Logging ntlm authentication
Hi, I've got freeradius 2.1.7 setup on a CentOS system working as an AAA server for our WPA Enterprise based wireless network with clients successfully authenticating using PEAP and TTLS. Now to my question, I've configured linelog to log certain attributes but I also want it to log either the Exec-Program output of ntlm_auth or the peap reply value for the MS-CHAP-Error attribute but so far I've been unsuccessful in doing this. Is this possible? if so can anybody give me any pointers? Regards, Sion
Sion wrote:
I've got freeradius 2.1.7 setup on a CentOS system working as an AAA server for our WPA Enterprise based wireless network with clients successfully authenticating using PEAP and TTLS. Now to my question, I've configured linelog to log certain attributes but I also want it to log either the Exec-Program output of ntlm_auth or the peap reply value for the MS-CHAP-Error attribute but so far I've been unsuccessful in doing this. Is this possible? if so can anybody give me any pointers?
You can't log the ntlm_auth output. If it's important for you, write a shell script wrapper around the problem. For MS-CHAP-Error, it's just an attribute. You can log it, just like any other attribute. Alan DeKok.
On Fri, Sep 3, 2010 at 11:47 AM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
I've got freeradius 2.1.7 setup on a CentOS system working as an AAA server for our WPA Enterprise based wireless network with clients successfully authenticating using PEAP and TTLS. Now to my question, I've configured linelog to log certain attributes but I also want it to log either the Exec-Program output of ntlm_auth or the peap reply value for the MS-CHAP-Error attribute but so far I've been unsuccessful in doing this. Is this possible? if so can anybody give me any pointers?
You can't log the ntlm_auth output. If it's important for you, write a shell script wrapper around the problem.
For MS-CHAP-Error, it's just an attribute. You can log it, just like any other attribute.
That's what I thought, but it my linelog log it shows it being empty. I've tried putting 'linelog' in the post-auth sections of both the default and inner-tunnel virtual servers but no joy. Am I missing something obvious here? If it helps, my linelog config is as follows linelog { filename = ${logdir}/linelog format = "%S\t%{reply:Packet-Type}\t%{User-Name}\t%{Calling-Station-Id}\t%{Called-Station-Id}\t%{NAS-Identifier}\t%{Packet-Src-IP-Address}\t%{reply:Reply-Message}\t%{MS-CHAP-Error}\t%{reply:Tunnel-Type} %{reply:Tunnel-Private-Group-Id}" }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sion wrote:
That's what I thought, but it my linelog log it shows it being empty.
The MS-CHAP-Error is in the reply.
I've tried putting 'linelog' in the post-auth sections of both the default and inner-tunnel virtual servers but no joy. Am I missing something obvious here?
See the "Post-Auth-Type Reject" block, too. Alan DeKok.
On Fri, Sep 3, 2010 at 12:58 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
That's what I thought, but it my linelog log it shows it being empty.
The MS-CHAP-Error is in the reply.
I've tried putting 'linelog' in the post-auth sections of both the default and inner-tunnel virtual servers but no joy. Am I missing something obvious here?
See the "Post-Auth-Type Reject" block, too.
Still no luck I'm afraid. Here's the output of radiusd -X in case it helps: rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=9, length=181 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0205000e01616e6f6e796d6f7573 Message-Authenticator = 0xe0aee197f906702cbcedda8c6fce7ab1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 9 to 192.168.196.13 port 32768 EAP-Message = 0x010600061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b70102318926cb2671448dd5c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=10, length=312 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0206007f19800000007516030100700100006c03014c80fc7750fabd6450dcb77c4605cbaab73a3c1e43bf175cfcee437c8275d0e1000018002f00350005000ac013c014c009c00a00320038001300040100002b00000017001500001264617573657268656c706465736b74657374000a0006000400170018000b00020100 State = 0x70163a6b70102318926cb2671448dd5c Message-Authenticator = 0x1b3669861698384d471a2c44b8a9fda0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 127 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06e5], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 10 to 192.168.196.13 port 32768 EAP-Message = 0x0107040019c000000722160301002a0200002603014c80fc77269f43ae3e8f7344872f86f6066a22b315bdeaa4d71d1033ca071d7200002f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e311930 EAP-Message = 0x1706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d3037303932383030303030305a170d3130303932373233353935395a3081d231293027060355040a132063656e7472616c69617330312e696e7465726e616c2e757769632e61632e756b313b3039060355040b1332476f20746f2068747470733a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f696e6465782e68746d6c31223020060355040b13195468617774652053534c31323320636572746966696361746531193017060355040b1310446f6d EAP-Message = 0x61696e2056616c696461746564312930270603550403132063656e7472616c69617330312e696e7465726e616c2e757769632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100bea4ab1bcde08208fc9823ce022556c90f5c3bfdc79c0a9ae2ba2aa110017a67c67fbd2fbd1e6304853e51cc8f7b3ce4d5ad36b6a420d028b7902935c9d14eb0f880839faf3509f1b23be0c6820e60e8dd4e35b1f3f6b57df2655f379468e63958406874dd2a19700be6638c73cc20eccb85863be0dcd8af40386f900835c88b0203010001a3819f30819c300c0603551d130101ff0402300030390603551d1f04323030302ea02c EAP-Message = 0xa02a8628687474703a2f2f63726c2e7468617774652e636f6d2f54686177746553657276657243412e63726c301d0603551d250416301406082b0601050507030106082b06010505070302303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300d06092a864886f70d0101050500038181002f4b29c37eb54ba62bd16de5c09a6f3f258c10fd90177df8f37186799e2ba3832bed398f85c2623d5568257c3df4225e49c4327704d7ec1393ee5e03ce7e5a53ae45e6d58b6752212544ea79baef771d921f39169dba3c0a219fea40fef8422456026a51942acbcb90d677 EAP-Message = 0x323d4fe9cf449ea6dc0def99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b71112318926cb2671448dd5c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=11, length=191 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020700061900 State = 0x70163a6b71112318926cb2671448dd5c Message-Authenticator = 0x3f0536adc88567e3fa2e7d68e8e685a1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 11 to 192.168.196.13 port 32768 EAP-Message = 0x010803321900b2abee6bd1b7966fef000317308203133082027ca003020102020101300d06092a864886f70d01010405003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d39 EAP-Message = 0x36303830313030303030305a170d3230313233313233353935395a3081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d30819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100d3a4506ec8ff566be6cf5db6ea0c687547a2aac2da8425fca8f44751da85b5207494861e0f75c9e90861f5066d306e151902e952c062db4d999ee26a0c4438cdfebee3640970c5feb16b29b62f49c83bd427042510972fe7906dc0284299d74c43dec3f5216d549f5dc358e1c0e4d95bb0b8dcb47bdf363ac2b5662212d6870d0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810007fa4c695cfb95cc46ee85834d21308ecad9a86f491ae6da51e360706c846111a11ac8483e59437d4f953da18bb70b62987a758add884e4e9e40dba8cc3274b96f0dc6e3b3440bd98a6f9a299b99 EAP-Message = 0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b721e2318926cb2671448dd5c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=12, length=393 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020800d01980000000c616030100861000008200807f5ca792ca8945089c0a2b67189c4d8de67a35f4e0082ca10d5e39027cd248d3678879a0f9cc4b777993417be8ea1687e656c4e4dea6be0f8f523ef29df4c7f682ad83ddc3bb05f04463a2274720e393a61c5038a66c1b62848a0ae51515d86d21b5b29558ce7bf129764cfcfe38e4e82a6b8c6a67034add9b51844257af2e481403010001011603010030cc3bfd1b203852f6ef64ac8b1cf56dade3f27dd1b4e578c2287f9dec49fff5bf265106af0619f4fc139b7ceab9c7fce9 State = 0x70163a6b721e2318926cb2671448dd5c Message-Authenticator = 0xd3605cae4d3cdfcdb79fb31c4f77efaf +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 12 to 192.168.196.13 port 32768 EAP-Message = 0x01090041190014030100010116030100306d3b466552376c524f9d57acb4ef59fa8a5a82a64f242ad92194e8f1193b8f3fc3d1cbc55ad95dc6a4505a0e370e8389 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b731f2318926cb2671448dd5c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=13, length=191 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020900061900 State = 0x70163a6b731f2318926cb2671448dd5c Message-Authenticator = 0x1f53ab50f68ee7219c995d840f27876e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 13 to 192.168.196.13 port 32768 EAP-Message = 0x010a002b19001703010020d6d3ddbda2e15f5002501e18123dbf29e2f931ccce9e84466e3fcf5c38c4982b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b741c2318926cb2671448dd5c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=14, length=244 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020a003b190017030100303767555210c29944d549c0315be418183880d41e3b10753f2347ac68077538c53f95356c3d6e1ccfbbe46691ef85acdd State = 0x70163a6b741c2318926cb2671448dd5c Message-Authenticator = 0x38b94b464c83b45da9b75001bb686fb7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - daUserHelpdeskTest [peap] Got tunneled request EAP-Message = 0x020a00170164615573657248656c706465736b54657374 server { PEAP: Got tunneled identity of daUserHelpdeskTest PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to daUserHelpdeskTest Sending tunneled request EAP-Message = 0x020a00170164615573657248656c706465736b54657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "daUserHelpdeskTest" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e88ea081e83f0086516d1bfc3ff692c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e88ea081e83f0086516d1bfc3ff692c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 14 to 192.168.196.13 port 32768 EAP-Message = 0x010b004b190017030100409cbd93fb082834e5312d9e4e7e07b2fadc35f17d03ba94d6b4488d36a02ced807b1c816ed7ecd17c09f0e46b6db0a303330d4cba7a3ebdf7a4488bf7ec9fe660 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b751d2318926cb2671448dd5c Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=15, length=292 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020b006b19001703010060564c96a98610ddca81ab047cf49040cc25bbec1f15e7836a3ff4254b1b43391111bacebf925796803af1497774f5a869381948a58b170923920058e7776cc3a6e4c83132066f73a23e8b0f4106f7b9136f48fc8f7a1b5222bbe64ebc64dae94d State = 0x70163a6b751d2318926cb2671448dd5c Message-Authenticator = 0x8a5a9caddddcc8d8fef955471ac2c224 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374 server { PEAP: Setting User-Name to daUserHelpdeskTest Sending tunneled request EAP-Message = 0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "daUserHelpdeskTest" State = 0x1e88ea081e83f0086516d1bfc3ff692c Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 11 length 77 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for daUserHelpdeskTest with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: %{User-Name:-None} -> daUserHelpdeskTest [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=daUserHelpdeskTest [mschap] mschap2: ac [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=99630d7d1b70ccb6 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=119ada0d77457f3cf74b7aac600d9ac29c970352419456d9 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\013E=691 R=1" EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\013E=691 R=1" EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 15 to 192.168.196.13 port 32768 EAP-Message = 0x010c002b19001703010020e2ecfa9fe8a4bab6e0d189ee4afc63838d3039becf8c75642a188987d9f7efd4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b761a2318926cb2671448dd5c Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=16, length=228 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020c002b19001703010020afeb09438ae8736bd4545752ecc17e1b5de36e4b8ca31c95fa6617432d9080d4 State = 0x70163a6b761a2318926cb2671448dd5c Message-Authenticator = 0x80361a22f6d1ad6492ba21f97229c16c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated [testlinelog] expand: /var/log/radius/testlinelog -> /var/log/radius/testlinelog [testlinelog] expand: %S %{reply:Packet-Type} %{User-Name} %{Calling-Station-Id} %{Called-Station-Id} %{NAS-Identifier} %{Packet-Src-IP-Address} %{reply:Reply-Message} %{reply:MS-CHAP-Error} %{reply:Tunnel-Type} %{reply:Tunnel-Private-Group-Id} -> 2010-09-03 14:47:35 Access-Reject anonymous 00-1B-77-94-57-72 00-0B-85-6D-BA-C0:eduroam llwacA105 192.168.196.13 ++[testlinelog] returns ok Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 16 to 192.168.196.13 port 32768 EAP-Message = 0x040c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 0 ID 9 with timestamp +14 Cleaning up request 1 ID 10 with timestamp +14 Cleaning up request 2 ID 11 with timestamp +14 Cleaning up request 3 ID 12 with timestamp +14 Cleaning up request 4 ID 13 with timestamp +14 Cleaning up request 5 ID 14 with timestamp +14 Cleaning up request 6 ID 15 with timestamp +14 Waking up in 1.0 seconds. Cleaning up request 7 ID 16 with timestamp +14 Ready to process requests.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Sep 3, 2010 at 3:32 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:
Reading it helps.
The MS-CHAP-Error is in the "inner-tunnel" virtual server. You are trying to log it in the "default" virtual server.
That was one of the first things I did after reading the debug output originally - I've got 'linelog' in the post-auth section of the "inner-tunnel" in addition to the "default" virtual server. If I take linelog completely out of the default virtual server so that it's only defined in the post-auth of the inner-tunnel no log is generated at all.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sion wrote:
That was one of the first things I did after reading the debug output originally - I've got 'linelog' in the post-auth section of the "inner-tunnel" in addition to the "default" virtual server.
The post-auth section of "inner-tunnel" isn't used, unfortunately.
If I take linelog completely out of the default virtual server so that it's only defined in the post-auth of the inner-tunnel no log is generated at all.
$ man unlang You can use the inner-tunnel config to update the outer attributes, and then log them in the outer virtual server. Alan DeKok.
On Fri, Sep 3, 2010 at 4:25 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
That was one of the first things I did after reading the debug output originally - I've got 'linelog' in the post-auth section of the "inner-tunnel" in addition to the "default" virtual server.
The post-auth section of "inner-tunnel" isn't used, unfortunately.
Ahh ok, that explains it.
If I take linelog completely out of the default virtual server so that it's only defined in the post-auth of the inner-tunnel no log is generated at all.
$ man unlang
You can use the inner-tunnel config to update the outer attributes, and then log them in the outer virtual server.
This had actually crossed my mind but I had tried testing this in the post-auth section as well. What section should I do this in? Would something like this work? update outer { MS-CHAP-Error = "%{reply:MS-CHAP-Error}" }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sion wrote:
This had actually crossed my mind but I had tried testing this in the post-auth section as well.
What section should I do this in? Would something like this work?
update outer { MS-CHAP-Error = "%{reply:MS-CHAP-Error}" }
You need to refer to a *list*: outer.reply, or outer.control. See "man unlang", which has examples. Alan DeKok.
On Fri, Sep 3, 2010 at 10:30 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
This had actually crossed my mind but I had tried testing this in the post-auth section as well.
What section should I do this in? Would something like this work?
update outer { MS-CHAP-Error = "%{reply:MS-CHAP-Error}" }
You need to refer to a *list*: outer.reply, or outer.control. See "man unlang", which has examples.
Thanks for the pointers, in the inner-tunnel virtual server I've changed the 'eap' line in the authenticate section to the following: Auth-Type EAP { eap update outer.control { MS-CHAP-Error = "%{reply:MS-CHAP-Error}" } } I've also tried outer.reply, but I'm still not seeing it show up in my logs.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs.
<sigh> And the debug log says... ?
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=113, length=175 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0203000b01636330303836 Message-Authenticator = 0xfad76efcaaae1711153d00e8b66be682 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 113 to 192.168.196.13 port 32768 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8ccd9404e11d6b7c064faf8b1f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=114, length=297 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0204007319800000006916030100640100006003014c84aaed46f925dbf010684571f2a65f8665099d1535eb4dafd7b34ccf5c382c000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b0009000006636330303836000a0006000400170018000b00020100 State = 0xcd901d8ccd9404e11d6b7c064faf8b1f Message-Authenticator = 0x723f90602e22add50d84204eb9c29fbb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 115 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 105 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0064], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06e5], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 114 to 192.168.196.13 port 32768 EAP-Message = 0x0105040019c000000722160301002a0200002603014c84aaeabbefb79f979e0bc448a7508f277b89b07cd68280544ad5af8234c25d00002f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e311930 EAP-Message = 0x1706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d3037303932383030303030305a170d3130303932373233353935395a3081d231293027060355040a132063656e7472616c69617330312e696e7465726e616c2e757769632e61632e756b313b3039060355040b1332476f20746f2068747470733a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f696e6465782e68746d6c31223020060355040b13195468617774652053534c31323320636572746966696361746531193017060355040b1310446f6d EAP-Message = 0x61696e2056616c696461746564312930270603550403132063656e7472616c69617330312e696e7465726e616c2e757769632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100bea4ab1bcde08208fc9823ce022556c90f5c3bfdc79c0a9ae2ba2aa110017a67c67fbd2fbd1e6304853e51cc8f7b3ce4d5ad36b6a420d028b7902935c9d14eb0f880839faf3509f1b23be0c6820e60e8dd4e35b1f3f6b57df2655f379468e63958406874dd2a19700be6638c73cc20eccb85863be0dcd8af40386f900835c88b0203010001a3819f30819c300c0603551d130101ff0402300030390603551d1f04323030302ea02c EAP-Message = 0xa02a8628687474703a2f2f63726c2e7468617774652e636f6d2f54686177746553657276657243412e63726c301d0603551d250416301406082b0601050507030106082b06010505070302303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300d06092a864886f70d0101050500038181002f4b29c37eb54ba62bd16de5c09a6f3f258c10fd90177df8f37186799e2ba3832bed398f85c2623d5568257c3df4225e49c4327704d7ec1393ee5e03ce7e5a53ae45e6d58b6752212544ea79baef771d921f39169dba3c0a219fea40fef8422456026a51942acbcb90d677 EAP-Message = 0x323d4fe9cf449ea6dc0def99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8ccc9504e11d6b7c064faf8b1f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=115, length=188 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020500061900 State = 0xcd901d8ccc9504e11d6b7c064faf8b1f Message-Authenticator = 0x5f2a4775f7523e28fdc4a11f71f87c46 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 115 to 192.168.196.13 port 32768 EAP-Message = 0x010603321900b2abee6bd1b7966fef000317308203133082027ca003020102020101300d06092a864886f70d01010405003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d39 EAP-Message = 0x36303830313030303030305a170d3230313233313233353935395a3081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d30819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100d3a4506ec8ff566be6cf5db6ea0c687547a2aac2da8425fca8f44751da85b5207494861e0f75c9e90861f5066d306e151902e952c062db4d999ee26a0c4438cdfebee3640970c5feb16b29b62f49c83bd427042510972fe7906dc0284299d74c43dec3f5216d549f5dc358e1c0e4d95bb0b8dcb47bdf363ac2b5662212d6870d0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810007fa4c695cfb95cc46ee85834d21308ecad9a86f491ae6da51e360706c846111a11ac8483e59437d4f953da18bb70b62987a758add884e4e9e40dba8cc3274b96f0dc6e3b3440bd98a6f9a299b99 EAP-Message = 0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8ccf9604e11d6b7c064faf8b1f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=116, length=390 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020600d01980000000c6160301008610000082008093cef56e526dc8b390fac8cbe14d42b058bdf1f449a9c84ef8963a17f673c87c266231e2452377abf4b62f47ab87f21c08ff5b37c978df65dc2d650b92b646fa2df83fc87d60a05d0fb12cd632408c95849f19eeea78037685018463ed491c1f61a26590b03639a4edf5be80083b938ad3141c54f34e93ffda247cc27d68e16f14030100010116030100309a8e34a5520a23ef7fffa50009c9fa90a1c38b3e7515b2650b2f2b2a77570063ace6d5bc2d931992283c5f0bf3ff33d0 State = 0xcd901d8ccf9604e11d6b7c064faf8b1f Message-Authenticator = 0xac104a34afffac97df350e54c4175593 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 116 to 192.168.196.13 port 32768 EAP-Message = 0x010700411900140301000101160301003044a5568519b90fc4f025402fba4d748c554186ad5fe16e5222b5a6697cc48c24961ce6376c7b771c9b6a337e0d47700a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8cce9704e11d6b7c064faf8b1f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=117, length=188 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020700061900 State = 0xcd901d8cce9704e11d6b7c064faf8b1f Message-Authenticator = 0xf2deda649560b5cdfc1b28b03cb37304 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 117 to 192.168.196.13 port 32768 EAP-Message = 0x0108002b19001703010020aa320f1d031012a0ec51ec99585bc62c72a3bb786e053e80aed6daa644ec2cae Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8cc99804e11d6b7c064faf8b1f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=118, length=225 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0208002b19001703010020c2e8be5361c10411cadf5f701b6de7446814f8b7903ac77bbda1c316b4c1109c State = 0xcd901d8cc99804e11d6b7c064faf8b1f Message-Authenticator = 0xcf4cacaadd8e256aa927a8a06156d459 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - cc0086 [peap] Got tunneled request EAP-Message = 0x0208000b01636330303836 server { PEAP: Got tunneled identity of cc0086 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cc0086 Sending tunneled request EAP-Message = 0x0208000b01636330303836 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group EAP {...} expand: %{reply:MS-CHAP-Error} -> ++[outer.control] returns reject [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x30652915306c3399cd1bddd466afcc03 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x30652915306c3399cd1bddd466afcc03 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 118 to 192.168.196.13 port 32768 EAP-Message = 0x0109004b190017030100401213bdb66fec8786c2ab048f0d729335d1a60bb7acea3150fa728d019f3fcd9a3f1464c301eb2437265a3daed8380523c6befa216915bc6b7843be09551a6038 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8cc89904e11d6b7c064faf8b1f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=119, length=289 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0209006b190017030100606a82d39c737d6a30e594e2c787d1073c23a24c3d5f1db005caaf72f2416199902efc72ca3c0ef4443030910f7523fd335b79600d5cfdf952a7da1b1ab9e06dcead14e078053d7337c8ebe9b7caa440c1052a78c903d0ff4cfe5e3595274d8060 State = 0xcd901d8cc89904e11d6b7c064faf8b1f Message-Authenticator = 0xdf7b0162c26571a79f0b2a6670c7c289 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836 server { PEAP: Setting User-Name to cc0086 Sending tunneled request EAP-Message = 0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cc0086" State = 0x30652915306c3399cd1bddd466afcc03 Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group EAP {...} expand: %{reply:MS-CHAP-Error} -> ++[outer.control] returns reject [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for cc0086 with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: %{User-Name:-None} -> cc0086 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=cc0086 [mschap] mschap2: bb [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3b6854cde18f868d [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b2be976261221bc6be689240cbfd3adba42fd0aa01d3e838 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.196.13 port 32768 EAP-Message = 0x010a002b190017030100200887b3d6f1a7645507824e43d00bcec006de93ac841e5e28c531d69324a9e9b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=120, length=225 User-Name = "cc0086" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020a002b190017030100208fbe14e5d82d8325e5e12f19bfd63620fb14f4082357311d9bedba574eb14dca State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f Message-Authenticator = 0xe0d14b40638deb9cb37b71ea21685c5e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cc0086", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> cc0086 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated [testlinelog] expand: /var/log/radius/testlinelog -> /var/log/radius/testlinelog [testlinelog] expand: %S %{reply:Packet-Type} %{User-Name} %{Calling-Station-Id} %{Called-Station-Id} %{NAS-Identifier} %{Packet-Src-IP-Address} %{reply:Reply-Message} %{reply:MS-CHAP-Error} %{MS-CHAP-Error}%{reply:Tunnel-Type} %{reply:Tunnel-Private-Group-Id} -> 2010-09-06 09:48:42 Access-Reject cc0086 00-1B-77-94-57-72 00-0B-85-6D-BA-C0:eduroam llwacA105 192.168.196.13 ++[testlinelog] returns ok Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 120 to 192.168.196.13 port 32768 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Sep 7, 2010 at 8:45 AM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs. <sigh> And the debug log says... ?
Just set "use_tunneled_reply = yes"
That had already been set, this is my peap config: peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--On Tuesday, September 07, 2010 14:11:42 +0100 Sion <mleasd@gmail.com> wrote:
On Tue, Sep 7, 2010 at 8:45 AM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs. <sigh> And the debug log says... ?
Just set "use_tunneled_reply = yes"
That had already been set, this is my peap config:
peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" }
Hi, Something like the below should copy the messge to the outer tunnel, but it seems the next packet sent is a Challenge, not reject/accept. Therefore the message does not persist until reject/accept time. authenticate { Auth-Type MS-CHAP { eduroamlocalmschap { reject = 1 } if (reject) { update outer.reply { MS-CHAP-Error := "%{reply:MS-CHAP-Error}" } reject = return } } ... } -James -- James J J Hooper University of Bristol http://www.wireless.bristol.ac.uk --
but it seems the next packet sent is a Challenge, not reject/accept. Therefore the message does not persist until reject/accept time.
Hmm.. It seems I've heard that before: http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00326.html
Garber, Neal wrote:
but it seems the next packet sent is a Challenge, not reject/accept. Therefore the message does not persist until reject/accept time.
Hmm.. It seems I've heard that before:
http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00326.html
Fixed in 2.1.9. Alan DeKok.
Fixed in 2.1.9.
Great (I guess missed that in the change log). Was the change to eliminate the extra round trip? If so, would you accept a patch to set Module-Failure-Message upon failure of ntlm_auth in rlm_mschap (as was originally implemented in the fix for bug 398 in v1.1.4)? Thanks Alan.
Garber, Neal wrote:
Fixed in 2.1.9.
Great (I guess missed that in the change log). Was the change to eliminate the extra round trip?
IIRC, it was to remember replies better. When the inner tunnel returns accept and the outer sends a challenge... remember the accept for later.
If so, would you accept a patch to set Module-Failure-Message upon failure of ntlm_auth in rlm_mschap (as was originally implemented in the fix for bug 398 in v1.1.4)?
I'll take a look... I'd like to get some feedback on the pre-release of 2.1.10, especially the changes to the proxy code. Alan DeKok.
On Tue, 2010-09-07 at 21:19 +0200, Alan DeKok wrote:
I'd like to get some feedback on the pre-release of 2.1.10, especially the changes to the proxy code.
We have been running 3 servers with 2.1.10 (taken from git a while ago) for some time with no problems. They act as a proxy, receiving requests from wireless lan controllers and (mostly) proxying them on to MS IAS. Is there any particular change that you wanted feedback on? John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
for some time with no problems. They act as a proxy, receiving requests from wireless lan controllers and (mostly) proxying them on to MS IAS. Is there any particular change that you wanted feedback on?
What happens when a home server is marked zombie / dead. Previously, if *one* request didn't get a response, the home server was marked "zombie". If the proxy then received a response, the home server was marked "alive". i.e. if a proxy was sending packets for realm A && B to a home server, and the home server was responding only for realm A and not B... then the home server could be marked zombie / alive / zombie / alive in quick sequence. It now keeps track of recent replies. If the home server is responding for realm A, then it will always be marked "alive", even if it's not responding for realm B. The home server is marked as "zombie" only when it receives *no* replies for a period of time. I hope that explanation makes sense... Alan DeKok.
On Tue, 2010-09-07 at 22:26 +0200, Alan DeKok wrote:
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
Ah. Our versions date back to June. I'll see about upgrading them to a later 2.1.10 version. (Hopefully that will be tomorrow.) John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
On Tue, 2010-09-07 at 22:26 +0200, Alan DeKok wrote:
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
for some time with no problems. They act as a proxy, receiving requests from wireless lan controllers and (mostly) proxying them on to MS IAS. Is there any particular change that you wanted feedback on?
What happens when a home server is marked zombie / dead. Previously, if *one* request didn't get a response, the home server was marked "zombie". If the proxy then received a response, the home server was marked "alive".
i.e. if a proxy was sending packets for realm A && B to a home server, and the home server was responding only for realm A and not B... then the home server could be marked zombie / alive / zombie / alive in quick sequence.
It now keeps track of recent replies. If the home server is responding for realm A, then it will always be marked "alive", even if it's not responding for realm B.
The home server is marked as "zombie" only when it receives *no* replies for a period of time.
I hope that explanation makes sense...
We don't have that exact scenario, but, for whatever reason, we were seeing the home servers being marked dead/zombie extremely frequently - usually every few minutes. With the later git version (dated 1 September in the changelog file) we are seeing much fewer changes of the home servers being marked dead/zombie. From your description above I suspect this is what you were aiming for. A simple count of messages in our (daily) log files shows: grep -c dead radius.log.1 (yesterday, 24 hours) 416 grep -c Proxy: radius.log.1 1859 grep -c dead radius.log (today, 12 hours) 34 grep -c Proxy: radius.log 154 Unless we have had a sudden change in our home servers, and/or network, (we haven't) the numbers do indicate that the freeradius code is now less 'aggressive' in marking a home server dead/zombie. (Our numbers are still probably high compared to other sites; we are still investigating the cause of the problem.) John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
John Horne wrote:
We don't have that exact scenario, but, for whatever reason, we were seeing the home servers being marked dead/zombie extremely frequently - usually every few minutes.
Network packet loss, etc. ...
With the later git version (dated 1 September in the changelog file) we are seeing much fewer changes of the home servers being marked dead/zombie. From your description above I suspect this is what you were aiming for.
A simple count of messages in our (daily) log files shows:
Nice.
Unless we have had a sudden change in our home servers, and/or network, (we haven't) the numbers do indicate that the freeradius code is now less 'aggressive' in marking a home server dead/zombie.
That's good to hear, thanks. Alan DeKok.
I'll take a look...
Thanks.
I'd like to get some feedback on the pre-release of 2.1.10, especially the changes to the proxy code.
I'll download the latest 2.1.10 tomorrow; unfortunately, I won't have a chance to test it until next week. Also, we don't use proxying, at the moment, but I will report any issues I find with other areas.
IIRC, it was to remember replies better. When the inner tunnel returns accept and the outer sends a challenge... remember the accept for later.
I just cloned and built the latest 2.1.10 to do some testing. I did a PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test. What I found seems to indicate the problem I was referring to still exists in 2.1.10 (probably because I wasn't clear enough in describing the issue). It seems that after ntlm_auth fails, it sends the EAP failure via an Access-Challenge. Then, after it receives the response in the next Access-Request, it sends Access-Reject. This is how it behaved prior to 2.1.9 also (this is what I meant by "extra round trip" in a previous post). The problem is that any information stored in an attribute, after the ntlm_auth failure, will not survive the subsequent Access-Challenge, Access-Request. I can post the debug output if you'd like to see it. When I originally discovered this, I suggested storing the ntlm_auth output in the eap handler so it could be saved in Module-Failure-Message when the response to the EAP failure is received. Is there a better approach? If you tell me your preference, I'd be willing to create a patch.. Thanks for your time Alan.
Garber, Neal wrote:
I just cloned and built the latest 2.1.10 to do some testing. I did a PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test. What I found seems to indicate the problem I was referring to still exists in 2.1.10 (probably because I wasn't clear enough in describing the issue).
OK.
It seems that after ntlm_auth fails, it sends the EAP failure via an Access-Challenge. Then, after it receives the response in the next Access-Request, it sends Access-Reject. This is how it behaved prior to 2.1.9 also (this is what I meant by "extra round trip" in a previous post). The problem is that any information stored in an attribute, after the ntlm_auth failure, will not survive the subsequent Access-Challenge, Access-Request. I can post the debug output if you'd like to see it.
Hmm... OK. The issue appears to be that the tunneled reply is saved for Access-Accept, but not Access-Reject.
When I originally discovered this, I suggested storing the ntlm_auth output in the eap handler so it could be saved in Module-Failure-Message when the response to the EAP failure is received. Is there a better approach? If you tell me your preference, I'd be willing to create a patch..
See "accept_vps" in rlm_eap_peap/*. Something similar needs to be done for reject, and for TTLS. Alan DeKok.
Hmm... OK. The issue appears to be that the tunneled reply is saved for Access-Accept, but not Access-Reject. See "accept_vps" in rlm_eap_peap/*. Something similar needs to be done for reject, and for TTLS.
You are a gentleman and a scholar! I have made the changes as you suggested for PEAP and tested PEAP-MSCHAPv2. It works! I am now able to log the output from ntlm_auth and MS-CHAP-Error. I'm also excited about the improved TLS logging in 2.1.10. I will add the code for TTLS now. Unfortunately, I don't have a way to test that as I don't believe eapol_test supports TTLS and we don't use it. I suppose someone else can test it once I upload the patch (which I will do after I make the TTLS changes). Thanks again Alan.
Garber, Neal wrote:
You are a gentleman and a scholar! I have made the changes as you suggested for PEAP and tested PEAP-MSCHAPv2. It works! I am now able to log the output from ntlm_auth and MS-CHAP-Error. I'm also excited about the improved TLS logging in 2.1.10.
:)
I will add the code for TTLS now. Unfortunately, I don't have a way to test that as I don't believe eapol_test supports TTLS and we don't use it. I suppose someone else can test it once I upload the patch (which I will do after I make the TTLS changes).
Uh... eapol-test supports TTLS. See the FreeRADIUS source: src/tests/eap-ttls-*.conf Alan DeKok.
Hi, Could you please summarize what you did to log the output from ntlm_auth and MS_CHAP-Error? Even with configuration snippet will be greatly appreciated! Thanks, Schilling On Wed, Sep 8, 2010 at 5:02 PM, Garber, Neal <Neal.Garber@iberdrolausa.com> wrote:
Hmm... OK. The issue appears to be that the tunneled reply is saved for Access-Accept, but not Access-Reject. See "accept_vps" in rlm_eap_peap/*. Something similar needs to be done for reject, and for TTLS.
You are a gentleman and a scholar! I have made the changes as you suggested for PEAP and tested PEAP-MSCHAPv2. It works! I am now able to log the output from ntlm_auth and MS-CHAP-Error. I'm also excited about the improved TLS logging in 2.1.10.
I will add the code for TTLS now. Unfortunately, I don't have a way to test that as I don't believe eapol_test supports TTLS and we don't use it. I suppose someone else can test it once I upload the patch (which I will do after I make the TTLS changes).
Thanks again Alan.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Could you please summarize what you did to log the output from ntlm_auth and MS_CHAP-Error?
Sure. I should mention that other options are available now that didn't exist when I created the solution below... I have a PERL script that runs during authorize that obtains user/group or machine/container permissions for the NAS in question from XML files to determine whether the entity is authorized and it creates a Log-Data reply attribute containing all non-sensitive request attributes. This is then written to syslog during post-auth by another PERL script. Our help desk and others use a .Net application that I wrote to display/filter the data from the current or past log files in a grid control. The log contains specifics of the request, authorization and authentication results/messages and reply attributes. Does that answer your question?
Thanks. Could you please share the perl scripts and the corresponding configuration in radiusd.conf like authorize and post-auth section related to these logs? Schilling On Wed, Nov 10, 2010 at 10:04 PM, Garber, Neal <Neal.Garber@iberdrolausa.com> wrote:
Could you please summarize what you did to log the output from ntlm_auth and MS_CHAP-Error?
Sure. I should mention that other options are available now that didn't exist when I created the solution below...
I have a PERL script that runs during authorize that obtains user/group or machine/container permissions for the NAS in question from XML files to determine whether the entity is authorized and it creates a Log-Data reply attribute containing all non-sensitive request attributes. This is then written to syslog during post-auth by another PERL script.
Our help desk and others use a .Net application that I wrote to display/filter the data from the current or past log files in a grid control. The log contains specifics of the request, authorization and authentication results/messages and reply attributes.
Does that answer your question?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Could you please share the perl scripts and the corresponding configuration in radiusd.conf like authorize and post-auth section related to these logs?
Unfortunately, I would need to get a release from my company as the code belongs to them. I cannot post it at this time. You may want to look at the linelog module (depending upon what version of FR you are running). If you're not familiar with perl, that might be easier for you to implement.
participants (6)
-
Alan DeKok -
Garber, Neal -
James J J Hooper -
John Horne -
schilling -
Sion