Hello everyone. I'm trying to use FreeRADIUS 2.2.0 on Fedora 19 to authenticate Wi-Fi clients (Windows 7) against a MS Active Directory domain (Windows Server 2008 R2). The access point is a MikroTik RouterOS v5.11. I've already joined the FreeRADIUS machine into my AD domain and both 'wbinfo -a' and 'ntlm_auth' can successfully authenticate domain users. Then, I've followed the instructions on the Wiki for FreeRADIUS 2.x and set up the server accordingly. However, 'radiusd -X' tells that the Windows clients didn't reply the request and there's a url to the Wiki, explaining why it couldn't finish. The root and the client (self-signed) certificates are already installed on a test client, and I think I've created them following the recommended way (as told in README file on raddb/certs). I've checked the comments on raddb/eap.conf, but I'm not sure what to do next. Is there some way to make the Windows clients trust the request? The 'radiusd -X' output follows: FreeRADIUS Version 2.2.0, for host i686-redhat-linux-gnu, built on Feb 14 2013 at 18:27:55 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm MYDOMAIN { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.10.92 { require_message_authenticator = no secret = "testing123" shortname = "192.168.10.92" } client 192.168.10.94 { require_message_authenticator = no secret = "testing123" shortname = "192.168.10.94" } client 192.168.10.95 { require_message_authenticator = no secret = "testing123" shortname = "192.168.10.95" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = ntlm_auth Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/huntgroups reading pairlist file /etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /etc/raddb/users reading pairlist file /etc/raddb/acct_users reading pairlist file /etc/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 44612 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ rad_recv: Access-Request packet from host 192.168.10.92 port 36028, id=76, length=262 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL" Acct-Session-Id = "82a0000d" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0D" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x0201001e01686f73742f434f5449414e2e52494f534f46542e4c4f43414c Message-Authenticator = 0x31f444f7ce3c94af50d7c7b4a06f5722 NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 76 to 192.168.10.92 port 36028 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb43ea5ebb43cbce8a490d8f312508be4 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 32862, id=77, length=355 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL" State = 0xb43ea5ebb43cbce8a490d8f312508be4 Acct-Session-Id = "82a0000d" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0D" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x0202006919800000005f160301005a0100005603015260450c82c8023e5b9a1dfad11d801781ee3b6bf74b2b4f1cd0be7f49ca8e11000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 Message-Authenticator = 0x568404fff20064c7e21b1a1d317ef843 NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 77 to 192.168.10.92 port 32862 EAP-Message = 0x0103040019c0000008a216030100310200002d03015260450ee0bea0b9257af2e18386eb9dc7c3e596222be5c5ebeb5370ddd74d8700002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3133313031363134323630335a170d3133313231353134323630335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100dfd4dbdf0a174a6c3f82037cdd6074e625292d93f3739a3e51f0c61dab2ada7d047e5710360d4f16f7bd757cdd00d0b3934f27bbce66bf EAP-Message = 0xc4900fb83181037c138a7714ea79097b27bce6d19cb2786feb0eb892474b973ecfe7564f9f6952b4c33b5c60349000c27111746c5037f0b6f59395ae429a8fcfd1631b1d62d0d8e1bf50e65bf2f0140576954d284b742eaaba994fb602b78b3e972ced578c9800a88a357ebd4888e57d45bd504b3ce0d7565b11e3a1f654c8150626cd369d3282359ba545fb2ed6094b919f3fd46e2d21de9975bb830f845961a54c7f027016c83e3036e5d4989e544cf294590e91c4a3bff91915f485d5aeae062ae57d53314c6e890203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009905 EAP-Message = 0x17bc693fcc992e1f7e096f2a92dff11892528c21f255b81752ee0c2a7d80461841e598a42ca069bbc4e197ade15cde2c74c7336bb401c7d7a6a2fc2665ece8b508de62989cd220d166fe82cef9b168b864ce820240df1feea527d81a0c2a630d6c27a74084c2de0c19619045d97d9b46a86b06ff01382853294cf41ab38a3782000eb240ee0c767f1e95254f7d6eda7f1eb660c6a8a28193996b6fcc427c8b625729335207b16f53686ff29831a0c4cf193954a07f55b6f39fae2c9c2856bab77054d40d3d8e1e10b58c87e359d68b5a136c228d47386b94e24f904b770bae180b52c43e44fee7d59f23fd62b3db90b4080e2d9d745a9bfc3072392906 EAP-Message = 0x260004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb43ea5ebb53dbce8a490d8f312508be4 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 50212, id=78, length=256 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL" State = 0xb43ea5ebb53dbce8a490d8f312508be4 Acct-Session-Id = "82a0000d" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0D" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020300061900 Message-Authenticator = 0xcf9ce2da7e06592890d17f3dbfe2bd0b NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 78 to 192.168.10.92 port 50212 EAP-Message = 0x010403fc1940a003020102020900f00855f5890659fb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133313031363138353833365a170d3133313231353138353833365a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c96110649b28ac82b044de690142d712aee8354822cb050e32d669792d1c3283fb68197cf8d374300b5ceada09f640273241be4656338666a1cdcc234a82e63969ef5c082fec72b1958642177b688dce612dc2219186773d302d1b12d7f8b19f1535d3a70cf7c60d EAP-Message = 0x39afe1b15c614b73ca066307bbae35f641a323052846ce1f29e0e3b69cfcea3a1c02e652bbe062b581d01237d5138533e9bb573146db5c226bd43af9ef67afbc89a027d4e1da1eb2cda2317bf8fb29333c4060862a73e112b6013cf874b8ce8aa20fbb0fcd109a5d369b7435bb1caafae7802eff878b08c5c760d0d9466ad1736fc1a43a63f94f20a0b8e30a46fdd8d80f0e9c6216b5c6210203010001a381fb3081f8301d0603551d0e041604141052c1e60010fdedf84e0d39878e265608eb034e3081c80603551d230481c03081bd80141052c1e60010fdedf84e0d39878e265608eb034ea18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900f00855f5890659fb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b1b00cc10559119faf542edd0d6ce5d2db5338dc81e55fe41c76348f6f84562a13f4278dc881a1ca024e57f72e02c8c0341db67eb4c18f898695abe0f4dcc6a5100036ef2ad41612c15ccb EAP-Message = 0xb3388ab4c8799870 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb43ea5ebb63abce8a490d8f312508be4 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 45199, id=79, length=256 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL" State = 0xb43ea5ebb63abce8a490d8f312508be4 Acct-Session-Id = "82a0000d" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0D" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020400061900 Message-Authenticator = 0x697378bb0e1376f1314eb49334139908 NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 79 to 192.168.10.92 port 45199 EAP-Message = 0x010500bc19000b99343f8be5bbbac504b964b7278214ef92146e2b531d6bb346fd4d3f3db01f2bbaf06338eebc4f3f95dd05afbde1bfea561612bcc0f38cf033161a29d8d3d153be349292571cda0fb68aaeb1f8d7b8a00433092281110715db379edfdcb52afb132d4eaad24bd8a76d8ecf4377dd24cfc4484d64966f87c601d5644f65791eb42b66ab4419db5c27e3649e81d4993dddf34b71b6339b6730dfd68cbad45e6f9daeb2704ae46a9331ca454e4016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb43ea5ebb73bbce8a490d8f312508be4 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 59033, id=80, length=256 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL" State = 0xb43ea5ebb73bbce8a490d8f312508be4 Acct-Session-Id = "82a0000d" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0D" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020500061900 Message-Authenticator = 0xe471ede46d42d0a95cb4d67975c7d7a3 NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/WORKSTATION.MYDOMAIN.LOCAL", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 80 to 192.168.10.92 port 59033 EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb43ea5ebb038bce8a490d8f312508be4 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 35895, id=81, length=256 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "MYDOMAIN\\domainuser" Acct-Session-Id = "82a0000e" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0E" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x0201001b0152494f534f46545c6761627269656c2e636f7469616e Message-Authenticator = 0x3dee545b5b2331b44c04e4b80a7fc4f3 NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MYDOMAIN\domainuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\domainuser" [ntdomain] Found realm "MYDOMAIN" [ntdomain] Adding Stripped-User-Name = "domainuser" [ntdomain] Adding Realm = "MYDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 81 to 192.168.10.92 port 35895 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac18ae1dac1ab77e24f513d206b33409 Finished request 5. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 54020, id=82, length=352 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "MYDOMAIN\\domainuser" State = 0xac18ae1dac1ab77e24f513d206b33409 Acct-Session-Id = "82a0000e" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0E" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x0202006919800000005f160301005a0100005603015260450c0c7365e7b420a507dea053bea8d97f928dbc9719c628bedb2a3062c4000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 Message-Authenticator = 0xcc87280fc3a3ed09d352553e603427ce NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MYDOMAIN\domainuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\domainuser" [ntdomain] Found realm "MYDOMAIN" [ntdomain] Adding Stripped-User-Name = "domainuser" [ntdomain] Adding Realm = "MYDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 82 to 192.168.10.92 port 54020 EAP-Message = 0x0103040019c0000008a216030100310200002d03015260450f0d4e9065556cf917c4e98598c14754ed8e52f9eb9950b8d043cab2fe00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3133313031363134323630335a170d3133313231353134323630335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100dfd4dbdf0a174a6c3f82037cdd6074e625292d93f3739a3e51f0c61dab2ada7d047e5710360d4f16f7bd757cdd00d0b3934f27bbce66bf EAP-Message = 0xc4900fb83181037c138a7714ea79097b27bce6d19cb2786feb0eb892474b973ecfe7564f9f6952b4c33b5c60349000c27111746c5037f0b6f59395ae429a8fcfd1631b1d62d0d8e1bf50e65bf2f0140576954d284b742eaaba994fb602b78b3e972ced578c9800a88a357ebd4888e57d45bd504b3ce0d7565b11e3a1f654c8150626cd369d3282359ba545fb2ed6094b919f3fd46e2d21de9975bb830f845961a54c7f027016c83e3036e5d4989e544cf294590e91c4a3bff91915f485d5aeae062ae57d53314c6e890203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009905 EAP-Message = 0x17bc693fcc992e1f7e096f2a92dff11892528c21f255b81752ee0c2a7d80461841e598a42ca069bbc4e197ade15cde2c74c7336bb401c7d7a6a2fc2665ece8b508de62989cd220d166fe82cef9b168b864ce820240df1feea527d81a0c2a630d6c27a74084c2de0c19619045d97d9b46a86b06ff01382853294cf41ab38a3782000eb240ee0c767f1e95254f7d6eda7f1eb660c6a8a28193996b6fcc427c8b625729335207b16f53686ff29831a0c4cf193954a07f55b6f39fae2c9c2856bab77054d40d3d8e1e10b58c87e359d68b5a136c228d47386b94e24f904b770bae180b52c43e44fee7d59f23fd62b3db90b4080e2d9d745a9bfc3072392906 EAP-Message = 0x260004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac18ae1dad1bb77e24f513d206b33409 Finished request 6. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 54346, id=83, length=253 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "MYDOMAIN\\domainuser" State = 0xac18ae1dad1bb77e24f513d206b33409 Acct-Session-Id = "82a0000e" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0E" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020300061900 Message-Authenticator = 0x61a87acdb9c5c971007e9121502a8aff NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MYDOMAIN\domainuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\domainuser" [ntdomain] Found realm "MYDOMAIN" [ntdomain] Adding Stripped-User-Name = "domainuser" [ntdomain] Adding Realm = "MYDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 83 to 192.168.10.92 port 54346 EAP-Message = 0x010403fc1940a003020102020900f00855f5890659fb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133313031363138353833365a170d3133313231353138353833365a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c96110649b28ac82b044de690142d712aee8354822cb050e32d669792d1c3283fb68197cf8d374300b5ceada09f640273241be4656338666a1cdcc234a82e63969ef5c082fec72b1958642177b688dce612dc2219186773d302d1b12d7f8b19f1535d3a70cf7c60d EAP-Message = 0x39afe1b15c614b73ca066307bbae35f641a323052846ce1f29e0e3b69cfcea3a1c02e652bbe062b581d01237d5138533e9bb573146db5c226bd43af9ef67afbc89a027d4e1da1eb2cda2317bf8fb29333c4060862a73e112b6013cf874b8ce8aa20fbb0fcd109a5d369b7435bb1caafae7802eff878b08c5c760d0d9466ad1736fc1a43a63f94f20a0b8e30a46fdd8d80f0e9c6216b5c6210203010001a381fb3081f8301d0603551d0e041604141052c1e60010fdedf84e0d39878e265608eb034e3081c80603551d230481c03081bd80141052c1e60010fdedf84e0d39878e265608eb034ea18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900f00855f5890659fb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b1b00cc10559119faf542edd0d6ce5d2db5338dc81e55fe41c76348f6f84562a13f4278dc881a1ca024e57f72e02c8c0341db67eb4c18f898695abe0f4dcc6a5100036ef2ad41612c15ccb EAP-Message = 0xb3388ab4c8799870 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac18ae1dae1cb77e24f513d206b33409 Finished request 7. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 34882, id=84, length=253 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "MYDOMAIN\\domainuser" State = 0xac18ae1dae1cb77e24f513d206b33409 Acct-Session-Id = "82a0000e" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0E" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020400061900 Message-Authenticator = 0xca1ae53f11c24a576535b3fa85897aff NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MYDOMAIN\domainuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\domainuser" [ntdomain] Found realm "MYDOMAIN" [ntdomain] Adding Stripped-User-Name = "domainuser" [ntdomain] Adding Realm = "MYDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 84 to 192.168.10.92 port 34882 EAP-Message = 0x010500bc19000b99343f8be5bbbac504b964b7278214ef92146e2b531d6bb346fd4d3f3db01f2bbaf06338eebc4f3f95dd05afbde1bfea561612bcc0f38cf033161a29d8d3d153be349292571cda0fb68aaeb1f8d7b8a00433092281110715db379edfdcb52afb132d4eaad24bd8a76d8ecf4377dd24cfc4484d64966f87c601d5644f65791eb42b66ab4419db5c27e3649e81d4993dddf34b71b6339b6730dfd68cbad45e6f9daeb2704ae46a9331ca454e4016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac18ae1daf1db77e24f513d206b33409 Finished request 8. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.10.92 port 46831, id=85, length=253 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "MYDOMAIN\\domainuser" State = 0xac18ae1daf1db77e24f513d206b33409 Acct-Session-Id = "82a0000e" Acct-Multi-Session-Id = "02-0C-42-6A-44-6C-F0-7B-CB-42-28-7E-82-A0-00-00-00-00-00-0E" Calling-Station-Id = "F0-7B-CB-42-28-7E" Called-Station-Id = "02-0C-42-6A-44-6C:CORP-WiFi" EAP-Message = 0x020500061900 Message-Authenticator = 0xc12066f7e555aa8b79ae1f0104deaaec NAS-Identifier = "MikroTik" Mikrotik-Realm = "MYDOMAIN" NAS-IP-Address = 192.168.10.92 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MYDOMAIN\domainuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\domainuser" [ntdomain] Found realm "MYDOMAIN" [ntdomain] Adding Stripped-User-Name = "domainuser" [ntdomain] Adding Realm = "MYDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 85 to 192.168.10.92 port 46831 EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac18ae1da81eb77e24f513d206b33409 Finished request 9. Going to the next request Waking up in 4.2 seconds. Cleaning up request 0 ID 76 with timestamp +19 Cleaning up request 1 ID 77 with timestamp +19 Cleaning up request 2 ID 78 with timestamp +19 Cleaning up request 3 ID 79 with timestamp +19 Cleaning up request 4 ID 80 with timestamp +19 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xb43ea5ebb038bce8 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Waking up in 0.5 seconds. Cleaning up request 5 ID 81 with timestamp +19 Cleaning up request 6 ID 82 with timestamp +20 Cleaning up request 7 ID 83 with timestamp +20 Cleaning up request 8 ID 84 with timestamp +20 Cleaning up request 9 ID 85 with timestamp +20 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xac18ae1da81eb77e did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests.
Bruno de Paula Larini wrote:
I'm trying to use FreeRADIUS 2.2.0 on Fedora 19 to authenticate Wi-Fi clients (Windows 7) against a MS Active Directory domain (Windows Server 2008 R2). The access point is a MikroTik RouterOS v5.11. I've already joined the FreeRADIUS machine into my AD domain and both 'wbinfo -a' and 'ntlm_auth' can successfully authenticate domain users. Then, I've followed the instructions on the Wiki for FreeRADIUS 2.x and set up the server accordingly.
That all seems fine.
However, 'radiusd -X' tells that the Windows clients didn't reply the request and there's a url to the Wiki, explaining why it couldn't finish. The root and the client (self-signed) certificates are already installed on a test client, and I think I've created them following the recommended way (as told in README file on raddb/certs). I've checked the comments on raddb/eap.conf, but I'm not sure what to do next.
Is there some way to make the Windows clients trust the request?
http://deployingradius.com/ Read the 4-step HOWTO on the bottom of the page. It details a step-by-step process to getting EAP to work on Windows machines. It WILL work. If the Windows box just stops the EAP session... the content on the Wiki page describes what to do. There really isn't anything else which can fix the problem. Alan DeKok.
participants (2)
-
Alan DeKok -
Bruno de Paula Larini