Wind XP supplicant Domain//Username
My current setup is Freeraidus 2.0.4 connecting to OpenLDAP with PEAP authentication. Currently I have it working with all of our Linux and Mac clients and to an extent our Windows clients. I am trying to make connecting as simple as possible for the user. I can get the Windows clients to work if I uncheck the "Automatically use my Windows logon name and password (and domain if any)" option on the XP supplicant under the configure button for the MSCHAP authentication method. I would like to leave that option checked however when I do so the rlm_ldap fails because it is looking up DOMAIN\5cUSER. I have searched around a found a few leads but most of the deal with authenticating with ActiveDirectory and even if I do try their suggestions it doesn't seem to work. Output is below any suggestions would be greatly appreciated. FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Jul 20 2009 at 11:25:51 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "ohlieF8A" nastype = "other" } client 192.168.0.0/16 { require_message_authenticator = no secret = "ohlieF8A" shortname = "private-network-2" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "ohlieF8A" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "directory.internal.hustlerturf.com" port = 389 password = "********" identity = "cn=admin,dc=excelhustler,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,dc=excelhustler,dc=com" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnell-Private-Group conns: 0x1da46c0 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=1, length=156 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 EAP-Message = 0x02010010014c494e55585c7465737431 Message-Authenticator = 0x30e61dfe7f91ae35e8838442098099d5 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to directory.internal.hustlerturf.com:389, authentication 0 rlm_ldap: bind as cn=admin,dc=excelhustler,dc=com/******** to directory.internal.hustlerturf.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.151 port 10002 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0bd183ebed244722aa89641b1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=2, length=238 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0bd183ebed244722aa89641b1 EAP-Message = 0x0202005019800000004616030100410100003d03014a772e0aa387d178b5191c130073d49b1b0c63925dc110d4c9c4e45042e69a9d00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xe1b23065c3ea3a08b748254dd50c36cd +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.2.151 port 10002 EAP-Message = 0x0103040019c0000008bb160301004a0200004603014a772de15710e77e919a91345d791dcbfeccc296ed719f78b4c3cdedcdba11c7209a753776f6bd234c21eb46256816293ea610de552e068e635544cae3f468b5be000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3130303732383135343032315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c46a5c7395912e933ecd064d1cd85f9f00ae3de23f7af80c64146cb84190 EAP-Message = 0xe363dd63bfd42e2429c79cba72d3ac776dc3a1bb2dc02689f671222e3eaed2e773908c037305a05ca940b3d680e33bb910bbf48a23592f344d96c070e6cbc09696a47341fe95f476811d99a5644347f0e2bfd99fd60f419fca2eee5893b570d298872eea9e989d7957e171c5bb452735f6d19bd6edd8f805e1fa0594b1e203ac1396b520141817452b97c623d4d91be11570fef6835a808eb7fc002fded46cc7da16a38c2f35824681694a09f882a8acdae67909454f193174ba10a6dc102864b85fbbfd7cc81aef3a8e7585c4f62e32f4bfb17bb5aa40d0d9b261cb0151d59a415f0203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101008f71d306c7f12961903f993ff65b7dae4467b2e47749ca159a452c2df21a4edfa42d399198468fc06299bb34de225342dbddce5350c5d2059c39a27d12ef9ad8d9fb175311ed979408567079a7ee83131fee08d8563e0f23eff42aedd229ca26b4552c0c51c5eb07f9e2c54480ac953ce49ad8966d8bc13bf6323b376afa3df580810e8bb69d8f4bdd1f91ac988af96d9f9c8e79a859bb6187bdcbf105413cd9d19ed0f5bb75a3ebb9133e8e20be85d1adb35d6c942f0fda9ae4b1db05e71f7b60c145fa4df1504c6e78169e921a123aee80b3aa33618b52cd4219ba48def5a79bdb7d6dafdc EAP-Message = 0xb04fdd57077b70767f03b4fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0bc193ebed244722aa89641b1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=3, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0bc193ebed244722aa89641b1 EAP-Message = 0x020300061900 Message-Authenticator = 0x6aa33042e799826ed3a040760ea20615 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.2.151 port 10002 EAP-Message = 0x010403fc194054d3b6de88d892967e6b3eb495b00004ab308204a73082038fa003020102020900a5d663c9298e8fb0300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3039303832373135343032315a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2eb6fff9e49393ed67eaa1054d0fdd7001143a7e27ac045a43b389aef7b32841a63c46321341cd775753a2f0965cb2a1a261abcd28132fbc43f95cb3f484e089b31d50fb1696513ee6239994c889d EAP-Message = 0x6345446eb47b48b3ffbdf8ec416b034615473d60d64aa8504b369688dfc813014b4008ff730b0bf52674d050c9c59d33097b970adadcfab05d90b89ff04ae0d80656d2666339440f54a5ab651feb8da3b4b2d5a5f6f9edb510a9e1d74739d8c58c635836152ca45178cd6e331177b542bc5e877d4968b54da34175e97c89e095c1b34ed6e14c4aab65d7de02030ec56f72e68aaf947f991836014c5aa581bf37aae15d0e4f377ff6e85ae306868bcbe7ff0203010001a381fb3081f8301d0603551d0e04160414f484fb9461975409a48e27d5971133a3b1ac434c3081c80603551d230481c03081bd8014f484fb9461975409a48e27d5971133a3b1ac EAP-Message = 0x434ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a5d663c9298e8fb0300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010039d8d1c6114c9497ecd419f8809e101d081bdc07bf09363da41ef75df1eace30f0cd9258577df16b9a9870a3318c3c652877 EAP-Message = 0xcc4abf6d8be9f208 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0bf1e3ebed244722aa89641b1 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=4, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0bf1e3ebed244722aa89641b1 EAP-Message = 0x020400061900 Message-Authenticator = 0xe3f49e1dc1bd9a7cc2ba09d2cad8d052 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.2.151 port 10002 EAP-Message = 0x010500d51900e06682e06fa176b55d4a8a787748598eaa1eea7fe1d11533451b17faac2c41444e253ad37507bfdfb7b423bc382153641f5b0e67be423aad8df473f529cdeb66265a827cf14b5387861f4ea0bf6091147a7b5a4ee4f1afc85b095ca2697b5f334cf64afdba1235039992e7e01ea7ee74e4fdef141626955ecd6c272c3b2335742c5fa50909249272ea623f1fb0121b61498ad6b8752638808f3d23cbb5219c0d83a335d0c0c685f654b832578256a1fd6298bd27906c1ab639ec6901999887e998a74baf204716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0be1f3ebed244722aa89641b1 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=5, length=480 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0be1f3ebed244722aa89641b1 EAP-Message = 0x02050140198000000136160301010610000102010003bcfe6edc5ac790dd2a536103a4f26d3644bf3b66e991ad039eef82ff27f3512cf07b0eb0fd969447cef83979da1b7721e18e20883a8f975f326bdaea9047f1b0cbf155ca101e3fa14570c25b41bc9c7eb944e97ca54666628b5632a6b30430e4dd0d31a524687eda83272ad2573e2fdc3f46a01b72025a79aac5754c66cf66aa48daf8c073ea112507e2a258404c472c16c2e41b8b7d044356a64d27a632258fe7c3d05fe72094c908984fe5ab9a1da6a3dc407525b18b95feb8877268324ae10ee90f8f0e932a300c1bfea21e91e879c234f04726e56a30e491adcf5cc11ce86f54bd9435492e EAP-Message = 0x59e5cc677765200f2ed65486aeb05e2db0057b8e2f414f25140301000101160301002045c5503fa36fdd40a41380ea90d1e1d0f8f0edee717bdb0cd4b1913cd3096b66 Message-Authenticator = 0x66d3f60b20559169104856b0f96a6474 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.2.151 port 10002 EAP-Message = 0x0106003119001403010001011603010020713afd5f53f16037dd03c3e9716b9484f3a9f65070722cb9ccdb3835bb0580d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0b91c3ebed244722aa89641b1 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=6, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0b91c3ebed244722aa89641b1 EAP-Message = 0x020600061900 Message-Authenticator = 0x446d642e8de6477c7ecd709ebc345d1e +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.2.151 port 10002 EAP-Message = 0x0107002019001703010015b2999f22d52c31d7b9114e49e8bbecc11adee42c0d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0b81d3ebed244722aa89641b1 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=7, length=197 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0b81d3ebed244722aa89641b1 EAP-Message = 0x020700271900170301001c737fd9d39009b1f542b5090f11a8eb437a03dd1a95b09675c132a588 Message-Authenticator = 0x3565f0cea538abec12291a62dbcf5f7b +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 39 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - LINUX\test1 PEAP: Got tunneled EAP-Message EAP-Message = 0x02070010014c494e55585c7465737431 PEAP: Got tunneled identity of LINUX\test1 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x02070010014c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010a368f3908ef2a9921a8b7821bceeda874c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6b55262e6bd4850d1efd72bdd823e7d PEAP: Processing from tunneled session code 0x1de2d40 11 EAP-Message = 0x010800251a0108002010a368f3908ef2a9921a8b7821bceeda874c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6b55262e6bd4850d1efd72bdd823e7d PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.2.151 port 10002 EAP-Message = 0x0108003c19001703010031c26d17ad11110e31c7be6f94e9639bf457bbb848f0e6f1f40f1c471d706db311b207c6810a712d3bcdc9ea168a1b4d6c09 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0bb123ebed244722aa89641b1 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=8, length=251 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0bb123ebed244722aa89641b1 EAP-Message = 0x0208005d190017030100527458ccc1710becb285441acde21dc551281ab103940d3227121369191f3a0a6a82dc58427020a338a06e07e0a87e05f28719ac710a9328dfefaa1646c5913d9e6150bfd3c6d032889a894f00629ecb4f4e88 Message-Authenticator = 0xe284c38150b6530357b2cc2f73c468d2 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800461a020800413144408d3d7f47d40bd23c9adc870f1ea500000000000000003eb0540d2770229837f2e685c2311f74fa65f01327a32be2004c494e55585c7465737431 PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x020800461a020800413144408d3d7f47d40bd23c9adc870f1ea500000000000000003eb0540d2770229837f2e685c2311f74fa65f01327a32be2004c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" State = 0xe6b55262e6bd4850d1efd72bdd823e7d server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 70 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x1de1930 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.2.151 port 10002 EAP-Message = 0x010900261900170301001bb5c8ec4ea7f7075d9002e64849d369c89e24f8269b10e16092fcc6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd1a27d0ba133ebed244722aa89641b1 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10002, id=9, length=196 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0xbd1a27d0ba133ebed244722aa89641b1 EAP-Message = 0x020900261900170301001b4d66b45b673836cc47d4e7f5b03e3adf5d5192b9d90636029b5f52 Message-Authenticator = 0x7484b90d3715780775716007fb7dc660 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 1 cli 00:13:e8:b9:8c:b9) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> LINUX\test1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 9 to 192.168.2.151 port 10002 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=11, length=156 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 EAP-Message = 0x02010010014c494e55585c7465737431 Message-Authenticator = 0xf00d1284aa5548d655b47a1bac769f35 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 11 to 192.168.2.151 port 10003 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f10026b765c42d054796fe3e0 Finished request 9. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=12, length=238 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f10026b765c42d054796fe3e0 EAP-Message = 0x0202005019800000004616030100410100003d03014a772e0b5f4f44389df63a380049523e1427757e2f0e8ba5347208098e3174ce00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xbd34cc45c69004c920bebfaedde64341 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 12 to 192.168.2.151 port 10003 EAP-Message = 0x0103040019c0000008bb160301004a0200004603014a772de259c8e79cf288f3170a4a34fdc1c2ba91acc7b3c4a29bd1886ed0833f20bdd2d1258b0ae45bc6805ee37aba433832075642210c7cb4fe4c61a45ca17801000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3130303732383135343032315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c46a5c7395912e933ecd064d1cd85f9f00ae3de23f7af80c64146cb84190 EAP-Message = 0xe363dd63bfd42e2429c79cba72d3ac776dc3a1bb2dc02689f671222e3eaed2e773908c037305a05ca940b3d680e33bb910bbf48a23592f344d96c070e6cbc09696a47341fe95f476811d99a5644347f0e2bfd99fd60f419fca2eee5893b570d298872eea9e989d7957e171c5bb452735f6d19bd6edd8f805e1fa0594b1e203ac1396b520141817452b97c623d4d91be11570fef6835a808eb7fc002fded46cc7da16a38c2f35824681694a09f882a8acdae67909454f193174ba10a6dc102864b85fbbfd7cc81aef3a8e7585c4f62e32f4bfb17bb5aa40d0d9b261cb0151d59a415f0203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101008f71d306c7f12961903f993ff65b7dae4467b2e47749ca159a452c2df21a4edfa42d399198468fc06299bb34de225342dbddce5350c5d2059c39a27d12ef9ad8d9fb175311ed979408567079a7ee83131fee08d8563e0f23eff42aedd229ca26b4552c0c51c5eb07f9e2c54480ac953ce49ad8966d8bc13bf6323b376afa3df580810e8bb69d8f4bdd1f91ac988af96d9f9c8e79a859bb6187bdcbf105413cd9d19ed0f5bb75a3ebb9133e8e20be85d1adb35d6c942f0fda9ae4b1db05e71f7b60c145fa4df1504c6e78169e921a123aee80b3aa33618b52cd4219ba48def5a79bdb7d6dafdc EAP-Message = 0xb04fdd57077b70767f03b4fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f11036b765c42d054796fe3e0 Finished request 10. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=13, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f11036b765c42d054796fe3e0 EAP-Message = 0x020300061900 Message-Authenticator = 0x0ac586525ddee0f50523d80d5f1ccfcb +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 13 to 192.168.2.151 port 10003 EAP-Message = 0x010403fc194054d3b6de88d892967e6b3eb495b00004ab308204a73082038fa003020102020900a5d663c9298e8fb0300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3039303832373135343032315a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2eb6fff9e49393ed67eaa1054d0fdd7001143a7e27ac045a43b389aef7b32841a63c46321341cd775753a2f0965cb2a1a261abcd28132fbc43f95cb3f484e089b31d50fb1696513ee6239994c889d EAP-Message = 0x6345446eb47b48b3ffbdf8ec416b034615473d60d64aa8504b369688dfc813014b4008ff730b0bf52674d050c9c59d33097b970adadcfab05d90b89ff04ae0d80656d2666339440f54a5ab651feb8da3b4b2d5a5f6f9edb510a9e1d74739d8c58c635836152ca45178cd6e331177b542bc5e877d4968b54da34175e97c89e095c1b34ed6e14c4aab65d7de02030ec56f72e68aaf947f991836014c5aa581bf37aae15d0e4f377ff6e85ae306868bcbe7ff0203010001a381fb3081f8301d0603551d0e04160414f484fb9461975409a48e27d5971133a3b1ac434c3081c80603551d230481c03081bd8014f484fb9461975409a48e27d5971133a3b1ac EAP-Message = 0x434ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a5d663c9298e8fb0300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010039d8d1c6114c9497ecd419f8809e101d081bdc07bf09363da41ef75df1eace30f0cd9258577df16b9a9870a3318c3c652877 EAP-Message = 0xcc4abf6d8be9f208 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f12046b765c42d054796fe3e0 Finished request 11. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=14, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f12046b765c42d054796fe3e0 EAP-Message = 0x020400061900 Message-Authenticator = 0xcfdcb541d6e3a4355eb5afaeb87e4c14 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 14 to 192.168.2.151 port 10003 EAP-Message = 0x010500d51900e06682e06fa176b55d4a8a787748598eaa1eea7fe1d11533451b17faac2c41444e253ad37507bfdfb7b423bc382153641f5b0e67be423aad8df473f529cdeb66265a827cf14b5387861f4ea0bf6091147a7b5a4ee4f1afc85b095ca2697b5f334cf64afdba1235039992e7e01ea7ee74e4fdef141626955ecd6c272c3b2335742c5fa50909249272ea623f1fb0121b61498ad6b8752638808f3d23cbb5219c0d83a335d0c0c685f654b832578256a1fd6298bd27906c1ab639ec6901999887e998a74baf204716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f13056b765c42d054796fe3e0 Finished request 12. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=15, length=480 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f13056b765c42d054796fe3e0 EAP-Message = 0x020501401980000001361603010106100001020100345d365b87825e49a7aa390d04627c0ef1194ab7cb3d4ab5d172edb3242711d1122343e1031a1a5a62e73db3c5a86b029070d81a6e2c040122d522ad4d195888d0ca8c3813a9b0a4694b81b863baf681776fa7c07498885884f0928058df75ba611ef1211786332bdf3285eaa49eba5c4159a3dc1c6a94631e8b58c7d39eaa1eaa86476c1f3d0d8dec33be9c27f9b1ff039034479017c4727a3c659d2bbcc2ef78da61f253de259e004582b82da7d980cfa7a7bc06363771f6450c2497a60ef43a8bf8547076d73d651d5586dc1756f7eaec4027db70cfb9ed869b7e2a03f4957d8bfa8ceb15b3d8 EAP-Message = 0x00927fd5f0197cf5d6b16dbd05c3e7ab44cc117fad22f02f1403010001011603010020f80dc1cc42782053a99a2243d1df18e31c036d63402e436532debf8fe9ed93cc Message-Authenticator = 0x6fcea68d0057564ded0752c04ef0c0fd +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 15 to 192.168.2.151 port 10003 EAP-Message = 0x01060031190014030100010116030100209ab7d250d58427059024943814681e014d5f060c7ead503c7882dd866dbb4a62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f14066b765c42d054796fe3e0 Finished request 13. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=16, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f14066b765c42d054796fe3e0 EAP-Message = 0x020600061900 Message-Authenticator = 0xd1f5823f9c99d02acdfc60567c78f72c +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 16 to 192.168.2.151 port 10003 EAP-Message = 0x0107002019001703010015ea26434d92ecdfbfdb2220326ef6c3dee696356b40 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f15076b765c42d054796fe3e0 Finished request 14. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=17, length=197 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f15076b765c42d054796fe3e0 EAP-Message = 0x020700271900170301001c55f75b143dea9783948e06e5b21148ef2f447fa06ba8a24e0672cf84 Message-Authenticator = 0xc16e46ee3683ef68ade437712ea6ded6 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 39 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - LINUX\test1 PEAP: Got tunneled EAP-Message EAP-Message = 0x02070010014c494e55585c7465737431 PEAP: Got tunneled identity of LINUX\test1 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x02070010014c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010181aa22b76d10fbe6a329bdfd7f585dd4c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2bad37742ba52dd284335b0b93096851 PEAP: Processing from tunneled session code 0x1dbdf90 11 EAP-Message = 0x010800251a0108002010181aa22b76d10fbe6a329bdfd7f585dd4c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2bad37742ba52dd284335b0b93096851 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 17 to 192.168.2.151 port 10003 EAP-Message = 0x0108003c19001703010031cf6455ed48efd482d62600917d0ead4ec100f7ed7318dd606a1b162f22cab96ec1f0956639ec905581503e96019a9ed065 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f16086b765c42d054796fe3e0 Finished request 15. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=18, length=251 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f16086b765c42d054796fe3e0 EAP-Message = 0x0208005d190017030100520bc6fe0b2aed4841e2c717c05dda389310be4e43074d4ebca2c6820f836a937e3c6d053fe049a99b0f80a268532161a1f2ce5a24c815df33c05c560d2422948bfaa06ed0f33a1f232de7926b6091b6cd29ed Message-Authenticator = 0xb331a1b177bb51369f9903ea6e5cc76f +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800461a02080041313d4c5a4317f4cd1b27363013aae1f25300000000000000003871a4fc65ac06c2d69f621df647a94d2a4eab1bda5882db004c494e55585c7465737431 PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x020800461a02080041313d4c5a4317f4cd1b27363013aae1f25300000000000000003871a4fc65ac06c2d69f621df647a94d2a4eab1bda5882db004c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" State = 0x2bad37742ba52dd284335b0b93096851 server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 70 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x1dbdff0 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 18 to 192.168.2.151 port 10003 EAP-Message = 0x010900261900170301001b11332ce4f2c596e0f647b83a5c894ae665c90b0c2a8425f3260c8e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1000725f17096b765c42d054796fe3e0 Finished request 16. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10003, id=19, length=196 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x1000725f17096b765c42d054796fe3e0 EAP-Message = 0x020900261900170301001bf586818b7529b417d82cc5d925f4e1904983409c2834325c24d200 Message-Authenticator = 0xa8ca7a4fcfaa86f696404e95c2f8ee4b +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 1 cli 00:13:e8:b9:8c:b9) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> LINUX\test1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 19 to 192.168.2.151 port 10003 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=21, length=156 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 EAP-Message = 0x02010010014c494e55585c7465737431 Message-Authenticator = 0xe812d7788548e10f5519e2b192993b9d +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 21 to 192.168.2.151 port 10004 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15c98b6268a6c68880037d65f Finished request 18. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=22, length=238 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15c98b6268a6c68880037d65f EAP-Message = 0x0202005019800000004616030100410100003d03014a772e0dc67cdfbe047b85c3dcb9e5e02778cfae851b82677c379829a871566c00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xf3a5cd46a4207946dbf86122158d31e8 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 22 to 192.168.2.151 port 10004 EAP-Message = 0x0103040019c0000008bb160301004a0200004603014a772de4368fc3d52986512cc24a802e55e1aec895b4fc5d5658dd5b6b712ddc205ed8e001a0925e8bfe5f762db0e5fae6c438df798dfb564a7989134090b10f3f000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3130303732383135343032315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c46a5c7395912e933ecd064d1cd85f9f00ae3de23f7af80c64146cb84190 EAP-Message = 0xe363dd63bfd42e2429c79cba72d3ac776dc3a1bb2dc02689f671222e3eaed2e773908c037305a05ca940b3d680e33bb910bbf48a23592f344d96c070e6cbc09696a47341fe95f476811d99a5644347f0e2bfd99fd60f419fca2eee5893b570d298872eea9e989d7957e171c5bb452735f6d19bd6edd8f805e1fa0594b1e203ac1396b520141817452b97c623d4d91be11570fef6835a808eb7fc002fded46cc7da16a38c2f35824681694a09f882a8acdae67909454f193174ba10a6dc102864b85fbbfd7cc81aef3a8e7585c4f62e32f4bfb17bb5aa40d0d9b261cb0151d59a415f0203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101008f71d306c7f12961903f993ff65b7dae4467b2e47749ca159a452c2df21a4edfa42d399198468fc06299bb34de225342dbddce5350c5d2059c39a27d12ef9ad8d9fb175311ed979408567079a7ee83131fee08d8563e0f23eff42aedd229ca26b4552c0c51c5eb07f9e2c54480ac953ce49ad8966d8bc13bf6323b376afa3df580810e8bb69d8f4bdd1f91ac988af96d9f9c8e79a859bb6187bdcbf105413cd9d19ed0f5bb75a3ebb9133e8e20be85d1adb35d6c942f0fda9ae4b1db05e71f7b60c145fa4df1504c6e78169e921a123aee80b3aa33618b52cd4219ba48def5a79bdb7d6dafdc EAP-Message = 0xb04fdd57077b70767f03b4fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15d99b6268a6c68880037d65f Finished request 19. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=23, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15d99b6268a6c68880037d65f EAP-Message = 0x020300061900 Message-Authenticator = 0xdc805aa7b4e1b9c5185c16459e1fa75d +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.2.151 port 10004 EAP-Message = 0x010403fc194054d3b6de88d892967e6b3eb495b00004ab308204a73082038fa003020102020900a5d663c9298e8fb0300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303732383135343032315a170d3039303832373135343032315a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2eb6fff9e49393ed67eaa1054d0fdd7001143a7e27ac045a43b389aef7b32841a63c46321341cd775753a2f0965cb2a1a261abcd28132fbc43f95cb3f484e089b31d50fb1696513ee6239994c889d EAP-Message = 0x6345446eb47b48b3ffbdf8ec416b034615473d60d64aa8504b369688dfc813014b4008ff730b0bf52674d050c9c59d33097b970adadcfab05d90b89ff04ae0d80656d2666339440f54a5ab651feb8da3b4b2d5a5f6f9edb510a9e1d74739d8c58c635836152ca45178cd6e331177b542bc5e877d4968b54da34175e97c89e095c1b34ed6e14c4aab65d7de02030ec56f72e68aaf947f991836014c5aa581bf37aae15d0e4f377ff6e85ae306868bcbe7ff0203010001a381fb3081f8301d0603551d0e04160414f484fb9461975409a48e27d5971133a3b1ac434c3081c80603551d230481c03081bd8014f484fb9461975409a48e27d5971133a3b1ac EAP-Message = 0x434ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a5d663c9298e8fb0300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010039d8d1c6114c9497ecd419f8809e101d081bdc07bf09363da41ef75df1eace30f0cd9258577df16b9a9870a3318c3c652877 EAP-Message = 0xcc4abf6d8be9f208 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15e9eb6268a6c68880037d65f Finished request 20. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=24, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15e9eb6268a6c68880037d65f EAP-Message = 0x020400061900 Message-Authenticator = 0xfee37471422fafe8fa9e1f462f308402 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.2.151 port 10004 EAP-Message = 0x010500d51900e06682e06fa176b55d4a8a787748598eaa1eea7fe1d11533451b17faac2c41444e253ad37507bfdfb7b423bc382153641f5b0e67be423aad8df473f529cdeb66265a827cf14b5387861f4ea0bf6091147a7b5a4ee4f1afc85b095ca2697b5f334cf64afdba1235039992e7e01ea7ee74e4fdef141626955ecd6c272c3b2335742c5fa50909249272ea623f1fb0121b61498ad6b8752638808f3d23cbb5219c0d83a335d0c0c685f654b832578256a1fd6298bd27906c1ab639ec6901999887e998a74baf204716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15f9fb6268a6c68880037d65f Finished request 21. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=25, length=480 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15f9fb6268a6c68880037d65f EAP-Message = 0x02050140198000000136160301010610000102010007b66382949332a91163b26b074fe7fd99b7dd70d3429dfeac39e79d44cfa482d903fb1fea82de8753af2340b2d7395d25dd0d2a0fef65d075d1e5204c5feaeabf905355ef71ac392490814750f69b222100da81267248447a70239f0dc414820fffc59ba4e1f32d46120a1b6d090d4924c0ee33ef360133e3b3a618f2e59a2e38e63afee4c843fc70290f592dbf1bdd8921a64c40dfa9024eaf50333740a6c282572cbc13467206117161b3252e1830e521d67a062a64752594fb9c3678c80b041a0f94972faaa8e7ccf538ff891e13c554fd0b8003f8d4594c36746e759056a1abf79bd9fc10df EAP-Message = 0xdc26fcc961cf2f3766955041d3ff0dfb5750bf34e2ba310b1403010001011603010020ec5ba6b42022de6c9a857a6867e2c0d88657840d05f6cd3aeb9c08cb55a973ae Message-Authenticator = 0x2126ff488f3f0520f70089e99213f66a +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 25 to 192.168.2.151 port 10004 EAP-Message = 0x010600311900140301000101160301002021eca22f5b0df438670391496204019817af31ccf9b9ba09d5ef1e0bc72542a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff1589cb6268a6c68880037d65f Finished request 22. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=26, length=164 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff1589cb6268a6c68880037d65f EAP-Message = 0x020600061900 Message-Authenticator = 0x59fda3a9e1b134df0b68fb1ad4dc488e +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 26 to 192.168.2.151 port 10004 EAP-Message = 0x0107002019001703010015238eb713bba53e509541e6f6962180138fa50ad48d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff1599db6268a6c68880037d65f Finished request 23. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=27, length=197 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff1599db6268a6c68880037d65f EAP-Message = 0x020700271900170301001cbd99641f2e97b8f8b6c4733c29a1b18e60e7a4db45434e4eb09f954a Message-Authenticator = 0x3bfc85d5e79119058167b440852935f8 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 39 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - LINUX\test1 PEAP: Got tunneled EAP-Message EAP-Message = 0x02070010014c494e55585c7465737431 PEAP: Got tunneled identity of LINUX\test1 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x02070010014c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a01080020109e9536ec642b4bae655f0a59e554cdca4c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8fa5dc688fadc6ebfe94f831548b3cb4 PEAP: Processing from tunneled session code 0x1dd69f0 11 EAP-Message = 0x010800251a01080020109e9536ec642b4bae655f0a59e554cdca4c494e55585c7465737431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8fa5dc688fadc6ebfe94f831548b3cb4 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 27 to 192.168.2.151 port 10004 EAP-Message = 0x0108003c19001703010031b5eaed11e69075c510206a129829d5fa0b9a00e0e75071de04b49a8a1f1515f6f04ce4d37bf2cb6d809cca66b42b381806 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15a92b6268a6c68880037d65f Finished request 24. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=28, length=251 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15a92b6268a6c68880037d65f EAP-Message = 0x0208005d19001703010052d2b4b0b7431c3b4e01c2cbeb0b7bfc26452e5e348d76f897ea796573fdb29a30f8a741edc9ebb4ee44f6da3597d2704fd253c2221ba1d4dcf99d0be845fba56e63fc1b3c188b9107a225de465dc67f01f69e Message-Authenticator = 0x28baad3a912c6a18076ffee6d6d4446b +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800461a020800413185dc7fea07f6ef7ff746eb59e78f17760000000000000000807590a4317cb924686984ec30d82a57738cc88c897e3180004c494e55585c7465737431 PEAP: Setting User-Name to LINUX\test1 PEAP: Sending tunneled request EAP-Message = 0x020800461a020800413185dc7fea07f6ef7ff746eb59e78f17760000000000000000807590a4317cb924686984ec30d82a57738cc88c897e3180004c494e55585c7465737431 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "LINUX\\test1" State = 0x8fa5dc688fadc6ebfe94f831548b3cb4 server inner-tunnel { +- entering group authorize ++[mschap] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 70 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for LINUX\test1 expand: (uid=%u) -> (uid=LINUX\5ctest1) expand: ou=People,dc=excelhustler,dc=com -> ou=People,dc=excelhustler,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=excelhustler,dc=com, with filter (uid=LINUX\5ctest1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x1dd6680 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 28 to 192.168.2.151 port 10004 EAP-Message = 0x010900261900170301001bc3570c2e3433ff1dfcbfcce52348664f94ae2ec412eec02c68b19a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c9aaff15b93b6268a6c68880037d65f Finished request 25. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 192.168.2.151 port 10004, id=29, length=196 User-Name = "LINUX\\test1" Called-Station-Id = "00:23:68:0f:7a:90" Calling-Station-Id = "00:13:e8:b9:8c:b9" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 192.168.2.151 NAS-Identifier = "AP-51xx" Vendor-388-Attr-2 = 0x657863656c656170 State = 0x5c9aaff15b93b6268a6c68880037d65f EAP-Message = 0x020900261900170301001b534e55ceb744ccb3ba5c500e6896234c5941523ecda7b34e289e0d Message-Authenticator = 0x859d6bcd5df76246dc339b04047c507b +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [LINUX\\test1/<via Auth-Type = EAP>] (from client private-network-2 port 1 cli 00:13:e8:b9:8c:b9) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> LINUX\test1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 26 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 26 Sending Access-Reject of id 29 to 192.168.2.151 port 10004 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.0 seconds. Cleaning up request 0 ID 1 with timestamp +12 Cleaning up request 1 ID 2 with timestamp +12 Cleaning up request 2 ID 3 with timestamp +12 Cleaning up request 3 ID 4 with timestamp +12 Cleaning up request 4 ID 5 with timestamp +12 Cleaning up request 5 ID 6 with timestamp +12 Cleaning up request 6 ID 7 with timestamp +12 Cleaning up request 7 ID 8 with timestamp +12 Waking up in 1.0 seconds. Cleaning up request 8 ID 9 with timestamp +12 Waking up in 0.1 seconds. Cleaning up request 9 ID 11 with timestamp +13 Cleaning up request 10 ID 12 with timestamp +13 Cleaning up request 11 ID 13 with timestamp +13 Cleaning up request 12 ID 14 with timestamp +13 Cleaning up request 13 ID 15 with timestamp +13 Cleaning up request 14 ID 16 with timestamp +13 Cleaning up request 15 ID 17 with timestamp +13 Cleaning up request 16 ID 18 with timestamp +13 Waking up in 1.0 seconds. Cleaning up request 17 ID 19 with timestamp +13 Waking up in 0.5 seconds. Cleaning up request 18 ID 21 with timestamp +15 Cleaning up request 19 ID 22 with timestamp +15 Cleaning up request 20 ID 23 with timestamp +15 Cleaning up request 21 ID 24 with timestamp +15 Cleaning up request 22 ID 25 with timestamp +15 Cleaning up request 23 ID 26 with timestamp +15 Cleaning up request 24 ID 27 with timestamp +15 Cleaning up request 25 ID 28 with timestamp +15 Waking up in 1.0 seconds. Cleaning up request 26 ID 29 with timestamp +15 Ready to process requests. -- Mark
hi, hoping that their password for their PC account is the same as you have in LDAP or AD... hwta you need to do is enable the nt fix stuff in the mschap module etc - and then ,when doing auth, use the stripped username, dont use the mschap:username etc - this will be a plain user name without the domain part. best idea? ensure they;ve configured their machine correctly rather than hacking up the authentication server just because you can - or else you'll be a slave to fixing up things for every future wierdnedd that comes your way. (use .Net, powershell, VB or even C to write a small 'setup tool' for your Wireless that configures the profile correctly and drops the cert required into place - let the RADIUS server do what it does as it should) alan
On 08/03/2009 03:16 PM, Alan Buxey wrote:
hi,
hoping that their password for their PC account is the same as you have in LDAP or AD... hwta you need to do is enable the nt fix stuff in the mschap module etc - and then ,when doing auth, use the stripped username, dont use the mschap:username etc - this will be a plain user name without the domain part.
Passwords are the same. I believe I did set the with_ntdomain_hack as shown below. How would I go about checking which user name I am using when doing auth? Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } When I set the with_ntdomain_hack = yes in Preprocess instead of in mschap I did run into the issue of the username used to authenticate was different from that used to authorize. I have since turned that off as suggested by by may people on the mailing list. How do I tell which user name I am using for auth? (do you mean authorize or authenticate when you use abbreviate as auth?) Also how do I specify one or the other to use for auth? -- Mark Saner System Administrator Hustler Turf Equipment msaner@hustlerturf.com IS ext. 192 Per ext. 205 (620)327-1205 www.hustlerturf.com
I would like to leave that option checked however when I do so the rlm_ldap fails because it is looking up DOMAIN\5cUSER. I have searched around a found a few leads but most of the deal with authenticating with ActiveDirectory and even if I do try their suggestions it doesn't seem to work. Output is below any suggestions would be greatly appreciated.
...
filter = "(uid=%u)"
... Put ldap filter back to what it was. Enable ntdomain in inner-tunnel. Create local realm LINUX in proxy.conf: realm LINUX { } Ivan Kalik Kalik Informatika ISP
On 08/03/2009 04:13 PM, Ivan Kalik wrote:
...
filter = "(uid=%u)"
...
Put ldap filter back to what it was. Enable ntdomain in inner-tunnel. Create local realm LINUX in proxy.conf:
realm LINUX { }
Ivan Kalik Kalik Informatika ISP
Thanks Ivan this worked great. -- Mark Saner System Administrator Hustler Turf Equipment msaner@hustlerturf.com IS ext. 192 Per ext. 205 (620)327-1205 www.hustlerturf.com
participants (3)
-
Alan Buxey -
Ivan Kalik -
Mark Saner