642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416cddd a61f48 137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b5407 400d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1a e391b95968c7ac2563f4f578a0db ee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a04f8229c7fc1736cf8ee21 6f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f699c843af9d57a10b c1a4a3d57bc470785d8736c7 EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2dd65be8e0e7c49ccf0790122 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=241, length=136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2dd65be8e0e7c49ccf0790122 EAP-Message = 0x020300061900 Message-Authenticator = 0x6d071271e3593761fab43b275fc890cf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 241 to 192.168.1.8 port 1645 EAP-Message = 0x010403fc1940a003020102020900bcccc1285b561d81300d06092a864886f70d010105050 0308193310b3009060355040613024652310f300d0603550408130652616469757331123010 060355 04071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e312 0301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520 436572746966696361746520417574686f72697479301e170d3132303431393035323632305 a170d3132303631383035323632305a308193310b3009060355040613024652310f300d0603 550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6 520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e63 6f6d31 2630240603550403131d4578616d706c6520436572746966696361746520417574686f72697 47930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2000d e5769708aa73a3affa3ae2581583 c4882e26f16a18d443e29db8316192c28b219cbb097059526763db5440029da5f07038fb6a9 04f36e3a41dc25ee2d693730072613aaff090fd98e30623969bc0d43527de8a6e60ecbcfa66 72df1f278419f652471cc787 EAP-Message = 0xc882a134970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a46f6c4c68f2d b00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599782388b5a5b 5a10f9 61d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fde55eae7f450b ca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed479cb3369 0203010001a381fb3081f8301d06 03551d0e0416041410d684dcfea11dfdc1bb500b759373530aa6d64b3081c80603551d23048 1c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d64ba18199a48196308193310b 300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d6577686572653 1153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901 161161 646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657 2746966696361746520417574686f72697479820900bcccc1285b561d81300c0603551d1304 0530030101ff300d06092a864886 f70d010105050003820101002d0d028da27788c0e5d3623cdb4cf11f09216955fe7493bfa23 3ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8b35776bc61c9acab1408bc31d af3cf0f27d531819b600d3ca EAP-Message = 0x7a7c33f4b1017102 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2dc62be8e0e7c49ccf0790122 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=242, length=136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2dc62be8e0e7c49ccf0790122 EAP-Message = 0x020400061900 Message-Authenticator = 0x406d4a98563e0a8815fc113633dc3e8a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 242 to 192.168.1.8 port 1645 EAP-Message = 0x010500bc1900971b6ff4eedeea77cbd7b846662c36009c223bb1dab20d1956c65d6dfdd68 e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d29cb0810ff8 a278d3 2154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6d92c8772b862 711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d73273373be417 324e2b8696ff3d6cb180e1619343 b8bf9d39a193cf49a3f008a74e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2db63be8e0e7c49ccf0790122 Finished request 10. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=243, length=468 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2db63be8e0e7c49ccf0790122 EAP-Message = 0x0205015019800000014616030101061000010201007ca92d4c46976b1b4221150302f3368 a83dc071c73eba660f726d5994829e44d05a151ec815b381e2f1eb51e1d7e81f8ac2a797d58 f37c72 a5d30c39f58e74bf270c9e620ca368a702cea648d9a6c858e1bc8f9be8157e00b757e33e7b1 ea20b39cf66fb4fbedaafc981939713c44fc8b997419eb479dff20f0eccb3079e7751e9153a c83d88bba33099f97c582edbc478 1d7f0639d32724524792b4d70ba65ac425016a23804a6df38154970bd73bc17932b394e1328 8de5e45c576d857438404c58e5db2a2665655983c6ad2be802d7429661f6cc331e4184efa28 9cdfa6fff8cd4b32ffcab948 EAP-Message = 0xd35111c89e339e4eb688cec3322076273345f6fd6c1060c51403010001011603010030260 8671e3f152141c25ed7c1fd386d33f3c6c2616d85f988fe98201fd0e76195009450561f33db 115953 d9cc0e0c6aad Message-Authenticator = 0xeddc39b94b6c9df9fa14274a3bd8d18c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 243 to 192.168.1.8 port 1645 EAP-Message = 0x010600411900140301000101160301003054457c3f14edfe37c380b20c93886c1ff0b063a 823224547618117156a0e9bdc597726c7d28ae5d8de455329b1dca06b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2da60be8e0e7c49ccf0790122 Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=244, length=136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2da60be8e0e7c49ccf0790122 EAP-Message = 0x020600061900 Message-Authenticator = 0x90ac28f0fcfd4d8b13135d7b4f586f9d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 244 to 192.168.1.8 port 1645 EAP-Message = 0x0107002b19001703010020ef133c0aa7b038aca4ed631f4b2195d48ef9178b0563bcfa3bb a8e9949cfed99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2d961be8e0e7c49ccf0790122 Finished request 12. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=245, length=173 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2d961be8e0e7c49ccf0790122 EAP-Message = 0x0207002b190017030100207a7bde6894f97bb470bde13772156dcb004886d42b2d42e6313 4dea574c74e6d Message-Authenticator = 0x4b4eecc47353757ee17f773ad9151172 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - pk [peap] Got inner identity 'pk' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000701706b server { PEAP: Setting User-Name to pk Sending tunneled request EAP-Message = 0x0207000701706b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pk" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfa04815cfa85281f6375487a35aa0b0 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfa04815cfa85281f6375487a35aa0b0 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 245 to 192.168.1.8 port 1645 EAP-Message = 0x0108003b19001703010030f42bf53d46e5731b25dc206513c583ac3c3f439bde0a89c3c8d 00aefc27a0b56ce72596f7e08f227542c95bc96cbb520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122 Finished request 13. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=246, length=221 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122 EAP-Message = 0x0208005b1900170301005066c6dfd96844df1f54b9abd2cb5769f2ab008a7117dd2ba5c82 3dde826c56926114583d0721d7abf1eae649c62b3925c5dbaac9771b10b03d03b35615f53e7 6e20ca 99343df8e9867526f5826bcb5245 Message-Authenticator = 0x7b7a7a7f5055b2806626ed1c0e64a965 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d46 9509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b server { PEAP: Setting User-Name to pk Sending tunneled request EAP-Message = 0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d46 9509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pk" State = 0xcfa04815cfa85281f6375487a35aa0b0 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 61 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: pk [mschap] Told to do MS-CHAPv2 for pk with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 246 to 192.168.1.8 port 1645 EAP-Message = 0x0109002b190017030100209b7b6546ac7dd0c6de4ab8352452dc4d5e0ef2a8fa9e346d035 d54f42f5e5617 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122 Finished request 14. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=247, length=173 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122 EAP-Message = 0x0209002b19001703010020fdaefbe1bb82e8c918f2aea95051b6bcec4ded07a5388605472 7c83dd0233c9c Message-Authenticator = 0xeb10297e4e0ef47e8c1e7ba7c083ca48 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> pk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request On 4/19/12 6:53 PM, "alan buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
quick look seems to show that you dont have a suitable authorise section in the inner tunnel.
the tunnel gets started...your client rejects the default md5 the server sent - and EAP-TTLS gets done...the username/password gets sent but has nothing to go against.... so I suggest you add
'ldap' to the inner-tunnel virtual server (in same way that ldap and LDAP are defined in default server...)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
alan buxey -
Alan DeKok -
Wassim Zaarour