falling back to local auth and not ads
My freeradius server seems to be falling back to local authentication rather than piping it out to our ADS server. If I create a local user on the radius box authentication is successful. Can anyone please help with this? All relevant info I can think of is below. Samba connection works fine, I've joined the linux box (red hat 6.2) to the domain. Kinit connection runs fine. Edited Testparm results are: Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = workgroup realm = INTERNAL.DOMAIN.CO.UK server string = server01 interfaces = 10.1.3.9/24 security = ADS client NTLMv2 auth = Yes log level = 1 winbind:5 auth:3 load printers = No idmap uid = 10000-45000 idmap gid = 10000-45000 winbind use default domain = Yes cups options = raw net ads lookup dcs shows a domain controller chgrp radiusd /var/lib/samba/winbindd_privileged/ has been run ntlm_auth -username give result: NT_STATUS_OK: Success (0x0) cropped debug output: Ready to process requests. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=50, length=152 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000c01736d3138383138 Message-Authenticator = 0xa49f7bb9beab7a89b485841f3a600993 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Ethernet rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Calling-Station-Id = 00-24-54-42-86-04 rlm_perl: Added pair Called-Station-Id = 00-16-47-F7-32-41 rlm_perl: Added pair Cisco-NAS-Port = FastEthernet0/1 rlm_perl: Added pair Message-Authenticator = 0xa49f7bb9beab7a89b485841f3a600993 rlm_perl: Added pair User-Name = sm18818 rlm_perl: Added pair EAP-Message = 0x0200000c01736d3138383138 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.1.1.22 rlm_perl: Added pair NAS-Port = 50001 rlm_perl: Added pair Framed-MTU = 1500 rlm_perl: Added pair Auth-Type = EAP ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 50 to 10.1.1.22 port 1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17c7ddd7defb2c24478e29151 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=51, length=263 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a17c7ddd7defb2c24478e29151 EAP-Message = 0x0201006919800000005f160301005a0100005603014f9017be440f4cbc99f67ffe587f648545f74cc832daa9e43857f7ce7ac48e42000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 Message-Authenticator = 0xaae583362e9a580324ffe1459a30e524 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 1 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0419], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 51 to 10.1.1.22 port 1812 EAP-Message = 0x0102040019c00000045d16030100310200002d03014f90179057e896056f57af82c6f54e60041737802441091408cb5086b96cb93500002f000005ff0100010016030104190b00041500041200040f3082040b308202f3a0030201020209008457e87e4346de7f300d06092a864886f70d010105050030819b310b30090603550406130247423110300e06035504080c07436172646966663110300e06035504070c074361726469666631283026060355040a0c1f43617264696666204d6574726f706f6c6974616e20556e697665727369747931293027060355040b0c204c69627261727920616e6420496e666f726d6174696f6e20536572766963 EAP-Message = 0x65733113301106035504030c0a68616c6c736e61633031301e170d3132303431363138303930385a170d3133303431363138303930385a30819b310b30090603550406130247423110300e06035504080c07436172646966663110300e06035504070c074361726469666631283026060355040a0c1f43617264696666204d6574726f706f6c6974616e20556e697665727369747931293027060355040b0c204c69627261727920616e6420496e666f726d6174696f6e2053657276696365733113301106035504030c0a68616c6c736e6163303130820122300d06092a864886f70d01010105000382010f003082010a0282010100be9c9265f0fd69 EAP-Message = 0x36b44a273f0b3bf8aafa36904d3dec8d392bc1bc9d52c73cd83c34fc418e4ae116847ed462411d54e7f78d586e53c05e5a59a08327cdafdebd2d06fe22a08ffabab004fefdde1b2b005a2d17c114b5b262122f8ff5d3ae89b2b3debd83a134a3c504f57c0e46cdc201d51b343a8243167b95478d92c2b2289e6516219bda5daf1b64d2599512f41a35cc1cb749cecc637e905880e7794ae637e1f52bc9d62e8a73444ffe0e164888574d9afdb7ab3ee30c09296a6d299337796d36644d00f6a5725ff2e05381d12ba1fdd37075cd56a6b7e13e51d671aaa3aacf6f0cbf7f0f90e75e22369e426c2a530ab0abb6162582d6b3ec4adeb354e53102030100 EAP-Message = 0x01a350304e301d0603551d0e041604146cb125f0ea10521b328b7ae014a2680c058ca7bc301f0603551d230418301680146cb125f0ea10521b328b7ae014a2680c058ca7bc300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010084c2453f7ee7c9659c6278e51bdcda9489b9df1721271447e78c69ea94edf9a1c90a83fd14af61ced01dfe7a931363afcd4bf2ad4c563bd5200454356c3973f8233f6ebc5a8e8fec1cdfc7a46b317ec65a5b105c644b81d435480a8386267d9975db81f918a400fe1fea57f82219834c44288970bf3b5ff40ce9089dc99e432d706e765e204fab9cbc7a6dfa88c793788441371df26d EAP-Message = 0x1966ce6ceb1e56b79c80e9ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17d7edd7defb2c24478e29151 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=52, length=164 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a17d7edd7defb2c24478e29151 EAP-Message = 0x020200061900 Message-Authenticator = 0x7e4e96be86285da30bea39583ab60700 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 52 to 10.1.1.22 port 1812 EAP-Message = 0x0103006d1900ae27f7c48f8dcf1d47327fc08f9f1a9a004fd376c1a4c491331b2e554c6458a40bebde6444da9b525372d9c44920937aa26393222d460bc64bd1d007021531016d5d96796972e15d25eced794837a6d77d98a5d1b7b3c128d3c895de9e9e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17e7fdd7defb2c24478e29151 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=53, length=496 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a17e7fdd7defb2c24478e29151 EAP-Message = 0x0203015019800000014616030101061000010201004c7788a8a2f60c69bf9dd1c9a0a777de1a7b45ffc7efaded554f9ae7daa57bed28006e3af36fb6e48e325bba393c7ed30f62ee242f8bca8584f3982bf43879642f227025425044a0061a487781d4243d9b731719172f21056fba514a7ffe85becb7d4870d2d7b00940113a9a4a47bdbc087223f615f6643f9fee1c07f4c7b8ce849b605cf2d6e945295161f02014a91b90c95ae5419079252793bf3e1578e9d4a9891a73554201221bccfcbbecf2b658344db323b32aed8c7a74057abc15d8aa5edb9c3dd6cfd20de84639ebaa5bb1e78bfbf02d19cd2ca596e0a72bf4612f9a58c681473dbee4f5 EAP-Message = 0xd6d80708035534d6f9a4a296d5f67a220426e485c4796430140301000101160301003086ff2b333a990ad6876caba4e9b6f806f8a437681f6db738596d4c80963e7941f7016f3bf845cd94fb15f5f5c5fe452f Message-Authenticator = 0x21930395cd5e71160ca4bf8c1125df8e server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 53 to 10.1.1.22 port 1812 EAP-Message = 0x01040041190014030100010116030100301a7416c5a68d27374ed4739350a51eae93d8baede52b057347c665cabff9410f7dab4d72795b54891b15e6ed2dd0d780 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17f78dd7defb2c24478e29151 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=54, length=164 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a17f78dd7defb2c24478e29151 EAP-Message = 0x020400061900 Message-Authenticator = 0x7f354427c0059d1a5fc0a89e7fac88f1 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 54 to 10.1.1.22 port 1812 EAP-Message = 0x0105002b190017030100207698c92d6973a15e192ae19cecef7a29e6ccd5f32f64f713e4f5497216d6f371 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17879dd7defb2c24478e29151 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=55, length=201 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a17879dd7defb2c24478e29151 EAP-Message = 0x0205002b1900170301002095f189b1ea8c30d31387e9a79add21fc2b07b4e7e86205b38772a041b99a6b00 Message-Authenticator = 0x3fa49fa72ae68063e5edc7c76c1a23c5 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - sm18818 [peap] Got inner identity 'sm18818' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000c01736d3138383138 server packetfence { [peap] Setting User-Name to sm18818 Sending tunneled request EAP-Message = 0x0205000c01736d3138383138 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sm18818" NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server packetfence-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010600211a0106001c10b6f046e50b7952e6e797acb2dcd7b773736d3138383138 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9920660299267c474e5f7c2e3011a1e5 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600211a0106001c10b6f046e50b7952e6e797acb2dcd7b773736d3138383138 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9920660299267c474e5f7c2e3011a1e5 [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 55 to 10.1.1.22 port 1812 EAP-Message = 0x0106004b190017030100404ae4ff24a485244baabe8642914ae553c53877050c4ac566f444c764f938c4bbb924e13de5c7f90c50d5d89d5e0322b2f7e54eec93a9b6ef170863282b669f90 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a1797add7defb2c24478e29151 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.1.22 port 1812, id=56, length=265 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet User-Name = "sm18818" Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 State = 0x7c7cc4a1797add7defb2c24478e29151 EAP-Message = 0x0206006b1900170301006024a871b68d472e9b2fb927c48ee8eec1927e26d0c995f1d33b245e2aaedf10d0850fe337c1fbeca10935879e64a3ca65c75159b07b567d9bca49128ad5d4abe9c7069dcb9c32575274cd9e383e7c4b93dd49018d352297f3253b5831d997b660 Message-Authenticator = 0x19cf5c1dc655bdbc50918cb01e71cfd0 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 6 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600421a0206003d31b49f7150ff84c15725200ff871377c240000000000000000b1ce20b6cca5c3e86e219ec24aef13ee2e4c12825e87e18a00736d3138383138 server packetfence { [peap] Setting User-Name to sm18818 Sending tunneled request EAP-Message = 0x020600421a0206003d31b49f7150ff84c15725200ff871377c240000000000000000b1ce20b6cca5c3e86e219ec24aef13ee2e4c12825e87e18a00736d3138383138 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sm18818" State = 0x9920660299267c474e5f7c2e3011a1e5 NAS-IP-Address = 10.1.1.22 NAS-Port = 50001 Cisco-NAS-Port = "FastEthernet0/1" NAS-Port-Type = Ethernet Called-Station-Id = "00-16-47-F7-32-41" Calling-Station-Id = "00-24-54-42-86-04" Service-Type = Framed-User Framed-MTU = 1500 server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "sm18818", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sm18818 [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [sm18818] (from client 10.1.1.22 port 50001 cli 00-24-54-42-86-04 via TLS tunnel) } # server packetfence-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 56 to 10.1.1.22 port 1812 EAP-Message = 0x0107002b1900170301002083d13929a4b17d457d0978cbdf96feaf9b3d0291f181a38ab1d60377f0333d2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c7cc4a17a7bdd7defb2c24478e29151 Finished request 6. Going to the next request Cheers, Andi ________________________________
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o'r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Morris, Andi wrote:
My freeradius server seems to be falling back to local authentication rather than piping it out to our ADS server. If I create a local user on the radius box authentication is successful. Can anyone please help with this? All relevant info I can think of is below.
You haven't configured the MSCHAP module to use AD. See my web site: http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok.
On Tue, Apr 24, 2012 at 09:24:42AM +0000, Morris, Andi wrote:
My freeradius server seems to be falling back to local authentication rather than piping it out to our ADS server. If I create a local user on the radius box authentication is successful. Can anyone please help with this? All relevant info I can think of is below.
Initial guess - you've set MS-CHAP-Use-NTLM-Auth = Yes somewhere (check for broken entries in your users file, etc), so mschap isn't even trying to call ntlm_auth.
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sm18818 [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks Alan, Great website! I've been through all the steps on that and I get an Access-Accept when running the radtest against MSCHAP at the end, however when I connect from a supplicant I'm still seeing the following in the debug output. " [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sm18818 [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect" Matthew, The only thing in my users file is: DEFAULT EAP-Message !* "", Auth-Type := Accept This was a pre-packaged setup of freeradius, I've not knowingly put MS-CHAP-Use-NTLM-Auth = Yes somewhere, although I will look around and see what I can find. -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 24 April 2012 10:54 To: FreeRadius users mailing list Subject: Re: falling back to local auth and not ads On Tue, Apr 24, 2012 at 09:24:42AM +0000, Morris, Andi wrote:
My freeradius server seems to be falling back to local authentication rather than piping it out to our ADS server. If I create a local user on the radius box authentication is successful. Can anyone please help with this? All relevant info I can think of is below.
Initial guess - you've set MS-CHAP-Use-NTLM-Auth = Yes somewhere (check for broken entries in your users file, etc), so mschap isn't even trying to call ntlm_auth.
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sm18818 [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Hi, On Tue, Apr 24, 2012 at 11:03:00AM +0000, Morris, Andi wrote:
I've been through all the steps on that and I get an Access-Accept when running the radtest against MSCHAP at the end, however when I connect from a supplicant I'm still seeing the following in the debug output.
" [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Full debug output from radiusd -X is needed otherwise we're all guessing what's up. Have you got 'eap' configured in your inner tunnel (sites-enabled/inner-tunnel, likely)? When you're using a supplicant, you'll be doing EAP, which means that you need eap in both the outer and the inner - the inner eap then internally calls mschap to then call ntlm_auth. I'm guessing you followed all of Alan's web page, including the section at the bottom about configuring ntlm_auth in the mschap module (not the 'exec mschap' bit) - the ntlm_auth in mschap is essential for EAP-MSCHAP to work, whereas plain mschap (or TTLS/MS-CHAP) uses the exec variant.
The only thing in my users file is: DEFAULT EAP-Message !* "", Auth-Type := Accept
OK I misread - I thought you'd said it was working, and then stopped, not that it wasn't working to begin with...
This was a pre-packaged setup of freeradius, I've not knowingly put MS-CHAP-Use-NTLM-Auth = Yes somewhere, although I will look around and see what I can find.
Don't bother, if you've never added it - it shouldn't be there. Matthew
-----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 24 April 2012 10:54 To: FreeRadius users mailing list Subject: Re: falling back to local auth and not ads
n Tue, Apr 24, 2012 at 09:24:42AM +0000, Morris, Andi wrote:
My freeradius server seems to be falling back to local authentication rather than piping it out to our ADS server. If I create a local user on the radius box authentication is successful. Can anyone please help with this? All relevant info I can think of is below.
Initial guess - you've set MS-CHAP-Use-NTLM-Auth = Yes somewhere (check for broken entries in your users file, etc), so mschap isn't even trying to call ntlm_auth.
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: sm18818 [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Morris, Andi wrote:
Great website! I've been through all the steps on that and I get an Access-Accept when running the radtest against MSCHAP at the end, however when I connect from a supplicant I'm still seeing the following in the debug output.
If you follow the instructions on the web site, then it will work.
The only thing in my users file is: DEFAULT EAP-Message !* "", Auth-Type := Accept
The web site does NOT say to do this. Do you understand what it does? It tries to bypass all authentication! Follow the web site. Don't do *more* changes than the web site says. It *will* work. The web site contains DETAILED descriptions of what to configure, what to test, and what to do when the tests don't work. It's clear you're *not* following the web site. If you were, you would be saying which step you tried, which ones worked, and which test failed. Alan DeKok.
OK, that entry in the users file was in as part of the prebuild package. I will have to check why that is there with the guys that make the package. For the moment I have commented it out so that it truly reflects the config on your website. I have been through the steps again and found that final radtest shows an access-reject and the debug shows: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Now presumably this is because there is nothing in the users file (by putting the DEFAULT EAP-Message !* "", Auth-Type := Accept back the access-request is accepted). The website says to delete the previous test entry, so now I am left with nothing in the users file. Is this correct? Cheers, Andi -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 24 April 2012 12:41 To: FreeRadius users mailing list Subject: Re: falling back to local auth and not ads Morris, Andi wrote:
Great website! I've been through all the steps on that and I get an Access-Accept when running the radtest against MSCHAP at the end, however when I connect from a supplicant I'm still seeing the following in the debug output.
If you follow the instructions on the web site, then it will work.
The only thing in my users file is: DEFAULT EAP-Message !* "", Auth-Type := Accept
The web site does NOT say to do this. Do you understand what it does? It tries to bypass all authentication! Follow the web site. Don't do *more* changes than the web site says. It *will* work. The web site contains DETAILED descriptions of what to configure, what to test, and what to do when the tests don't work. It's clear you're *not* following the web site. If you were, you would be saying which step you tried, which ones worked, and which test failed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Morris, Andi wrote:
I have been through the steps again and found that final radtest shows an access-reject and the debug shows: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
Then you didn't follow the guide. I really can't be any more clear.
Now presumably this is because there is nothing in the users file (by putting the DEFAULT EAP-Message !* "", Auth-Type := Accept back the access-request is accepted). The website says to delete the previous test entry, so now I am left with nothing in the users file. Is this correct?
No. It's because you didn't follow the guide. My previous message described what you should be doing. You're not doing it. Alan DeKok.
Hi,
I have been through the steps again and found that final radtest shows an access-reject and the debug shows: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
this is still with this prebuilt package? I would say theres all kinds of things wrong with that package and you'd be best off working with just a fresh copy of FreeRADIUS built direct from source.... for one thing, it works straight out of the box once you've added a source of authentication (ie added an entry in users file or configured the ntlm_auth) ERROR: No authenticate method (Auth-Type) means that you dont have the required handler present to deal with the request. it worked before as you had a HUGE bodge in the users file saying that if the request wasnt EAP then just accept...no matter what! :-| you CANNOT (thankfully!) just blindly accept all EAP - there has to be a 2-way communication of trust and the setting up of crypto keys etc. to work with EAP and MSCHAP without EAP you will need to ensure the required modules are enabled and configured...so you're looking at eg mschap module and ntlm_auth module. alan
Thanks Alan, I've looked further into the documentation of the pre-build package, and as far as I can tell that entry is required, so that non-EAP requests still get accepted, but the device gets put into the captive-portal. I will seek further clarification on this through them directly. Thanks for your help, Andi -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of alan buxey Sent: 24 April 2012 13:39 To: FreeRadius users mailing list Subject: Re: falling back to local auth and not ads Hi,
I have been through the steps again and found that final radtest shows an access-reject and the debug shows: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
this is still with this prebuilt package? I would say theres all kinds of things wrong with that package and you'd be best off working with just a fresh copy of FreeRADIUS built direct from source.... for one thing, it works straight out of the box once you've added a source of authentication (ie added an entry in users file or configured the ntlm_auth) ERROR: No authenticate method (Auth-Type) means that you dont have the required handler present to deal with the request. it worked before as you had a HUGE bodge in the users file saying that if the request wasnt EAP then just accept...no matter what! :-| you CANNOT (thankfully!) just blindly accept all EAP - there has to be a 2-way communication of trust and the setting up of crypto keys etc. to work with EAP and MSCHAP without EAP you will need to ensure the required modules are enabled and configured...so you're looking at eg mschap module and ntlm_auth module. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Just to clear this up, with the help of the people on the here and the PacketFence list the problem has now been resolved. There was a file called mschap.bkp in /etc/raddb/modules/ which once removed the requests went through as expected. The entry to allow all non-eap requests through in the users file is necessary for the purpose of the package so that devices authenticating using Mac-Authentication, or similar are allowed through. Cheers for the help everyone, Andi -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of Morris, Andi Sent: 24 April 2012 14:03 To: FreeRadius users mailing list Subject: RE: falling back to local auth and not ads Thanks Alan, I've looked further into the documentation of the pre-build package, and as far as I can tell that entry is required, so that non-EAP requests still get accepted, but the device gets put into the captive-portal. I will seek further clarification on this through them directly. Thanks for your help, Andi -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of alan buxey Sent: 24 April 2012 13:39 To: FreeRadius users mailing list Subject: Re: falling back to local auth and not ads Hi,
I have been through the steps again and found that final radtest shows an access-reject and the debug shows: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
this is still with this prebuilt package? I would say theres all kinds of things wrong with that package and you'd be best off working with just a fresh copy of FreeRADIUS built direct from source.... for one thing, it works straight out of the box once you've added a source of authentication (ie added an entry in users file or configured the ntlm_auth) ERROR: No authenticate method (Auth-Type) means that you dont have the required handler present to deal with the request. it worked before as you had a HUGE bodge in the users file saying that if the request wasnt EAP then just accept...no matter what! :-| you CANNOT (thankfully!) just blindly accept all EAP - there has to be a 2-way communication of trust and the setting up of crypto keys etc. to work with EAP and MSCHAP without EAP you will need to ensure the required modules are enabled and configured...so you're looking at eg mschap module and ntlm_auth module. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
alan buxey -
Alan DeKok -
Matthew Newton -
Morris, Andi