PEAP with Windows supplicant, Automatically use my windows credentials
Hello, I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails. May I have some insight into any issue(s) on how to resolve this? Here is the debug log for the failed request: Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 0 length 23 Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP Identity Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type md5 Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=120, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x01010016041090013f5c9305706c9dc6340df1142df1 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d0ce03f56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 0. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 1 length 6 Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP NAK Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP-NAK asked for EAP-Type/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type tls Wed Dec 17 09:07:24 2008 : Debug: [tls] Initiate Wed Dec 17 09:07:24 2008 : Debug: [tls] Start returned 1 Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=121, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010200061920 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d1cd1ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 1. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 2 length 80 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] Length Included Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 11 Wed Dec 17 09:07:24 2008 : Debug: [peap] (other): before/accept initialization Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: before/accept initialization Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read client hello A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write server hello A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write certificate A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write server done A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 flush data Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=122, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0103040019c00000072c160301002a020000260301494923bcedc987028a2352b84271936aea53e99fb623ca257536e883442ea95c0000040016030106ef0b0006eb0006e80002cb308202c7308202300205122935480a300d06092a864886f70d01010505003081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d301e170d3038313231353135323635305a170d3333313230393135323635305a30819a310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572310d300b060355040a130433436f6d31153013060355040b130c54697070696e67506f696e7431193017060355040313106a6967356e70732e747077352e636f6d3127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d30819f300d06092a864886f70d010101050003818d00308189028181 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x00dd03f09559ddc6ea8bc0a9206d40657f7d12b2f29f283bd0d84eb2904e2720592bb18ec971bfc20f93916df7dcfd35848be2946eb2683ae6fd3ff715e95f33594ec1888038961f2561389160afa4c1ef47e3f88e935340b19ec897d4b599f927b9d878e386267b573dba0ed413a1431d63ee4e7fe9dd70f055b8d2521a9e3ad90203010001300d06092a864886f70d010105050003818100509c6044c7e7d3b2d9a7fb62c035a65361dcb0ba148aaadfd1272a65f267f913b210faf39afa24658788cb651bce6f704a528e4e63d2613de5c967dc2d904f70852412e2371a556fa69194d4f16bddf641c1397c0947ebd36b851b8d57add0f78335d369 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x67c9080e362b607959f63dcd7f5fd80b46f31faa05b59853d8541166000417308204133082037ca003020102020900f90e79cfb7d27aab300d06092a864886f70d01010505003081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e74 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x2e636f6d301e170d30383132 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d2cc1ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 2. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 3 length 6 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] Received TLS ACK Wed Dec 17 09:07:24 2008 : Debug: [peap] ACK handshake fragment handler Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 1 Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=123, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0104033c190031353135323634395a170d3333313230393135323634395a3081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d696e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100f2d90d0838cf63 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x4d183710d46cfc788f079ffc59ce0a3009acca61148dcc9051e40bd73a175cfcb9f8de7eabe56d45aa18e32a7d37d7659d98362853f2c210fb4c440f0275d2ce8aac8ca7b0ab55079af4b0ac72a32bc2e12a15624417ac8b9aa7a8cfbd50c501d039eb85e9f34eae97a89da8bebbcaccabaeb4b82c175ba58b0203010001a38201213082011d301d0603551d0e041604143e3c0f897946ed4d56f53c5eafa4c3313648c8de3081ed0603551d230481e53081e280143e3c0f897946ed4d56f53c5eafa4c3313648c8dea181bea481bb3081b8310b3009060355040613025553310b300906035504081302434f311430120603550407130b576573746d69 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x6e73746572312b3029060355040a132254697070696e67506f696e7420496e632c204469766973696f6e206f662033436f6d31173015060355040b130e53656c66205369676e6564204341311730150603550403130e546f70206c6576656c20436572743127302506092a864886f70d01090116187461636d61696c4074697070696e67706f696e742e636f6d820900f90e79cfb7d27aab300c0603551d13040530030101ff300d06092a864886f70d0101050500038181002b6008a9eb5028afb1f6aff39e7488b9dcb5200691065670c2d984d3f8a1111603dc17fabd80051fc81837d4617951d9a684c4f5b5e6d065c89b58348c144582c5166e1b Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x4488dbe4da43d384404835ce3e3b7d985c02c1a476ac1f65fc0874553af77c4f62ad840a40ccc26bb55fc2859a0347241a56ed096ebc6c081de2d60216030100040e000000 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d3cb1ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 3. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 4 length 192 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] Length Included Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 11 Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read client key exchange A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 read finished A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write change cipher spec A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 write finished A Wed Dec 17 09:07:24 2008 : Debug: [peap] TLS_accept: SSLv3 flush data Wed Dec 17 09:07:24 2008 : Debug: [peap] (other): SSL negotiation finished successfully Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 13 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_HANDLED Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Hello, I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails. May I have some insight into any issue(s) on how to resolve this? Here is the debug log for the failed request: Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=124, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x0105003119001403010001011603010020b483b6c6e83bf8a59f0ee6e6ad24591bc46e1e77319dacdc1a29479e8c664888 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d4ca1ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 4. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 5 length 6 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] Received TLS ACK Wed Dec 17 09:07:24 2008 : Debug: [peap] ACK handshake is finished Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 3 Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 3 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_SUCCESS Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=125, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x01060020190017030100159a18b32d1ce86335fa6dae97724c1bd44689df8454 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d5c91ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 5. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 6 length 46 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes. Wed Dec 17 09:07:24 2008 : Debug: [peap] Identity - TPW5\administrator Wed Dec 17 09:07:24 2008 : Debug: +- entering group authorize {...} Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 6 length 23 Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP Identity Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type mschapv2 Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: [peap] Got tunneled Access-Challenge Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=126, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010700431900170301003811ae41236e0a12fe5eeebc960c1f43fa29230d104856932a1007ce0b69a15a2a6ab8c8ffc8cc7f299de595c6450ce1c411633de75c334f1a Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d6c81ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 6. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 7 length 100 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes. Wed Dec 17 09:07:24 2008 : Debug: [peap] EAP type mschapv2 Wed Dec 17 09:07:24 2008 : Debug: +- entering group authorize {...} Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 7 length 77 Wed Dec 17 09:07:24 2008 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns updated Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/mschapv2 Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type mschapv2 Wed Dec 17 09:07:24 2008 : Debug: [mschapv2] +- entering group MS-CHAP {...} Wed Dec 17 09:07:24 2008 : Debug: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Wed Dec 17 09:07:24 2008 : Debug: [mschap] No Cleartext-Password configured. Cannot create NT-Password. Wed Dec 17 09:07:24 2008 : Debug: [mschap] Told to do MS-CHAPv2 for administrator with NT-Password Wed Dec 17 09:07:24 2008 : Debug: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator Wed Dec 17 09:07:24 2008 : Debug: [mschap] mschap2: e0 Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=469478f224b67ca3 Wed Dec 17 09:07:24 2008 : Debug: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c2abbe21274fad45cdcbf7db8de7de2a5be037e56415b6bc Wed Dec 17 09:07:24 2008 : Debug: [mschap] External script failed. Wed Dec 17 09:07:24 2008 : Debug: [mschap] FAILED: MS-CHAP2-Response is incorrect Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns reject Wed Dec 17 09:07:24 2008 : Debug: [eap] Freeing handler Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns reject Wed Dec 17 09:07:24 2008 : Debug: Failed to authenticate the user. Wed Dec 17 09:07:24 2008 : Debug: [peap] Tunneled authentication was rejected. Wed Dec 17 09:07:24 2008 : Debug: [peap] FAILURE Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns handled Wed Dec 17 09:07:24 2008 : Debug: Sending Access-Challenge packet to host 10.12.18.4 port 1812, id=127, length=0 Wed Dec 17 09:07:24 2008 : Debug: EAP-Message = 0x010800261900170301001b902fbf59b723a82af254f787d0adeb8f35a0e9dac511954bb0ef19 Wed Dec 17 09:07:24 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Wed Dec 17 09:07:24 2008 : Debug: State = 0xd0cf07f0d7c71ef56f2a90dc8079ccda Wed Dec 17 09:07:24 2008 : Debug: Finished request 7. Wed Dec 17 09:07:24 2008 : Debug: expand: %{debug:2} -> 2 Wed Dec 17 09:07:24 2008 : Debug: ++[control] returns notfound Wed Dec 17 09:07:24 2008 : Debug: ++[preprocess] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[chap] returns noop Wed Dec 17 09:07:24 2008 : Debug: ++[mschap] returns noop Wed Dec 17 09:07:24 2008 : Debug: [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. Wed Dec 17 09:07:24 2008 : Debug: ++[realmpercent] returns noop Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Found realm "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Stripped-User-Name = "administrator" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Adding Realm = "tpw5" Wed Dec 17 09:07:24 2008 : Debug: [ntdomain] Authentication realm is LOCAL. Wed Dec 17 09:07:24 2008 : Debug: ++[ntdomain] returns ok Wed Dec 17 09:07:24 2008 : Debug: [suffix] Request already proxied. Ignoring. Wed Dec 17 09:07:24 2008 : Debug: ++[suffix] returns ok Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP packet type response id 8 length 38 Wed Dec 17 09:07:24 2008 : Debug: [eap] Continuing tunnel setup. Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns ok Wed Dec 17 09:07:24 2008 : Debug: ++[files] returns noop Wed Dec 17 09:07:24 2008 : Debug: Found Auth-Type = EAP Wed Dec 17 09:07:24 2008 : Debug: +- entering group authenticate {...} Wed Dec 17 09:07:24 2008 : Debug: [eap] Request found, released from the list Wed Dec 17 09:07:24 2008 : Debug: [eap] EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] processing type peap Wed Dec 17 09:07:24 2008 : Debug: [peap] processing EAP-TLS Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_verify returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] Done initial handshake Wed Dec 17 09:07:24 2008 : Debug: [peap] eaptls_process returned 7 Wed Dec 17 09:07:24 2008 : Debug: [peap] EAPTLS_OK Wed Dec 17 09:07:24 2008 : Debug: [peap] Session established. Decoding tunneled attributes. Wed Dec 17 09:07:24 2008 : Debug: [peap] Received EAP-TLV response. Wed Dec 17 09:07:24 2008 : Debug: [peap] Had sent TLV failure. User was rejected earlier in this session. Wed Dec 17 09:07:24 2008 : Debug: [eap] Handler failed in EAP/peap Wed Dec 17 09:07:24 2008 : Debug: [eap] Failed in EAP select Wed Dec 17 09:07:24 2008 : Debug: ++[eap] returns invalid Wed Dec 17 09:07:24 2008 : Debug: Failed to authenticate the user. Wed Dec 17 09:07:24 2008 : Debug: Using Post-Auth-Type Reject Wed Dec 17 09:07:24 2008 : Debug: +- entering group REJECT {...} Wed Dec 17 09:07:24 2008 : Debug: ++[jradius] returns noop Wed Dec 17 09:07:24 2008 : Debug: Delaying reject of request 8 for 1 seconds Wed Dec 17 09:07:25 2008 : Debug: Sending delayed reject for request 8 Wed Dec 17 09:07:25 2008 : Debug: Sending Access-Reject packet to host 10.12.18.4 port 1812, id=128, length=0 Wed Dec 17 09:07:25 2008 : Debug: EAP-Message = 0x04080004 Wed Dec 17 09:07:25 2008 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails.
How same is "the same user name/domain"? Post the debug of the good attempt. Please use radiusd -X. We don't need to see "Wed Dec 17 09:07:24 2008 : Debug:" in front of every line. Ivan Kalik Kalik Informatika ISP
Ivan, Here is the radiusd -X output: Thanks main { prefix = "/usr" localstatedir = "/var" logdir = "/usr/local/jboss/server/zzjbossserver/log" libdir = "/usr/lib" radacctdir = "/usr/local/jboss/server/zzjbossserver/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no } } client 10.12.18.4 { require_message_authenticator = no secret = "zz" shortname = "3750" } client 127.0.0.1 { require_message_authenticator = no secret = "zz" shortname = "example" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 100 wake_all_if_all_dead = no } realm example { authhost = LOCAL accthost = LOCAL } realm tpw5.com { authhost = LOCAL accthost = LOCAL } realm tpw5 { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/sudo /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/jboss/server/zzjbossserver/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/opt/zz/current/radius/raddb/port_1812/cert_privkey.key" certificate_file = "/opt/zz/current/radius/raddb/port_1812/cert_certificate.pem" CA_file = "/opt/zz/current/radius/raddb/port_1812/cert_ca_cert.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = yes } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_ldap Module: Instantiating tpw5.com ldap tpw5.com { server = "10.12.19.12" port = 3268 password = "password" identity = "Administrator@tpw5.com" net_timeout = 10 timeout = 20 timelimit = 20 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "CN=Users,DC=tpw5,DC=com" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/opt/zz/current/radius/raddb/port_1812/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute tpw5.com-Ldap-Group rlm_ldap: Registering ldap_groupcmp for tpw5.com-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name tpw5.com rlm_ldap: reading ldap<->radius mappings from file /opt/zz/current/radius/raddb/port_1812/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9db9aa0 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/opt/zz/current/radius/raddb/port_1812/huntgroups" hints = "/opt/zz/current/radius/raddb/port_1812/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmpercent realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = yes } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/opt/zz/current/radius/raddb/port_1812/users" acctusersfile = "/opt/zz/current/radius/raddb/port_1812/acct_users" preproxy_usersfile = "/opt/zz/current/radius/raddb/port_1812/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/jboss/server/zzjbossserver/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/jboss/server/zzjbossserver/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_jradius radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=100, length=126 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" EAP-Message = 0x0200001701545057355c61646d696e6973747261746f72 Message-Authenticator = 0x06f820c71907e184080fd19cd6e84fd0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 0 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 100 to 10.12.18.4 port 1812 EAP-Message = 0x0101001604105ad65c5e373632a60f58c8699b2db79e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76ccd7ad3e72180cc6356312d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=101, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76ccd7ad3e72180cc6356312d EAP-Message = 0x020100060319 Message-Authenticator = 0x2c9415792a87d0100d36482b8e227326 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 101 to 10.12.18.4 port 1812 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76dce67d3e72180cc6356312d Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=102, length=201 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76dce67d3e72180cc6356312d EAP-Message = 0x0202005019800000004616030100410100003d030149497fc0589d066d3182d4e06110415db7e9cce189ba524ed9da5a2b90466e9400001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x1b286efae0fc2cac4e562d2c8b06225f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 2 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06ef], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 102 to 10.12.18.4 port 1812 EAP-Message = EAP-Message = EAP-Message = EAP-Message = EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76ecf67d3e72180cc6356312d Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=103, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76ecf67d3e72180cc6356312d EAP-Message = 0x020300061900 Message-Authenticator = 0xf25c9f0d7a0c9a2a5873708bddf1901f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 103 to 10.12.18.4 port 1812 EAP-Message = EAP-Message = EAP-Message = EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76fc867d3e72180cc6356312d Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=104, length=313 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76fc867d3e72180cc6356312d EAP-Message = Message-Authenticator = +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 4 length 192 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 182 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 104 to 10.12.18.4 port 1812 EAP-Message = 0x0105003119001403010001011603010020a1ba5949221dd59f2e8453311aec9c6c1d2e60cff4a6b017df386d2fa527f2c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea768c967d3e72180cc6356312d Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=105, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea768c967d3e72180cc6356312d EAP-Message = 0x020500061900 Message-Authenticator = 0x1de51ad1c24ebe21f7be45e6177e6693 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 105 to 10.12.18.4 port 1812 EAP-Message = 0x0106002019001703010015772e7cc1d5e3d2757502d491ac6a9ecbcb24c165c4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea769ca67d3e72180cc6356312d Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=106, length=167 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea769ca67d3e72180cc6356312d EAP-Message = 0x0206002e190017030100230e1c053c3bcebe8892859e8bbfac2208ed26c7cf5f2f9c25627c2c0115038d12e7392f Message-Authenticator = 0xdd0722594d8f86b0139a64ac045cc96a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 6 length 46 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - TPW5\administrator [peap] Got tunneled request EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72 server { PEAP: Got tunneled identity of TPW5\administrator PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 6 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbd47ae4a573dddc94033f1de [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbd47ae4a573dddc94033f1de [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 106 to 10.12.18.4 port 1812 EAP-Message = 0x01070043190017030100387cd98b9fe8e33bc0bc8dbbf8a2f139fd27cc793f0241af4a18afa6962c75c5183a63822faa5bf18b3d9460cf6a05071729ea6565ea039db5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76acb67d3e72180cc6356312d Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=107, length=221 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76acb67d3e72180cc6356312d EAP-Message = 0x0207006419001703010059f5d5f237a8b1b6a12ce80c36564ceed7ea4b77a2e021c87ab5c01015f679ab43a21c96092d0eb36c944690044e81504bf30d9a0ff0dcd6c5d5a6c036b298245967f69705f3c87d2ca8481b02cf79f3053546eeb7e09a5467ee Message-Authenticator = 0x80fc39ba54f43c51ba004c1d30942c56 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 7 length 100 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72 server { PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" State = 0xbd40b48fbd47ae4a573dddc94033f1de NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 7 length 77 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for administrator with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator [mschap] mschap2: 94 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532 Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbc48ae4a573dddc94033f1de [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbc48ae4a573dddc94033f1de [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 107 to 10.12.18.4 port 1812 EAP-Message = 0x0108004a1900170301003fa21a6406b72762e386f075bc1c01d6b83e271b811a3b126616dff52b1befad49d665e40cf12309fcf4c0675abd66826102e54fdfa02f4f5b9dc78fba4be828 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76bc467d3e72180cc6356312d Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=108, length=150 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76bc467d3e72180cc6356312d EAP-Message = 0x0208001d190017030100123215a25025b2f991889e532eab1acc707509 Message-Authenticator = 0x4ad3f4a678eb190c4ba1f842ab5c4b31 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 8 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" State = 0xbd40b48fbc48ae4a573dddc94033f1de NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok [peap] Got tunneled reply code 2 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "administrator" Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "administrator" Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 108 to 10.12.18.4 port 1812 EAP-Message = 0x010900261900170301001b80018f7d29f8c5f428c963bc1a2fb0d9eb4a5635fe3dd9ccecdee9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea764c567d3e72180cc6356312d Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=109, length=159 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea764c567d3e72180cc6356312d EAP-Message = 0x020900261900170301001b5c1ed2599bd67049afbec5788577faf4dd886681d22bf37c1188f0 Message-Authenticator = 0x86a410ea19f9df8d6d6b7a4bfd926745 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept rlm_eap_tls: add_reply failed to create attribute EAP-MSK: Invalid octet string "" for attribute name "EAP-MSK" rlm_eap_tls: add_reply failed to create attribute EAP-EMSK: Invalid octet string "" for attribute name "EAP-EMSK" [eap] Freeing handler ++[eap] returns ok Sending Access-Accept of id 109 to 10.12.18.4 port 1812 User-Name = "administrator" MS-MPPE-Recv-Key = 0x829a5f395e0ba2e486cf04409ee945b8d3b68e65b40b207b9117722222d890e2 MS-MPPE-Send-Key = 0x4680664366c2b27dd92f9b94d0d00a289f409040fcfc3d26d4e8500e8bd41cbc EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" Finished request 9. Going to the next request ________________________________ From: "tnt@kalik.net" <tnt@kalik.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, December 17, 2008 3:06:27 PM Subject: Re: PEAP with Windows supplicant, Automatically use my windows credentials
I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails.
How same is "the same user name/domain"? Post the debug of the good attempt. Please use radiusd -X. We don't need to see "Wed Dec 17 09:07:24 2008 : Debug:" in front of every line. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator [mschap] mschap2: 94 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532 Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success
Password is different. Ivan Kalik Kalik Informatika ISP
participants (2)
-
splintered thoughts -
tnt@kalik.net