PEAP Machine Authentication
Hi, I'm trying to set a PEAP Authentication with the rlm_mschap.c / cli_netlogon.c hacks provided by M. Griego. The user auth still working (as before), but the computer still not... (a copy of the debug log. is in attachement) According to the log, the rlm_mschap seems to be effective, but is there any way to check that the samba patch is effective too ? I use a "patched" FR 1.0.5 and a "patched" samba-3.0.20b,1 under FreeBSD 5.3-RELEASE Regards, Jeremy Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = yes eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=78, length=183 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x63444a5a8824a6668f0c4039b3fa9564 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001bbd4f0d6e5bb61569a12d5f373e1a1b958fda7a867f0e888ecf9134 Message-Authenticator = 0x56fb29e69b4914d39ba20bf387f680a8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: EAP packet type response id 9 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: group authenticate returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=80, length=148 --- Walking the entire request list --- Sending Access-Reject of id 78 to 192.168.0.241:6001 Waking up in 3 seconds... Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202001501686f73742f6a632d706f727461626c65 Message-Authenticator = 0xdcb1aa29004ed8c0024d87e5ae730392 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_eap: EAP packet type response id 2 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 80 to 192.168.0.241:6001 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1370512c2134397d46167c90c436dfc Finished request 1 Going to the next request Thread 2 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=82, length=148 Waking up in 3 seconds... Thread 3 got semaphore Thread 3 handling request 2, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204001501686f73742f6a632d706f727461626c65 Message-Authenticator = 0x86b9014b85796c9dad0ee194a308342f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_eap: EAP packet type response id 4 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 82 to 192.168.0.241:6001 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb2415a16262a21ddc793ddd7df3e6b56 Finished request 2 Going to the next request Thread 3 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=83, length=225 Waking up in 3 seconds... Thread 4 got semaphore Thread 4 handling request 3, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xb2415a16262a21ddc793ddd7df3e6b56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205005019800000004616030100410100003d03014378cfdf419830adfee6d61196470d31ef4e27c9898752991ac8d739c98c90dd00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x7e1132c1cf086ce6fd6699bd8d559d4a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 rlm_eap: EAP packet type response id 5 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 83 to 192.168.0.241:6001 EAP-Message = 0x0106040a19c0000006d0160301004a0200004603014378cdc09fd9d6bf139a736e9f28b1ee378a37c033684e5329bfccace641f47720633e88e73cf68f278ff6b4036ba430bb6646bcead57546ca1c7d1320bd6c4a4200040016030106730b00066f00066c0002bd308202b930820222a003020102020900be3106f507d71918300d06092a864886f70d0101040500308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f EAP-Message = 0x742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d301e170d3035313032303132313831315a170d3135313031393132313831315a30818e310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c65311330110603550403130a62656c6c652d69736c653123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100e96c634b36c0 EAP-Message = 0xb0321b71e7442429893b4f9fe4fbd898bb02b4b835e08d2817a1034b660fdc78b2791378a0a1f9fa02b2bed298ad533d42d1b3126d78d4dcd5a6d107d47f0bc22aef392058f031bac8b4edb37c39e69a015265dd1455ce837daab1ab7cc81de8e02326445f4acf588d96cb84645e6189a2a94011527c757dbc450203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181006c3f5d76916ad642dcca36faf2738ffcad7677dc7966034adfcacaf4c4a44b9dc3bb784e290a02cc4c053fcedc1c2cf4f52f47ea0b033c6b31707538ad26173050d708ca7e0f04702307a5940d5169115c54 EAP-Message = 0x3de460d50b5cc424668ce8fbad1264b18579ae6c6903747d260e42d4e377f936df8b6a3c89e24e21d26bbb0e53520003a9308203a53082030ea003020102020900be3106f507d71917300d06092a864886f70d0101040500308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d301e170d30353130323031323138 EAP-Message = 0x31305a170d3135313031393132313831305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x727295dacda7c4f03237c3e2890645bb Finished request 3 Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=84, length=151 Waking up in 3 seconds... Thread 5 got semaphore Thread 5 handling request 4, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x727295dacda7c4f03237c3e2890645bb Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x59143a9a0ec6bad4aa8fc684fc8d07d4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 84 to 192.168.0.241:6001 EAP-Message = 0x010702d619000b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100de286538dbd149fea2e50c3e5c30c15653cac0230d8355c5b28b44860ff55e2e7619d5d5e993962f4e4ee86e9e372596fe8b14e8c8d1e2b07b3859f727b5e9a04f54b61d2f4491 EAP-Message = 0x9397aecca6b0f3499b45e9bd59df7a8ca2c701b8abd4d0363df7d26e4d957d8119dfaff924400da8e6cc71c983523fae2305fb923d48c927d70203010001a381fc3081f9301d0603551d0e0416041422306b5a55f8204218e5cfdcb6be96997eb143a93081c90603551d230481c13081be801422306b5a55f8204218e5cfdcb6be96997eb143a9a1819aa48197308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f7420 EAP-Message = 0x43413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d820900be3106f507d71917300c0603551d13040530030101ff300d06092a864886f70d010104050003818100764f77d21ba3622c6b4dbf8f8ae3811fa3ca529c9296af0864fead9056512831a52a5d2a433c972c160a1fec8e697afccb3fb0f1a97cc7f66be6a00fd49623c3223c02b43130fdeb8e2cf17a33d7b543ad539993a815ea3306c833e2e2ebb3daae5b7d86a83861e836557fadfe54330b5e5e0ac9ea7c010c4ef63d96eca402ba16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6854d631d98ad8078f595437b699ed5 Finished request 4 Going to the next request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=85, length=337 Waking up in 3 seconds... Thread 1 got semaphore Thread 1 handling request 5, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xe6854d631d98ad8078f595437b699ed5 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700c01980000000b616030100861000008200801457e62cff8615490eed4e0665ffb7133c3a2ae72fef6eb6a9d041a692979ec242b93f3fea9f7582479097249260c4c0000e297afeb2aff0cb764e5199ab788354cd8fb9e283eb4b769f8e866c65de9e324401b69024c1621c078ec2733981ad6f3d50d2aa89d4bc1becb7ef481416e0f43279020a2984b36f69e7635d1172bf1403010001011603010020e09b95b93a29e33826fd6e9525dae4b614ae1c03724484b97299e4ac0f57f9bf Message-Authenticator = 0x91f11375ef42bb822e45e6165f37ac0e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 7 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 85 to 192.168.0.241:6001 EAP-Message = 0x01080031190014030100010116030100209fc7116835f0ad29133a81d3d568b3aba897607858bba130f077538ea9dac86a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd5cba207907eb608a7ee5fcf484e8efd Finished request 5 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=86, length=151 Waking up in 3 seconds... Thread 2 got semaphore Thread 2 handling request 6, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xd5cba207907eb608a7ee5fcf484e8efd Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800061900 Message-Authenticator = 0x0c15a09ec13c9eb95faab11fcc7af68e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 8 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 86 to 192.168.0.241:6001 EAP-Message = 0x01090020190017030100152a5280ecf8347a21ee80a3b9676dfb0eb75e798bce Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4202ad4ac8fcc2cd7198fc3716666451 Finished request 6 Going to the next request Thread 2 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=87, length=189 Waking up in 3 seconds... Thread 3 got semaphore Thread 3 handling request 7, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x4202ad4ac8fcc2cd7198fc3716666451 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002c190017030100215a4e16cf9683342f73c4850aa16470f58f918fad8b21ca3946157af835e1d7034a Message-Authenticator = 0x0eb5e8e55449b200cdd28e2a11c52a3a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 44 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - host/portable rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65 PEAP: Got tunneled identity of host/portable PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to host/portable PEAP: Sending tunneled request EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/portable" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd41587fcd15cf9a726e2e859d35310f1 PEAP: Processing from tunneled session code 0x81951c0 11 EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd41587fcd15cf9a726e2e859d35310f1 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 87 to 192.168.0.241:6001 EAP-Message = 0x010a00411900170301003676b1c5b2f7bab5bab11766300da96cccfa4d23076b6812ed6e0eb9938df2274a70569cca9911185283330ae5569bfea386e8cf914978 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7947de392fecc9fcd50a38604fcbefe9 Finished request 7 Going to the next request Thread 3 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=88, length=243 Waking up in 3 seconds... Thread 4 got semaphore Thread 4 handling request 8, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x7947de392fecc9fcd50a38604fcbefe9 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a0062190017030100571584c7104c035d46872460ac212f4a12a31bd3d29fef43aabdc520f419e98d318932baa71b0ae64ac3e134c01ab2f3fd096f8bbe0becb6f60e778b093391a5fb1b50f9393b59f37731e3da9f3579d40d9f7ba36fe64f0b Message-Authenticator = 0x19bb8e5ba237a8e9605a55b66b80de62 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 rlm_eap: EAP packet type response id 10 length 98 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65 PEAP: Setting User-Name to host/portable PEAP: Adding old state with d4 15 PEAP: Sending tunneled request EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/portable" State = 0xd41587fcd15cf9a726e2e859d35310f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 rlm_eap: EAP packet type response id 10 length 75 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 8 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/portable with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' rlm_mschap: setting NT-Domain to same as machine name radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: bf radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264' Exec-Program: /usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: group Auth-Type returns reject for request 8 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 8 modcall: group authenticate returns reject for request 8 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8195280 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 88 to 192.168.0.241:6001 EAP-Message = 0x010b00261900170301001bf03c106f745ae7e8df43eebd86e1be9651f19be2cad5ec89778e98 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3acf7124cf49bb8a96cb38a5b1cbf543 Finished request 8 Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=89, length=183 Waking up in 3 seconds... Thread 5 got semaphore Thread 5 handling request 9, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x3acf7124cf49bb8a96cb38a5b1cbf543 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b00261900170301001ba0d84d961a8c8810ba0963241386597ec460318e3f2af1d0559b05 Message-Authenticator = 0x9f5299f265c8eb3c68a210a7dc54782e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 rlm_eap: EAP packet type response id 11 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Delaying request 9 for 1 seconds Finished request 9 Going to the next request Thread 5 waiting to be assigned a request
Is your machine truly a member of your AD domain? If so, it's not sending a fully qualified domain name for some reason. Therefore the code is setting the domain to the same as the machine name. I've only ever seen Windows send *just* the machine name without the domain name when the machine was standalone (not a domain member). --Mike Jérémy Cluzel wrote:
Hi,
I'm trying to set a PEAP Authentication with the rlm_mschap.c / cli_netlogon.c hacks provided by M. Griego. The user auth still working (as before), but the computer still not... (a copy of the debug log. is in attachement)
According to the log, the rlm_mschap seems to be effective, but is there any way to check that the samba patch is effective too ?
I use a "patched" FR 1.0.5 and a "patched" samba-3.0.20b,1 under FreeBSD 5.3-RELEASE
Regards,
Jeremy
------------------------------------------------------------------------
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = yes eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=78, length=183 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x63444a5a8824a6668f0c4039b3fa9564 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001bbd4f0d6e5bb61569a12d5f373e1a1b958fda7a867f0e888ecf9134 Message-Authenticator = 0x56fb29e69b4914d39ba20bf387f680a8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: EAP packet type response id 9 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: group authenticate returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=80, length=148 --- Walking the entire request list --- Sending Access-Reject of id 78 to 192.168.0.241:6001 Waking up in 3 seconds... Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202001501686f73742f6a632d706f727461626c65 Message-Authenticator = 0xdcb1aa29004ed8c0024d87e5ae730392 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_eap: EAP packet type response id 2 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 80 to 192.168.0.241:6001 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1370512c2134397d46167c90c436dfc Finished request 1 Going to the next request Thread 2 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=82, length=148 Waking up in 3 seconds... Thread 3 got semaphore Thread 3 handling request 2, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204001501686f73742f6a632d706f727461626c65 Message-Authenticator = 0x86b9014b85796c9dad0ee194a308342f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_eap: EAP packet type response id 4 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 82 to 192.168.0.241:6001 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb2415a16262a21ddc793ddd7df3e6b56 Finished request 2 Going to the next request Thread 3 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=83, length=225 Waking up in 3 seconds... Thread 4 got semaphore Thread 4 handling request 3, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xb2415a16262a21ddc793ddd7df3e6b56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205005019800000004616030100410100003d03014378cfdf419830adfee6d61196470d31ef4e27c9898752991ac8d739c98c90dd00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x7e1132c1cf086ce6fd6699bd8d559d4a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 rlm_eap: EAP packet type response id 5 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 83 to 192.168.0.241:6001 EAP-Message = 0x0106040a19c0000006d0160301004a0200004603014378cdc09fd9d6bf139a736e9f28b1ee378a37c033684e5329bfccace641f47720633e88e73cf68f278ff6b4036ba430bb6646bcead57546ca1c7d1320bd6c4a4200040016030106730b00066f00066c0002bd308202b930820222a003020102020900be3106f507d71918300d06092a864886f70d0101040500308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f EAP-Message = 0x742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d301e170d3035313032303132313831315a170d3135313031393132313831315a30818e310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c65311330110603550403130a62656c6c652d69736c653123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100e96c634b36c0 EAP-Message = 0xb0321b71e7442429893b4f9fe4fbd898bb02b4b835e08d2817a1034b660fdc78b2791378a0a1f9fa02b2bed298ad533d42d1b3126d78d4dcd5a6d107d47f0bc22aef392058f031bac8b4edb37c39e69a015265dd1455ce837daab1ab7cc81de8e02326445f4acf588d96cb84645e6189a2a94011527c757dbc450203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181006c3f5d76916ad642dcca36faf2738ffcad7677dc7966034adfcacaf4c4a44b9dc3bb784e290a02cc4c053fcedc1c2cf4f52f47ea0b033c6b31707538ad26173050d708ca7e0f04702307a5940d5169115c54 EAP-Message = 0x3de460d50b5cc424668ce8fbad1264b18579ae6c6903747d260e42d4e377f936df8b6a3c89e24e21d26bbb0e53520003a9308203a53082030ea003020102020900be3106f507d71917300d06092a864886f70d0101040500308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d301e170d30353130323031323138 EAP-Message = 0x31305a170d3135313031393132313831305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x727295dacda7c4f03237c3e2890645bb Finished request 3 Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=84, length=151 Waking up in 3 seconds... Thread 5 got semaphore Thread 5 handling request 4, (1 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x727295dacda7c4f03237c3e2890645bb Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x59143a9a0ec6bad4aa8fc684fc8d07d4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 84 to 192.168.0.241:6001 EAP-Message = 0x010702d619000b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f742043413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100de286538dbd149fea2e50c3e5c30c15653cac0230d8355c5b28b44860ff55e2e7619d5d5e993962f4e4ee86e9e372596fe8b14e8c8d1e2b07b3859f727b5e9a04f54b61d2f4491 EAP-Message = 0x9397aecca6b0f3499b45e9bd59df7a8ca2c701b8abd4d0363df7d26e4d957d8119dfaff924400da8e6cc71c983523fae2305fb923d48c927d70203010001a381fc3081f9301d0603551d0e0416041422306b5a55f8204218e5cfdcb6be96997eb143a93081c90603551d230481c13081be801422306b5a55f8204218e5cfdcb6be96997eb143a9a1819aa48197308194310b3009060355040613024652310e300c060355040814055268f46e65310d300b060355040713044c796f6e3111300f060355040a13086169726d6564697331133011060355040b130a42656c6c652d49736c6531193017060355040313106169726d6564697320526f6f7420 EAP-Message = 0x43413123302106092a864886f70d01090116146a636c757a656c406169726d656469732e636f6d820900be3106f507d71917300c0603551d13040530030101ff300d06092a864886f70d010104050003818100764f77d21ba3622c6b4dbf8f8ae3811fa3ca529c9296af0864fead9056512831a52a5d2a433c972c160a1fec8e697afccb3fb0f1a97cc7f66be6a00fd49623c3223c02b43130fdeb8e2cf17a33d7b543ad539993a815ea3306c833e2e2ebb3daae5b7d86a83861e836557fadfe54330b5e5e0ac9ea7c010c4ef63d96eca402ba16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6854d631d98ad8078f595437b699ed5 Finished request 4 Going to the next request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=85, length=337 Waking up in 3 seconds... Thread 1 got semaphore Thread 1 handling request 5, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xe6854d631d98ad8078f595437b699ed5 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700c01980000000b616030100861000008200801457e62cff8615490eed4e0665ffb7133c3a2ae72fef6eb6a9d041a692979ec242b93f3fea9f7582479097249260c4c0000e297afeb2aff0cb764e5199ab788354cd8fb9e283eb4b769f8e866c65de9e324401b69024c1621c078ec2733981ad6f3d50d2aa89d4bc1becb7ef481416e0f43279020a2984b36f69e7635d1172bf1403010001011603010020e09b95b93a29e33826fd6e9525dae4b614ae1c03724484b97299e4ac0f57f9bf Message-Authenticator = 0x91f11375ef42bb822e45e6165f37ac0e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 7 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 85 to 192.168.0.241:6001 EAP-Message = 0x01080031190014030100010116030100209fc7116835f0ad29133a81d3d568b3aba897607858bba130f077538ea9dac86a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd5cba207907eb608a7ee5fcf484e8efd Finished request 5 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=86, length=151 Waking up in 3 seconds... Thread 2 got semaphore Thread 2 handling request 6, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0xd5cba207907eb608a7ee5fcf484e8efd Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800061900 Message-Authenticator = 0x0c15a09ec13c9eb95faab11fcc7af68e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 8 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 86 to 192.168.0.241:6001 EAP-Message = 0x01090020190017030100152a5280ecf8347a21ee80a3b9676dfb0eb75e798bce Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4202ad4ac8fcc2cd7198fc3716666451 Finished request 6 Going to the next request Thread 2 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=87, length=189 Waking up in 3 seconds... Thread 3 got semaphore Thread 3 handling request 7, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x4202ad4ac8fcc2cd7198fc3716666451 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002c190017030100215a4e16cf9683342f73c4850aa16470f58f918fad8b21ca3946157af835e1d7034a Message-Authenticator = 0x0eb5e8e55449b200cdd28e2a11c52a3a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 44 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - host/portable rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65 PEAP: Got tunneled identity of host/portable PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to host/portable PEAP: Sending tunneled request EAP-Message = 0x0209001501686f73742f6a632d706f727461626c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/portable" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd41587fcd15cf9a726e2e859d35310f1 PEAP: Processing from tunneled session code 0x81951c0 11 EAP-Message = 0x010a002a1a010a002510bf42800e91ddf6bfe5155eb643e8bf54686f73742f6a632d706f727461626c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd41587fcd15cf9a726e2e859d35310f1 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 87 to 192.168.0.241:6001 EAP-Message = 0x010a00411900170301003676b1c5b2f7bab5bab11766300da96cccfa4d23076b6812ed6e0eb9938df2274a70569cca9911185283330ae5569bfea386e8cf914978 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7947de392fecc9fcd50a38604fcbefe9 Finished request 7 Going to the next request Thread 3 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=88, length=243 Waking up in 3 seconds... Thread 4 got semaphore Thread 4 handling request 8, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x7947de392fecc9fcd50a38604fcbefe9 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a0062190017030100571584c7104c035d46872460ac212f4a12a31bd3d29fef43aabdc520f419e98d318932baa71b0ae64ac3e134c01ab2f3fd096f8bbe0becb6f60e778b093391a5fb1b50f9393b59f37731e3da9f3579d40d9f7ba36fe64f0b Message-Authenticator = 0x19bb8e5ba237a8e9605a55b66b80de62 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 rlm_eap: EAP packet type response id 10 length 98 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65 PEAP: Setting User-Name to host/portable PEAP: Adding old state with d4 15 PEAP: Sending tunneled request EAP-Message = 0x020a004b1a020a00463100f954a333e2d02d0ba5ac5e7b2929ec000000000000000015b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b26400686f73742f6a632d706f727461626c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/portable" State = 0xd41587fcd15cf9a726e2e859d35310f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 rlm_eap: EAP packet type response id 10 length 75 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 8 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/portable with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' rlm_mschap: setting NT-Domain to same as machine name radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: bf radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264' Exec-Program: /usr/local/bin/ntlm_auth --request-nt-key --username=portable$ --domain=portable --challenge=df40e8392de543b7 --nt-response=15b13ebd33dcf6d1b4c4c22cdf1b2eb9e1db8821c003b264 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: group Auth-Type returns reject for request 8 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 8 modcall: group authenticate returns reject for request 8 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8195280 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 88 to 192.168.0.241:6001 EAP-Message = 0x010b00261900170301001bf03c106f745ae7e8df43eebd86e1be9651f19be2cad5ec89778e98 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3acf7124cf49bb8a96cb38a5b1cbf543 Finished request 8 Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.241:6001, id=89, length=183 Waking up in 3 seconds... Thread 5 got semaphore Thread 5 handling request 9, (2 handled so far) User-Name = "host/portable" NAS-IP-Address = 192.168.0.241 Called-Station-Id = "00-20-a6-56-73-76:TEST" Calling-Station-Id = "00-20-a6-57-83-f2" NAS-Identifier = "AP01" State = 0x3acf7124cf49bb8a96cb38a5b1cbf543 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b00261900170301001ba0d84d961a8c8810ba0963241386597ec460318e3f2af1d0559b05 Message-Authenticator = 0x9f5299f265c8eb3c68a210a7dc54782e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 rlm_eap: EAP packet type response id 11 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Delaying request 9 for 1 seconds Finished request 9 Going to the next request Thread 5 waiting to be assigned a request
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Jérémy Cluzel -
Michael Griego