Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi I configure Freeradius 2.1.3 how it describes in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. here is debug output: FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 10.6.0.0/16 { require_message_authenticator = no secret = "secret" shortname = "cisco" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=123, length=155 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x02020019015350422e494d422e52555c747275626e696b6f76 Message-Authenticator = 0xca609e950b9d1b6e044b7b1e35ece327 NAS-Port-Type = Ethernet NAS-Port = 50020 NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 123 to 10.6.0.86 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59c899961300b089b526f445b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=124, length=228 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x0203005019800000004616030100410100003d03014994289f6e90304c75136fa081c24849e67c260665de87b51c9522d501063e5000001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xc5b019218bd1efacc9eb8657720601d4 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59c899961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 124 to 10.6.0.86 port 1645 EAP-Message = 0x0104040019c00000089b160301002a020000260301499428a3397c48ef2bf058423bf7bdf3f533b0e82d1d2323c12b36198d9554ff00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303231323132353633385a170d3130303231323132353633385a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100be607ef369a0c5d803e13ed311e4ce6722607bd2b51a05394de4dcaaf45d4b2e0bae9e001a76dfac328a9e85beea2a32a40504b3fe3d3b9f51a76eac7999 EAP-Message = 0x457c18dc35beb05d700d0f0149de5709341a4c9b873c1001a74516e6594bf82b1fa72e2e09b4e32e4e3dc4a420f648506461e877942742347e42ea0d48614badf4866a4226b63fa2fcd8bc0f980544c4d04405ee96e5e656041e720eb92483ee20c26b2b82b840c3c33e6b05b9ba947e940e7a5a0efd802a9046d67232300932bd7eeaa16e6887768c4836819d0dba80eed0612cdeeb282c680df57f65cc27ab9f56dd53420b9219d72d0f735e9a97d8aa755b7bf3402bfcc011ec6cc276fbf125db0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010086ca73bda33dac167f EAP-Message = 0x80bc8fd2e714597d56198a94b45dcecbe3bd868c88fe759344759cf4a200205eeaedc663550feb4d86c7856d1cf6de9c8d87e2e35abd54eb2056b8c6c52e16ec95d4b58ff41bdbdcd85157c0bcafb01db3bab55e704d8a4bb3a23db7bde2721b3145ad4a0375616b008cf3cfb3f44eb8a8b2e3988c7a003f925f5fb3265b94844486254b2a6fe9e116e06a45a7b8c7e43a141dbbad2b91c0d767de58cc82bfa86f648d47049f4ac425137e83cfb8af113e12dcd0e9ac4c7f41d8d61c9e3b9cc5249d173c308c56d09c0fb504590e2fc4fdfa45f57703738925c24ba72feb69d05e4f4dbe0491c3c2216bd8fe7540b4a490cf2ed4f13f360004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59d8e9961300b089b526f445b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=125, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020400061900 Message-Authenticator = 0x0e848ffd6bb8351f5ef907ebde5b7874 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59d8e9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 125 to 10.6.0.86 port 1645 EAP-Message = 0x010503fc194000adc70b5be0044ad3300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303231323132353633385a170d3130303231323132353633385a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d597421324695f36aae1a4ae9647c315c17da1da6caaa82a1028db432f0951f98af8947a591c0f77cfb99dd948e217f540840d7b9a1bfd31059173f700f582d017b9da6ff4f0b4c168def0b87dec3281d066ed8a6711431b92fe65234f5dfab96205f8f933b107fb283c79e4530e9f EAP-Message = 0x2db2999043968b3d4d1081804b5896d30be16a0bc958a3b9d91aeff3075d36aa8d93758bfd86770e6647af75f60600b95e675eaffdb0b55c8e08aa5b56f970d6120ee85db50ae37b5c020eee094f81e8c8b25c9ee5e817365a7c88173b46479bd45b42896894321e147b319e9cac56cebc7e0c883a44d8662842068281cedf9f2226d45fb9551ff7eac9231c9e0647e8a50203010001a381fb3081f8301d0603551d0e0416041455460e5d2216933d47b1213dcba48130590f3f803081c80603551d230481c03081bd801455460e5d2216933d47b1213dcba48130590f3f80a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900adc70b5be0044ad3300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000ca4fa0b2aeffd6f41b81c005b44979fb69bb157f76d01da7df39102b54c920862d6e184047adde5178e98f2b8d635dd9be7eae5e2b39640a7d5164cbd3f2cb1f080ea6b8b852b39e603151bb38ab0d744eb EAP-Message = 0xa0d53927f55728a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59e8f9961300b089b526f445b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=126, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020500061900 Message-Authenticator = 0x16385baf4cb2818e88325444881d1247 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59e8f9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 126 to 10.6.0.86 port 1645 EAP-Message = 0x010600b51900aa0831430c97a13773e7deac05ec51fcbd0f3d4126c04ed338ec3d6213a156682ba77e3840cbd0b30bbcb2e14c5e2103a1b6bfa11381916245226510c11d083385ac4f08c37e80267304e623ad73a104b26a124f324eff7d42ef6cf02f8bfd456664c793bd4cf1e2e8cda3f565a40decd9f9ba557d9f6933cf5d710a395e11e0d6654a5da345c48f4e91eeab7174a64912a5495e04a0b82daf07bbb9af7db00c0f5452738d1616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59f8c9961300b089b526f445b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=127, length=470 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x02060140198000000136160301010610000102010078a20bd953aea703502943c0e100284b5c866240b1d05afbf17f5c83411c651a86d18f15491f2b28be61f0fc2ca5ae927f11607777fed0c96e089fc07acf3f31ac8add249b45fafc690a0e4fb6cea1aad9041c188e602fa171ee2a5054ff7a0d38ba2d06dc5766d04f1b16f7bfd5c886a424b2298b745098be9446996003741f308da494612bc0f0cedc9d8c472390a2a3d90d3ba9495a9d2c2776de2badbf9cfcfa5a2e4262d3ed54094bec0b61a83912fa6134ed1b22ec63fa039f6c93b976df06dad786cf1a38164cdb645ce07d75a640d2f49da9c5987f1deafd07ac91c3722cecdea9459600 EAP-Message = 0x29d5d86f8e2440200273e63839ac3a263bdd90dc7aa1005d1403010001011603010020facefc49020de52c0a23b0d8fdbbe5912ab3268be088aa6c4dea17a9c8e91ab9 Message-Authenticator = 0xf6aecb8339699f0c4fe8e16a5e63ead0 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59f8c9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 127 to 10.6.0.86 port 1645 EAP-Message = 0x0107003119001403010001011603010020e49a8d4b1fd41d9c02ec41a3b101afe07da0b4e9635fde3e11cb6b0c9c979c07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f5988d9961300b089b526f445b Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=128, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020700061900 Message-Authenticator = 0x0db67edd1af97688be40d5c86c800a5e NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f5988d9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 128 to 10.6.0.86 port 1645 EAP-Message = 0x0108002019001703010015a20163ee50d59c13086db8efb27fdb8847cd1ba680 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f599829961300b089b526f445b Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=129, length=196 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020800301900170301002522a3717e23f4deab80a11045682aca6e40f14811082939e96a5afde4c52730cb4fc2263852 Message-Authenticator = 0xc32ec3ed44e0fd447b981ddffff6cf5c NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f599829961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 48 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - SPB.IMB.RU\trubnikov [peap] Got tunneled request EAP-Message = 0x02080019015350422e494d422e52555c747275626e696b6f76 server { PEAP: Got tunneled identity of SPB.IMB.RU\trubnikov PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to SPB.IMB.RU\trubnikov Sending tunneled request EAP-Message = 0x02080019015350422e494d422e52555c747275626e696b6f76 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SPB.IMB.RU\\trubnikov" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0109002e1a0109002910ecbf829566172500625bf7620a4f36795350422e494d422e52555c747275626e696b6f76 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a497d85df4b8501b130a3e04c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0109002e1a0109002910ecbf829566172500625bf7620a4f36795350422e494d422e52555c747275626e696b6f76 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a497d85df4b8501b130a3e04c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 129 to 10.6.0.86 port 1645 EAP-Message = 0x010900451900170301003ae178bf20a442a8ff436523b002959ace4150be491e8556ec798a439ef98a4b92c28e69dd1717e1e27fbe0081f057d5adc31304e15be33f58af79 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59a839961300b089b526f445b Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=130, length=250 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020900661900170301005b17cfadd420103a62807796ebc81cccc17ba868a0b32728ff8bd1be18aecfc4f8ee7032778a54581ecd13584dba8f36928343485c3718fbe3d96aba19ba1b9ece6a082e8a44ae4d9633e5ee1a2b24a4804836cfcc5f49c7456b9fd4 Message-Authenticator = 0x42701fb6beac1b74efafc2943d30f102 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59a839961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 102 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209004f1a0209004a3183289583fd8f07645a9e0b401989b0aa00000000000000005b2390610fbbb0a33313369bf434352cf94105042703b5e0005350422e494d422e52555c747275626e696b6f76 server { PEAP: Setting User-Name to SPB.IMB.RU\trubnikov Sending tunneled request EAP-Message = 0x0209004f1a0209004a3183289583fd8f07645a9e0b401989b0aa00000000000000005b2390610fbbb0a33313369bf434352cf94105042703b5e0005350422e494d422e52555c747275626e696b6f76 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SPB.IMB.RU\\trubnikov" State = 0x49749f5a497d85df4b8501b130a3e04c server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for trubnikov with NT-Password [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=SPB.IMB.RU [mschap] expand: --username=%{mschap:User-Name} -> --username=trubnikov [mschap] mschap2: ec [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9bb858a0208cb30a [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5b2390610fbbb0a33313369bf434352cf94105042703b5e0 Exec-Program output: NT_KEY: E5E69707F927B4D612960B8BE48C7887 Exec-Program-Wait: plaintext: NT_KEY: E5E69707F927B4D612960B8BE48C7887 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d45423936393838454632313731423530383032373337324435444239463534333937393336394337 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a487e85df4b8501b130a3e04c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d45423936393838454632313731423530383032373337324435444239463534333937393336394337 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a487e85df4b8501b130a3e04c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 130 to 10.6.0.86 port 1645 EAP-Message = 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59b809961300b089b526f445b Finished request 7. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 123 with timestamp +51 Cleaning up request 1 ID 124 with timestamp +51 Cleaning up request 2 ID 125 with timestamp +51 Cleaning up request 3 ID 126 with timestamp +51 Cleaning up request 4 ID 127 with timestamp +51 Cleaning up request 5 ID 128 with timestamp +51 Cleaning up request 6 ID 129 with timestamp +51 Cleaning up request 7 ID 130 with timestamp +51 Ready to process requests.
Andrey.Trubnikov@unicreditgroup.ru wrote:
Hi I configure Freeradius 2.1.3 how it describes in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. ... Sending Access-Challenge of id 130 to 10.6.0.86 port 1645 EAP-Message = 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59b809961300b089b526f445b Finished request 7. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 123 with timestamp +51
Read "eap.conf". Complete documentation is there. Alan DeKok.
I have exactly the same problem with Fedora 9 and 10 only. It works perfectly fine in Fedora 8 with the exact same configuration. I have spent hours trying to fix this, and could not figure it out. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org ] On Behalf Of Andrey.Trubnikov@unicreditgroup.ru Sent: Thursday, February 12, 2009 8:58 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem Hi I configure Freeradius 2.1.3 how it describes in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. here is debug output: FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 10.6.0.0/16 { require_message_authenticator = no secret = "secret" shortname = "cisco" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=123, length=155 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x02020019015350422e494d422e52555c747275626e696b6f76 Message-Authenticator = 0xca609e950b9d1b6e044b7b1e35ece327 NAS-Port-Type = Ethernet NAS-Port = 50020 NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 123 to 10.6.0.86 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59c899961300b089b526f445b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=124, length=228 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x0203005019800000004616030100410100003d03014994289f6e90304c75136fa081c24849 e67c260665de87b51c9522d501063e5000001600040005000a00090064006200030006001300 1200630100 Message-Authenticator = 0xc5b019218bd1efacc9eb8657720601d4 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59c899961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 124 to 10.6.0.86 port 1645 EAP-Message = 0x0104040019c00000089b160301002a020000260301499428a3397c48ef2bf058423bf7bdf3 f533b0e82d1d2323c12b36198d9554ff00000400160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355 040613024652310f300d060355040813065261646975733112301006035504071309536f6d65 776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886 f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303231323132353633385a170d3130303231323132353633385a307c310b30 09060355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220 43657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d 706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a028201 0100be607ef369a0c5d803e13ed311e4ce6722607bd2b51a05394de4dcaaf45d4b2e0bae9e00 1a76dfac328a9e85beea2a32a40504b3fe3d3b9f51a76eac7999 EAP-Message = 0x457c18dc35beb05d700d0f0149de5709341a4c9b873c1001a74516e6594bf82b1fa72e2e09 b4e32e4e3dc4a420f648506461e877942742347e42ea0d48614badf4866a4226b63fa2fcd8bc 0f980544c4d04405ee96e5e656041e720eb92483ee20c26b2b82b840c3c33e6b05b9ba947e94 0e7a5a0efd802a9046d67232300932bd7eeaa16e6887768c4836819d0dba80eed0612cdeeb28 2c680df57f65cc27ab9f56dd53420b9219d72d0f735e9a97d8aa755b7bf3402bfcc011ec6cc2 76fbf125db0203010001a317301530130603551d25040c300a06082b06010505070301300d06 092a864886f70d0101040500038201010086ca73bda33dac167f EAP-Message = 0x80bc8fd2e714597d56198a94b45dcecbe3bd868c88fe759344759cf4a200205eeaedc66355 0feb4d86c7856d1cf6de9c8d87e2e35abd54eb2056b8c6c52e16ec95d4b58ff41bdbdcd85157 c0bcafb01db3bab55e704d8a4bb3a23db7bde2721b3145ad4a0375616b008cf3cfb3f44eb8a8 b2e3988c7a003f925f5fb3265b94844486254b2a6fe9e116e06a45a7b8c7e43a141dbbad2b91 c0d767de58cc82bfa86f648d47049f4ac425137e83cfb8af113e12dcd0e9ac4c7f41d8d61c9e 3b9cc5249d173c308c56d09c0fb504590e2fc4fdfa45f57703738925c24ba72feb69d05e4f4d be0491c3c2216bd8fe7540b4a490cf2ed4f13f360004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59d8e9961300b089b526f445b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=125, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020400061900 Message-Authenticator = 0x0e848ffd6bb8351f5ef907ebde5b7874 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59d8e9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 125 to 10.6.0.86 port 1645 EAP-Message = 0x010503fc194000adc70b5be0044ad3300d06092a864886f70d0101050500308193310b3009 060355040613024652310f300d06035504081306526164697573311230100603550407130953 6f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a 864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d 4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303231 323132353633385a170d3130303231323132353633385a308193310b30090603550406130246 52310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120 301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122 300d06092a864886f70d01010105000382010f003082010a0282010100d597421324695f36aa e1a4ae9647c315c17da1da6caaa82a1028db432f0951f98af8947a591c0f77cfb99dd948e217 f540840d7b9a1bfd31059173f700f582d017b9da6ff4f0b4c168def0b87dec3281d066ed8a67 11431b92fe65234f5dfab96205f8f933b107fb283c79e4530e9f EAP-Message = 0x2db2999043968b3d4d1081804b5896d30be16a0bc958a3b9d91aeff3075d36aa8d93758bfd 86770e6647af75f60600b95e675eaffdb0b55c8e08aa5b56f970d6120ee85db50ae37b5c020e ee094f81e8c8b25c9ee5e817365a7c88173b46479bd45b42896894321e147b319e9cac56cebc 7e0c883a44d8662842068281cedf9f2226d45fb9551ff7eac9231c9e0647e8a50203010001a3 81fb3081f8301d0603551d0e0416041455460e5d2216933d47b1213dcba48130590f3f803081 c80603551d230481c03081bd801455460e5d2216933d47b1213dcba48130590f3f80a18199a4 8196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d6577686572653115301306035504 0a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963 61746520417574686f72697479820900adc70b5be0044ad3300c0603551d13040530030101ff 300d06092a864886f70d010105050003820101000ca4fa0b2aeffd6f41b81c005b44979fb69b b157f76d01da7df39102b54c920862d6e184047adde5178e98f2b8d635dd9be7eae5e2b39640 a7d5164cbd3f2cb1f080ea6b8b852b39e603151bb38ab0d744eb EAP-Message = 0xa0d53927f55728a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59e8f9961300b089b526f445b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=126, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020500061900 Message-Authenticator = 0x16385baf4cb2818e88325444881d1247 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59e8f9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 126 to 10.6.0.86 port 1645 EAP-Message = 0x010600b51900aa0831430c97a13773e7deac05ec51fcbd0f3d4126c04ed338ec3d6213a156 682ba77e3840cbd0b30bbcb2e14c5e2103a1b6bfa11381916245226510c11d083385ac4f08c3 7e80267304e623ad73a104b26a124f324eff7d42ef6cf02f8bfd456664c793bd4cf1e2e8cda3 f565a40decd9f9ba557d9f6933cf5d710a395e11e0d6654a5da345c48f4e91eeab7174a64912 a5495e04a0b82daf07bbb9af7db00c0f5452738d1616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59f8c9961300b089b526f445b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=127, length=470 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x02060140198000000136160301010610000102010078a20bd953aea703502943c0e100284b 5c866240b1d05afbf17f5c83411c651a86d18f15491f2b28be61f0fc2ca5ae927f11607777fe d0c96e089fc07acf3f31ac8add249b45fafc690a0e4fb6cea1aad9041c188e602fa171ee2a50 54ff7a0d38ba2d06dc5766d04f1b16f7bfd5c886a424b2298b745098be9446996003741f308d a494612bc0f0cedc9d8c472390a2a3d90d3ba9495a9d2c2776de2badbf9cfcfa5a2e4262d3ed 54094bec0b61a83912fa6134ed1b22ec63fa039f6c93b976df06dad786cf1a38164cdb645ce0 7d75a640d2f49da9c5987f1deafd07ac91c3722cecdea9459600 EAP-Message = 0x29d5d86f8e2440200273e63839ac3a263bdd90dc7aa1005d1403010001011603010020face fc49020de52c0a23b0d8fdbbe5912ab3268be088aa6c4dea17a9c8e91ab9 Message-Authenticator = 0xf6aecb8339699f0c4fe8e16a5e63ead0 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59f8c9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 127 to 10.6.0.86 port 1645 EAP-Message = 0x0107003119001403010001011603010020e49a8d4b1fd41d9c02ec41a3b101afe07da0b4e9 635fde3e11cb6b0c9c979c07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f5988d9961300b089b526f445b Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=128, length=154 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020700061900 Message-Authenticator = 0x0db67edd1af97688be40d5c86c800a5e NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f5988d9961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 128 to 10.6.0.86 port 1645 EAP-Message = 0x0108002019001703010015a20163ee50d59c13086db8efb27fdb8847cd1ba680 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f599829961300b089b526f445b Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=129, length=196 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020800301900170301002522a3717e23f4deab80a11045682aca6e40f14811082939e96a5a fde4c52730cb4fc2263852 Message-Authenticator = 0xc32ec3ed44e0fd447b981ddffff6cf5c NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f599829961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 48 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - SPB.IMB.RU\trubnikov [peap] Got tunneled request EAP-Message = 0x02080019015350422e494d422e52555c747275626e696b6f76 server { PEAP: Got tunneled identity of SPB.IMB.RU\trubnikov PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to SPB.IMB.RU\trubnikov Sending tunneled request EAP-Message = 0x02080019015350422e494d422e52555c747275626e696b6f76 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SPB.IMB.RU\\trubnikov" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0109002e1a0109002910ecbf829566172500625bf7620a4f36795350422e494d422e52555c 747275626e696b6f76 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a497d85df4b8501b130a3e04c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0109002e1a0109002910ecbf829566172500625bf7620a4f36795350422e494d422e52555c 747275626e696b6f76 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a497d85df4b8501b130a3e04c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 129 to 10.6.0.86 port 1645 EAP-Message = 0x010900451900170301003ae178bf20a442a8ff436523b002959ace4150be491e8556ec798a 439ef98a4b92c28e69dd1717e1e27fbe0081f057d5adc31304e15be33f58af79 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59a839961300b089b526f445b Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=130, length=250 User-Name = "SPB.IMB.RU\\trubnikov" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-C3-81-2A-16" Calling-Station-Id = "00-11-25-45-BB-9A" EAP-Message = 0x020900661900170301005b17cfadd420103a62807796ebc81cccc17ba868a0b32728ff8bd1 be18aecfc4f8ee7032778a54581ecd13584dba8f36928343485c3718fbe3d96aba19ba1b9ece 6a082e8a44ae4d9633e5ee1a2b24a4804836cfcc5f49c7456b9fd4 Message-Authenticator = 0x42701fb6beac1b74efafc2943d30f102 NAS-Port-Type = Ethernet NAS-Port = 50020 State = 0x9c8a80f59a839961300b089b526f445b NAS-IP-Address = 10.6.0.86 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 102 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209004f1a0209004a3183289583fd8f07645a9e0b401989b0aa00000000000000005b2390 610fbbb0a33313369bf434352cf94105042703b5e0005350422e494d422e52555c747275626e 696b6f76 server { PEAP: Setting User-Name to SPB.IMB.RU\trubnikov Sending tunneled request EAP-Message = 0x0209004f1a0209004a3183289583fd8f07645a9e0b401989b0aa00000000000000005b2390 610fbbb0a33313369bf434352cf94105042703b5e0005350422e494d422e52555c747275626e 696b6f76 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SPB.IMB.RU\\trubnikov" State = 0x49749f5a497d85df4b8501b130a3e04c server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "SPB.IMB.RU\trubnikov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for trubnikov with NT-Password [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=SPB.IMB.RU [mschap] expand: --username=%{mschap:User-Name} -> --username=trubnikov [mschap] mschap2: ec [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9bb858a0208cb30a [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5b2390610fbbb0a33313369bf434352cf94105042703b5e0 Exec-Program output: NT_KEY: E5E69707F927B4D612960B8BE48C7887 Exec-Program-Wait: plaintext: NT_KEY: E5E69707F927B4D612960B8BE48C7887 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d4542393639383845463231373142353038303237333732443544 4239463534333937393336394337 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a487e85df4b8501b130a3e04c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d4542393639383845463231373142353038303237333732443544 4239463534333937393336394337 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x49749f5a487e85df4b8501b130a3e04c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 130 to 10.6.0.86 port 1645 EAP-Message = 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1 f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c8a80f59b809961300b089b526f445b Finished request 7. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 123 with timestamp +51 Cleaning up request 1 ID 124 with timestamp +51 Cleaning up request 2 ID 125 with timestamp +51 Cleaning up request 3 ID 126 with timestamp +51 Cleaning up request 4 ID 127 with timestamp +51 Cleaning up request 5 ID 128 with timestamp +51 Cleaning up request 6 ID 129 with timestamp +51 Cleaning up request 7 ID 130 with timestamp +51 Ready to process requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 12, 2009, at 8:06 PM, Casartello, Thomas wrote:
I have exactly the same problem with Fedora 9 and 10 only. It works perfectly fine in Fedora 8 with the exact same configuration. I have spent hours trying to fix this, and could not figure it out.
Check the versions of your samba packages. I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP- MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth... Mike Loosbrock Bethel University Network Services 651-638-6723
Mike Loosbrock wrote:
Check the versions of your samba packages.
I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP-MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth...
Ouch. Samba 3.2.8 is out, so that might fix the issue. If not, we'll have to raise it as a bug with the Samba people. Alan DeKok.
Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: Friday, February 13, 2009 4:18 PM To: FreeRadius users mailing list Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem Mike Loosbrock wrote:
Check the versions of your samba packages.
I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP-MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth...
Ouch. Samba 3.2.8 is out, so that might fix the issue. If not, we'll have to raise it as a bug with the Samba people. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok I can confirm it now. I went back to samba 3.0.34 on my Fedora 10 machine and it now works. It's definitely a samba 3.2 issue. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org ] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Monday, February 16, 2009 11:04 AM To: FreeRadius users mailing list Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem Hi,
Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.
is this a confirmation that ntlm_auth doesnt work with samba 3.2.8 and , therefore, with FC10 ? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Both Fedora 9 and 10. Fedora jumped up to the samba 3.2 line with version 9. If you want it to work in 9 or 10 you have to use an older version of samba. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org ] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Monday, February 16, 2009 11:04 AM To: FreeRadius users mailing list Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem Hi,
Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.
is this a confirmation that ntlm_auth doesnt work with samba 3.2.8 and , therefore, with FC10 ? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Andrey.Trubnikov@unicreditgroup.ru -
Casartello, Thomas -
Mike Loosbrock