Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved
I am able to have peap/mschpv2 work with ldap nt hash. radtest -t mschap will not work for peap/mschapv2, the real windows supplicant, wireless access point will work. The format in ldap is not relevant, w/ or w/o the preceding 0x will work. The configuration I changed from default are the following clients.conf to add testing AP ip and secret eap.conf to add the real certificate thing etc. modules/ldap to add the ldap proxy account information. site-enabled/inner-tunnel - uncomment the ldap line in authorize authorize { # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap } Now whenever I try to have a virtual server for another instance, then it will have the same error as before. Then I copied the site-enabled/default content and put them within the virtual server, it's working again. I then try to reduce to the minimum necessary configuration, the following is for the virtual server to work server ldap_ntpassword_1814 { listen { type = auth ipaddr = * port = 1814 } listen { ipaddr = * port = 1815 type = acct } authorize { eap { ok = return } } authenticate { eap } } Thanks, Schilling On Fri, Nov 5, 2010 at 7:12 AM, schilling <schilling2006@gmail.com> wrote:
I asked the ldap admin to change the format of the ntPassword to prepend with 0x, now radius -X get the right hash, but it still have no "known good" password was found in LDAP. Nevertheless, the authorization is ok. What is the right format to put in our ldap ntPassword attribute? Should I ignore the error and focus on the Auth-Type error?
I will reinstall 2.1.0 with all default, and try it again.
Thanks,
Schilling
[ldap] looking for check items in directory... [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user sding authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok
On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok <aland@deployingradius.com> wrote:
schilling wrote:
Found Auth-Type = EAP WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
You have edited the default configuration and broken it. Don't do that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
schilling wrote:
Now whenever I try to have a virtual server for another instance, then it will have the same error as before.
Then that virtual server is configured incorrectly.
Then I copied the site-enabled/default content and put them within the virtual server, it's working again.
The default configuration works.
I then try to reduce to the minimum necessary configuration,
Why? Just... why do people do this?
the following is for the virtual server to work
No. It won't work because LDAP is never used to find the "known good" password. I have no idea what you're doing, but the server is definitely misconfigured. Alan DeKok.
Here is my radiusd -X output of a assumed successful login with peap. Would you please see whether this is working? Yes, the default with one ldap line commented out in site-enabled/inner-tunnel works. But it will not work once I have a virtual server in the radiusd.conf. The debug is done with default radius.configuration with only the following addition: I could add all the uncommented lines in site-enabled/default to this virtual server instance, I just want to see what exactly is my previous issue, so I reduced to minimum "working" configure I thought. Well, may be not. ###sding server ldap_ntpassword_1814 { listen { type = auth ipaddr = * port = 1814 } listen { ipaddr = * port = 1815 type = acct } authorize { eap { ok = return } } authenticate { eap } } ###sding FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 5 2010 at 10:45:49 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /home/sding/opt/etc/raddb/radiusd.conf including configuration file /home/sding/opt/etc/raddb/proxy.conf including configuration file /home/sding/opt/etc/raddb/clients.conf including files in directory /home/sding/opt/etc/raddb/modules/ including configuration file /home/sding/opt/etc/raddb/modules/acct_unique including configuration file /home/sding/opt/etc/raddb/modules/always including configuration file /home/sding/opt/etc/raddb/modules/attr_filter including configuration file /home/sding/opt/etc/raddb/modules/attr_rewrite including configuration file /home/sding/opt/etc/raddb/modules/chap including configuration file /home/sding/opt/etc/raddb/modules/checkval including configuration file /home/sding/opt/etc/raddb/modules/counter including configuration file /home/sding/opt/etc/raddb/modules/cui including configuration file /home/sding/opt/etc/raddb/modules/detail including configuration file /home/sding/opt/etc/raddb/modules/detail.example.com including configuration file /home/sding/opt/etc/raddb/modules/detail.log including configuration file /home/sding/opt/etc/raddb/modules/digest including configuration file /home/sding/opt/etc/raddb/modules/dynamic_clients including configuration file /home/sding/opt/etc/raddb/modules/echo including configuration file /home/sding/opt/etc/raddb/modules/etc_group including configuration file /home/sding/opt/etc/raddb/modules/exec including configuration file /home/sding/opt/etc/raddb/modules/expiration including configuration file /home/sding/opt/etc/raddb/modules/expr including configuration file /home/sding/opt/etc/raddb/modules/files including configuration file /home/sding/opt/etc/raddb/modules/inner-eap including configuration file /home/sding/opt/etc/raddb/modules/ippool including configuration file /home/sding/opt/etc/raddb/modules/krb5 including configuration file /home/sding/opt/etc/raddb/modules/ldap including configuration file /home/sding/opt/etc/raddb/modules/linelog including configuration file /home/sding/opt/etc/raddb/modules/logintime including configuration file /home/sding/opt/etc/raddb/modules/mac2ip including configuration file /home/sding/opt/etc/raddb/modules/mac2vlan including configuration file /home/sding/opt/etc/raddb/modules/mschap including configuration file /home/sding/opt/etc/raddb/modules/ntlm_auth including configuration file /home/sding/opt/etc/raddb/modules/opendirectory including configuration file /home/sding/opt/etc/raddb/modules/otp including configuration file /home/sding/opt/etc/raddb/modules/pam including configuration file /home/sding/opt/etc/raddb/modules/pap including configuration file /home/sding/opt/etc/raddb/modules/passwd including configuration file /home/sding/opt/etc/raddb/modules/perl including configuration file /home/sding/opt/etc/raddb/modules/policy including configuration file /home/sding/opt/etc/raddb/modules/preprocess including configuration file /home/sding/opt/etc/raddb/modules/radutmp including configuration file /home/sding/opt/etc/raddb/modules/realm including configuration file /home/sding/opt/etc/raddb/modules/smbpasswd including configuration file /home/sding/opt/etc/raddb/modules/smsotp including configuration file /home/sding/opt/etc/raddb/modules/sql_log including configuration file /home/sding/opt/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /home/sding/opt/etc/raddb/modules/sradutmp including configuration file /home/sding/opt/etc/raddb/modules/unix including configuration file /home/sding/opt/etc/raddb/modules/wimax including configuration file /home/sding/opt/etc/raddb/eap.conf including configuration file /home/sding/opt/etc/raddb/policy.conf including files in directory /home/sding/opt/etc/raddb/sites-enabled/ including configuration file /home/sding/opt/etc/raddb/sites-enabled/default including configuration file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel including configuration file /home/sding/opt/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /home/sding/opt/etc/raddb/dictionary main { prefix = "/home/sding/opt/" localstatedir = "/home/sding/opt//var" logdir = "/home/sding/opt//var/log/radius" libdir = "/home/sding/opt//lib" radacctdir = "/home/sding/opt//var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/home/sding/opt//var/run/radiusd/radiusd.pid" checkrad = "/home/sding/opt//sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 128.186.252.11/32 { require_message_authenticator = no secret = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /home/sding/opt/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /home/sding/opt/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /home/sding/opt/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /home/sding/opt/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server ldap_ntpassword_1814 { # from file /home/sding/opt/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /home/sding/opt/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/home/sding/opt/etc/raddb/certs" pem_file_type = yes private_key_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/auth1.key" certificate_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/server.crt" CA_file = "/home/sding/opt/etc/raddb/certs/auth1_comodo/ca-chain.crt" private_key_password = "thismykey" dh_file = "/home/sding/opt/etc/raddb/certs/dh" random_file = "/home/sding/opt/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/home/sding/opt/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load } # modules } # server server inner-tunnel { # from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /home/sding/opt/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /home/sding/opt/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /home/sding/opt/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /home/sding/opt/etc/raddb/modules/unix unix { radwtmp = "/home/sding/opt//var/log/radius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /home/sding/opt/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /home/sding/opt/etc/raddb/modules/files files { usersfile = "/home/sding/opt/etc/raddb/users" acctusersfile = "/home/sding/opt/etc/raddb/acct_users" preproxy_usersfile = "/home/sding/opt/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /home/sding/opt/etc/raddb/modules/ldap ldap { server = "mds.fsu.edu" port = 389 password = "myldappassword" identity = "cn=radius-proxy-proxy,ou=proxy-users,dc=fsu,dc=edu" net_timeout = 10 timeout = 20 timelimit = 20 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes require_cert = "allow" } basedn = "dc=fsu,dc=edu" filter = "(&(uid=%u)(!(uid=lib-guest*)))" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/home/sding/opt/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /home/sding/opt/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x8921338 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /home/sding/opt/etc/raddb/modules/radutmp radutmp { filename = "/home/sding/opt//var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /home/sding/opt/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/home/sding/opt/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /home/sding/opt/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /home/sding/opt/etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /home/sding/opt/etc/raddb/modules/preprocess preprocess { huntgroups = "/home/sding/opt/etc/raddb/huntgroups" hints = "/home/sding/opt/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /home/sding/opt/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /home/sding/opt/etc/raddb/modules/detail detail { detailfile = "/home/sding/opt//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /home/sding/opt/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/home/sding/opt/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/home/sding/opt//var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = * port = 1814 } listen { type = "acct" ipaddr = * port = 1815 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /home/sding/opt//var/run/radiusd/radiusd.sock Listening on authentication address * port 1814 as server ldap_ntpassword_1814 Listening on accounting address * port 1815 as server ldap_ntpassword_1814 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=194, length=160 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x0212000a017364696e67 Message-Authenticator = 0x6325d4e08e1c07cc15e8712dda27d62c server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 18 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 194 to 128.186.252.11 port 32858 EAP-Message = 0x0113001604102ef8be1d90b4bc9af75abe1eaa422223 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2505e83ff725017e0433f9f6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=195, length=174 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x021300060319 State = 0x2516ecdd2505e83ff725017e0433f9f6 Message-Authenticator = 0x8ae90ed63d19f2dc17a87e9ad06e0d4e server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 19 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 195 to 128.186.252.11 port 32858 EAP-Message = 0x011400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2402f53ff725017e0433f9f6 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=196, length=255 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x0214005719800000004d16030100480100004403014cd46491a50af6b476d0c2b26cfc35c55a1678008ac04c723fd6776ef30a701c00001600040005000a0009006400620003000600130012006301000005ff01000100 State = 0x2516ecdd2402f53ff725017e0433f9f6 Message-Authenticator = 0xf8c4e70699e5fcac0fc7afb6aa376f00 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 20 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0f33], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 196 to 128.186.252.11 port 32858 EAP-Message = 0x0115040019c000000f7716030100310200002d03014cd464915a9a5028d668f9e09aec880896aee600806fb58d92a740bc9aacca01000004000005ff010001001603010f330b000f2f000f2c00063f3082063b30820523a0030201020210635b024dc9d1dc5f3c2f4cedba800fd9300d06092a864886f70d0101050500308193310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311b3019060355 EAP-Message = 0x0403131255544e202d2044415441436f727020534743301e170d3130313032383030303030305a170d3132313032373233353935395a30820125310b3009060355040613025553310e300c0603550411130533323330363110300e06035504081307466c6f72696461311430120603550407130b54616c6c616861737365653121301f06035504091318466c6f7269646120537461746520556e6976657273697479312830260603550409131f363130304320556e69766572736974792043656e746572204d5320323632303121301f060355040a1318466c6f7269646120537461746520556e6976657273697479310c300a060355040b1303495453 EAP-Message = 0x312b3029060355040b1322486f7374656420627920466c6f7269646120537461746520556e697665727369747931173015060355040b130e436f6d6f646f205347432053534c311a30180603550403131161757468312e6974732e6673752e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100ab48c2c53dd239f0ea7125f2bc75a3a15f52fa3ad4b3b67e93a56eb1e56ecf0b10b444019144f5a1fef9eafe655be434d8603478738e93ed5feba81be470a12dc93913afc0eff1ab2752a74c2d30bd6b9b0a3adabd0d59fb068054b505b3dde7b14f994c2c20c4f01b2e7b2b9c035d2ca37d439b876b66600040 EAP-Message = 0xc58ddc05812f05704d364e7b9e2f1d62a56f8344a3b2113418268b38ec5ebbf8b14fc21f21306d4fdafd636d6045e5e2b092d740f7a2ee4c817c06082bdb2e32fb5d1ead99d4488011197c0f8c30e1afe77a5d1728a4a787f2615f999e2d96eca34f1a13cf7c9bccedfb653abe32aa3f6ca2cd74a0d3a3a1d3d0baff57f101263688dc171f9b0203010001a38201f4308201f0301f0603551d230418301680145332d1b3cf7ffae0f1a05d854e92d29e451db44f301d0603551d0e0416041430953498d738b06c6795237e557027279a818ac8300e0603551d0f0101ff0404030205a0300c0603551d130101ff0402300030340603551d25042d302b06 EAP-Message = 0x082b0601050507030106082b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2703f53ff725017e0433f9f6 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=197, length=174 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x021500061900 State = 0x2516ecdd2703f53ff725017e0433f9f6 Message-Authenticator = 0x3228b80a3cb9c9ca4538fed5447936c8 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 21 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 197 to 128.186.252.11 port 32858 EAP-Message = 0x011603fc194006010505070302060a2b0601040182370a030306096086480186f842040130460603551d20043f303d303b060c2b06010401b2310102010304302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e636f6d2f435053306d0603551d1f046630643031a02fa02d862b687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f55544e2d44415441436f72705347432e63726c302fa02da02b8629687474703a2f2f63726c2e636f6d6f646f2e6e65742f55544e2d44415441436f72705347432e63726c306e06082b0601050507010104623060303806082b06010505073002862c68747470 EAP-Message = 0x3a2f2f6372742e636f6d6f646f63612e636f6d2f55544e416464547275737453474343412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30330603551d11042c302a821161757468312e6974732e6673752e65647582157777772e61757468312e6974732e6673752e656475300d06092a864886f70d010105050003820101000e3d408868bc72069780fa6defb4507c3785d09cce4093609c9aec78f7d54575ac9d46d4d728042655c04e71cf1702a022a8162f0e141efcec52b29d8281777d2f320deee2192ecf40bd8f71a229491ea7b5759f8d5cd34553d90d2169abed2a19a6c3109f7b EAP-Message = 0x72d353eaccd921343a3616d0da0f87a72821b4f3e76e9ea1e74de473d65f67ee30885cbc6666dd0895f71a171259b2784eb5cacd8cdbf95ea642fd35e6a96faae97659f923b096bbb8ee85227f245139f484a3f53b6a63c5e24ca8dc0828dae91decea8245cf4916652bcc7275ff5aacbcfc7576b490371e6d6c30332137ecd528fd736ed2b30659a6d741c715c3b07cb577b69d90ec944ad1520004aa308204a63082038ea003020102021046eaf096054cc5e3fa65ea6e9f42c664300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d4164 EAP-Message = 0x6454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308193310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311b30190603550403131255544e202d2044415441436f72702053474330820122300d0609 EAP-Message = 0x2a864886f70d0101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2600f53ff725017e0433f9f6 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=198, length=174 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x021600061900 State = 0x2516ecdd2600f53ff725017e0433f9f6 Message-Authenticator = 0x75a884e84b7d44bdc02ab17107d67d8e server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 22 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 198 to 128.186.252.11 port 32858 EAP-Message = 0x011703fc19400105000382010f003082010a0282010100dfee5810a22b6e55c48ebf2e4609e7e0080f2e2b7a13941bbdf6b6808e650593001ebcafe20f8e190d1247ecacada3fa2e70f8de6efb5642159e2e5cef23de21b9057627190f4fd6c39cb4be941963f2a6110aeb53489cbef2293b16e81aa04ca6c9f4185968c070f25300c05e5082a5566f36f94ae04486a04d4ed6476e494acb67d7a6c405b98e1ef4fcffcde736e09c056cb2332215d0b4e0cc17c0b2c0f4fe323f292a957bd8f2a74e0f547ca10d80b30903c1ff5cdd5e9a3ebcaebc478a6aae71ca1fb12ab85f42050bec4630d1720bcae9566df5efdf78be61bab2a5ae044cbca8ac69 EAP-Message = 0x1597bdefebb48cbf35f8d4c3d1280e5c3a9f7018332077c4a2af0203010001a382011730820113301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604145332d1b3cf7ffae0f1a05d854e92d29e451db44f300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30200603551d2504193017060a2b0601040182370a030306096086480186f842040130110603551d20040a300830060604551d2000307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f416464547275737445787465726e616c4341526f6f EAP-Message = 0x742e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f416464547275737445787465726e616c4341526f6f742e63726c300d06092a864886f70d0101050500038201010063869210b113fa37be8e2ab61b8a43f55cae0e14dff769407fbf1a710009d8bfd4244abfe093ff01d80bc60fec7e479cb05df77c149dfcc03392845bd283f452e2225874fc431b3fa7a358da03fdbcf03ae4edcc12bbc9b9ae7b04a00472bfe9de2dd2a751660073d2bd7eaa9e53967d69b2183e8ead56507ef7d5b0ff396265828c9657c38ff760f6c28d3487fc4f43e5dbbf1caaf686cde6df113f8d07f76d8313c038883960a17e30e1e3 EAP-Message = 0x883ea4bb636f2ce98a682cee9669ac0461e14f4e0e9d724cf67938c8c748696f940f74b4bcc8cf574db97571960d8a060bebddd0f03c7dc62e98466a38c702b5c8b8b26575deda9008b677b8530025cb47ca735f00043a308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d323030 EAP-Message = 0x3533303130343833 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2101f53ff725017e0433f9f6 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=199, length=174 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x021700061900 State = 0x2516ecdd2101f53ff725017e0433f9f6 Message-Authenticator = 0x602e32ae1208f2087ad641fe019857e1 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 199 to 128.186.252.11 port 32858 EAP-Message = 0x0118039b1900385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61 EAP-Message = 0xaa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7 EAP-Message = 0xfac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e7 EAP-Message = 0x24adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e860416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd200ef53ff725017e0433f9f6 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=200, length=490 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x02180140198000000136160301010610000102010092fbf1bfd8994b61145cfdcb1e041bc16c1e7d8322531a34fb8331b5ca4594cc0c19455b77850f623fd592f095c2f3513d29c40f9f4fac639a7db0cd1bc0d6dacc8684878554b6b78cce88d5adab5ff474ae9dac9b3160a1b13564b0d51ccf0eb6236869855dd98383f5e30320c33d11f0648c25fa089b4c09c36a0a7d59be37f1972da54426123693c810867f191c624a41854a0220cc3c9f88db74c6fe2f66dbcbfb7213867323f00f102483c702144303dd1069e6614400e5abbe3eb9b4c8fa0aefdaae5ff54d24a95f033a214ebc557b97e6869e4de56b3e5decc6d69074fd9e4ff0452fc4a2 EAP-Message = 0x10211da47763f075340e04bf32712bee9467dc21e6ff3b67140301000101160301002099d74861733826cd6aad89f228c70bf4f525679c4d30399bfcf0bcf6c59ec511 State = 0x2516ecdd200ef53ff725017e0433f9f6 Message-Authenticator = 0x49fd3a179bb372aab9ed098457dda985 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 24 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 200 to 128.186.252.11 port 32858 EAP-Message = 0x0119003119001403010001011603010020f4c3f8a68d0a868a15204aa51ac3f69ce9a3ff3cf98ca7ec345df74c9c510fb3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd230ff53ff725017e0433f9f6 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=201, length=174 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/1Mbps 802.11g" EAP-Message = 0x021900061900 State = 0x2516ecdd230ff53ff725017e0433f9f6 Message-Authenticator = 0x85f2af6e5ee959f4cfa4853858daa3bc server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 25 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 201 to 128.186.252.11 port 32858 EAP-Message = 0x011a0020190017030100153bfe5b4672f9906b8d9f501b8e0af76113ab2664db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd220cf53ff725017e0433f9f6 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=202, length=201 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g" EAP-Message = 0x021a002119001703010016add00124077c7f90e7b1c301ade6745cbde84f9a8055 State = 0x2516ecdd220cf53ff725017e0433f9f6 Message-Authenticator = 0x6ad93d080a0c4e906efc8cd44b95f901 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 26 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - sding [peap] Got inner identity 'sding' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x021a000a017364696e67 server ldap_ntpassword_1814 { PEAP: Setting User-Name to sding Sending tunneled request EAP-Message = 0x021a000a017364696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sding" server inner-tunnel { # Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "sding", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 26 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sding [ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*))) [ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to mds.fsu.edu:389, authentication 0 [ldap] starting TLS [ldap] bind as cn=radius-prox-proxyy,ou=proxy-users,dc=fsu,dc=edu/myldappassword to mds.fsu.edu:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*))) [ldap] looking for check items in directory... [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user sding authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011b001f1a011b001a10baa17901364e16a41979ac9f01e5ff587364696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa541e25fa55af8f7552608e9adf7407a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011b001f1a011b001a10baa17901364e16a41979ac9f01e5ff587364696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa541e25fa55af8f7552608e9adf7407a [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 202 to 128.186.252.11 port 32858 EAP-Message = 0x011b00361900170301002b08b2e211c843e5ce2b9da00b328fc3596a5981d5a681c8946e6d0309c09d973cca6989a04b2d668e90697d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2d0df53ff725017e0433f9f6 Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=203, length=255 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g" EAP-Message = 0x021b00571900170301004c97aa80c8bf5582084343c4a0bec2db428fd24b095d4d74e3ff47136def8f975cefe31f87108b3332772041ff7b9ca1bc5b7d7392447ae0e08ef9d18096fd4faeb5d3f7fc84330c28379a2d2d State = 0x2516ecdd2d0df53ff725017e0433f9f6 Message-Authenticator = 0x698f7f3cd67f4dc5a34b9576a4997c83 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 27 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021b00401a021b003b31948b918bc9d0b5fffe13788bf68bcca300000000000000007d31e18645e434394acf384df2a9525de9cb328a11d0abca007364696e67 server ldap_ntpassword_1814 { PEAP: Setting User-Name to sding Sending tunneled request EAP-Message = 0x021b00401a021b003b31948b918bc9d0b5fffe13788bf68bcca300000000000000007d31e18645e434394acf384df2a9525de9cb328a11d0abca007364696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sding" State = 0xa541e25fa55af8f7552608e9adf7407a server inner-tunnel { # Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "sding", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 27 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sding [ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*))) [ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*))) [ldap] looking for check items in directory... [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user sding authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: sding [mschap] Told to do MS-CHAPv2 for sding with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011c00331a031b002e533d46444232423030313131304437413334363846414130324646304144344635334139424431373546 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa541e25fa45df8f7552608e9adf7407a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011c00331a031b002e533d46444232423030313131304437413334363846414130324646304144344635334139424431373546 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa541e25fa45df8f7552608e9adf7407a [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 203 to 128.186.252.11 port 32858 EAP-Message = 0x011c004a1900170301003f961fdc7894fb72d8849f34a008f09cba27e1c376a916e0f902d223bd19fa71f006a0d19fa03b0b036d5703d1f87b284c484682012f01e3819c7ec8d5b3496d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2c0af53ff725017e0433f9f6 Finished request 9. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=204, length=197 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g" EAP-Message = 0x021c001d19001703010012121b6a01d5062bd9054cc2b8b5b6e48872ff State = 0x2516ecdd2c0af53ff725017e0433f9f6 Message-Authenticator = 0x9e2ccf188feea2fe205634d658c905ee server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 28 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021c00061a03 server ldap_ntpassword_1814 { PEAP: Setting User-Name to sding Sending tunneled request EAP-Message = 0x021c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sding" State = 0xa541e25fa45df8f7552608e9adf7407a server inner-tunnel { # Executing section authorize from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "sding", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 28 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sding [ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*))) [ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*))) [ldap] looking for check items in directory... [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user sding authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xaf4d3e14de752dd67eafa3fd0435fa66 MS-MPPE-Recv-Key = 0x963e38f3cb3e0b4d2666e67b6583c56d EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "sding" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xaf4d3e14de752dd67eafa3fd0435fa66 MS-MPPE-Recv-Key = 0x963e38f3cb3e0b4d2666e67b6583c56d EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "sding" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled } # server ldap_ntpassword_1814 Sending Access-Challenge of id 204 to 128.186.252.11 port 32858 EAP-Message = 0x011d00261900170301001bd7d04ac183c1619da026c60fe9164f872bc825a60167c33a7f37f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2516ecdd2f0bf53ff725017e0433f9f6 Finished request 10. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 128.186.252.11 port 32858, id=205, length=206 User-Name = "sding" NAS-IP-Address = 128.186.252.11 NAS-Port = 129 Called-Station-Id = "00-0F-7D-04-CC-92:fsusecurem" Calling-Station-Id = "00-12-F0-71-28-BF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps/2Mbps 802.11g" EAP-Message = 0x021d00261900170301001b07890dc451e45c0291b3616a524d5b632a2875608c5ac01117ea91 State = 0x2516ecdd2f0bf53ff725017e0433f9f6 Message-Authenticator = 0x0d3c0e26663bc23a5c405ac793eccb88 server ldap_ntpassword_1814 { # Executing section authorize from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authorize {...} [eap] EAP packet type response id 29 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /home/sding/opt/etc/raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. } # server ldap_ntpassword_1814 Sending Access-Accept of id 205 to 128.186.252.11 port 32858 MS-MPPE-Recv-Key = 0x22e1319dea63f4410fe3ad33363dcca198536b1464c72ec70b83a73a1e1b0fab MS-MPPE-Send-Key = 0x9656612e871bcba6fe5057864962efd2fd0653971462962d4583b94a0216d3b8 EAP-Message = 0x031d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "sding" Finished request 11. Going to the next request Waking up in 4.6 seconds. Cleaning up request 0 ID 194 with timestamp +12 Cleaning up request 1 ID 195 with timestamp +12 Cleaning up request 2 ID 196 with timestamp +12 Cleaning up request 3 ID 197 with timestamp +12 Cleaning up request 4 ID 198 with timestamp +12 Cleaning up request 5 ID 199 with timestamp +12 Cleaning up request 6 ID 200 with timestamp +12 Cleaning up request 7 ID 201 with timestamp +12 Waking up in 0.1 seconds. Cleaning up request 8 ID 202 with timestamp +12 Cleaning up request 9 ID 203 with timestamp +12 Cleaning up request 10 ID 204 with timestamp +13 Cleaning up request 11 ID 205 with timestamp +13 Ready to process requests. On Sat, Nov 6, 2010 at 6:39 AM, Alan DeKok <aland@deployingradius.com> wrote:
schilling wrote:
Now whenever I try to have a virtual server for another instance, then it will have the same error as before.
Then that virtual server is configured incorrectly.
Then I copied the site-enabled/default content and put them within the virtual server, it's working again.
The default configuration works.
I then try to reduce to the minimum necessary configuration,
Why? Just... why do people do this?
the following is for the virtual server to work
No. It won't work because LDAP is never used to find the "known good" password.
I have no idea what you're doing, but the server is definitely misconfigured.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
schilling wrote:
Here is my radiusd -X output of a assumed successful login with peap. Would you please see whether this is working? Yes, the default with one ldap line commented out in site-enabled/inner-tunnel works. But it will not work once I have a virtual server in the radiusd.conf.
I don't think it's quite that simple.
The debug is done with default radius.configuration with only the following addition: I could add all the uncommented lines in site-enabled/default to this virtual server instance, I just want to see what exactly is my previous issue, so I reduced to minimum "working" configure I thought. Well, may be not.
Exactly. It's not about "commenting or uncomment lines". It's about understanding how the server works. If you don't understand it, you will remain confused, and you will not be able to solve the issue. ...
Sending Access-Accept of id 205 to 128.186.252.11 port 32858 MS-MPPE-Recv-Key = 0x22e1319dea63f4410fe3ad33363dcca198536b1464c72ec70b83a73a1e1b0fab MS-MPPE-Send-Key = 0x9656612e871bcba6fe5057864962efd2fd0653971462962d4583b94a0216d3b8 EAP-Message = 0x031d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "sding"
So... it works. If the user doesn't get online, blame the AP. Alan DeKok.
participants (2)
-
Alan DeKok -
schilling