Am 18.12.2013 10:54, schrieb Hubert Kupper:
Am 18.12.2013 10:16, schrieb Olivier Beytrison:
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject It looks like you provided the wrong password.
Olivier no, I used "pwddummy" only in my posting. In my tests I used the right password for the testuser dumm. With our other FR servers, the testuser and password works fine!
Hubert - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Ok, I resetted the password for user dumm and tried it again. Here is the output:
Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=172, length=213 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020200090164756d6d Message-Authenticator = 0x19d1460f5e754fa9589131e27aa1631b (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (!User-Name) (0) ? if (!User-Name) -> FALSE (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dumm' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "dumm", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "dumm" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : EAP packet type response id 2 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa867997d (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge of id 172 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa867997d12828dafc6890954 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=173, length=327 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x0203006919800000005f160301005a01000056030152b1966ea0268f428ae5f5a4c8c1c0d1b6ad2fa9945b4b8f9d132cce1a818aec000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0xa86480cfa867997d12828dafc6890954 Message-Authenticator = 0xb4bdc760cfea245ec3ae498b0e0303a8 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) ? if (!User-Name) (1) ? if (!User-Name) -> FALSE (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'dumm' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "dumm", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "dumm" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : EAP packet type response id 3 length 105 (1) eap : Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xa86480cfa867997d (1) eap : Finished EAP session with state 0xa86480cfa867997d (1) eap : Previous EAP request found for state 0xa86480cfa867997d, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 95 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 12e2], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa960997d (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge of id 173 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa960997d12828dafc6890954 (1) Finished request 1. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=174, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020400061900 State = 0xa86480cfa960997d12828dafc6890954 Message-Authenticator = 0xbce2adf33028b31939f2dadd25dc21a6 (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) ? if (!User-Name) (2) ? if (!User-Name) -> FALSE (2) ? if (User-Name != "%{tolower:%{User-Name}}") (2) expand: "%{tolower:%{User-Name}}" -> 'dumm' (2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) ? if (User-Name =~ / /) (2) ? if (User-Name =~ / /) -> FALSE (2) ? if (User-Name =~ /@.*@/ ) (2) ? if (User-Name =~ /@.*@/ ) -> FALSE (2) ? if (User-Name =~ /\\.\\./ ) (2) ? if (User-Name =~ /\\.\\./ ) -> FALSE (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) ? if (User-Name =~ /\\.$/) (2) ? if (User-Name =~ /\\.$/) -> FALSE (2) ? if (User-Name =~ /@\\./) (2) ? if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "dumm", looking up realm NULL (2) suffix : Found realm "NULL" (2) suffix : Adding Stripped-User-Name = "dumm" (2) suffix : Adding Realm = "NULL" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) eap : EAP packet type response id 4 length 6 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xa86480cfa960997d (2) eap : Finished EAP session with state 0xa86480cfa960997d (2) eap : Previous EAP request found for state 0xa86480cfa960997d, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaa61997d (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge of id 174 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfaa61997d12828dafc6890954 (2) Finished request 2. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=175, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020500061900 State = 0xa86480cfaa61997d12828dafc6890954 Message-Authenticator = 0x6424ccb720f6e6d11e217657449ec5b1 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) ? if (!User-Name) (3) ? if (!User-Name) -> FALSE (3) ? if (User-Name != "%{tolower:%{User-Name}}") (3) expand: "%{tolower:%{User-Name}}" -> 'dumm' (3) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) ? if (User-Name =~ / /) (3) ? if (User-Name =~ / /) -> FALSE (3) ? if (User-Name =~ /@.*@/ ) (3) ? if (User-Name =~ /@.*@/ ) -> FALSE (3) ? if (User-Name =~ /\\.\\./ ) (3) ? if (User-Name =~ /\\.\\./ ) -> FALSE (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) ? if (User-Name =~ /\\.$/) (3) ? if (User-Name =~ /\\.$/) -> FALSE (3) ? if (User-Name =~ /@\\./) (3) ? if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "dumm", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "dumm" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : EAP packet type response id 5 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xa86480cfaa61997d (3) eap : Finished EAP session with state 0xa86480cfaa61997d (3) eap : Previous EAP request found for state 0xa86480cfaa61997d, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfab62997d (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge of id 175 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfab62997d12828dafc6890954 (3) Finished request 3. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=176, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020600061900 State = 0xa86480cfab62997d12828dafc6890954 Message-Authenticator = 0xed7f6b286401975720341fcbc89f9455 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) ? if (!User-Name) (4) ? if (!User-Name) -> FALSE (4) ? if (User-Name != "%{tolower:%{User-Name}}") (4) expand: "%{tolower:%{User-Name}}" -> 'dumm' (4) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) ? if (User-Name =~ / /) (4) ? if (User-Name =~ / /) -> FALSE (4) ? if (User-Name =~ /@.*@/ ) (4) ? if (User-Name =~ /@.*@/ ) -> FALSE (4) ? if (User-Name =~ /\\.\\./ ) (4) ? if (User-Name =~ /\\.\\./ ) -> FALSE (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) ? if (User-Name =~ /\\.$/) (4) ? if (User-Name =~ /\\.$/) -> FALSE (4) ? if (User-Name =~ /@\\./) (4) ? if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "dumm", looking up realm NULL (4) suffix : Found realm "NULL" (4) suffix : Adding Stripped-User-Name = "dumm" (4) suffix : Adding Realm = "NULL" (4) suffix : Authentication realm is LOCAL (4) [suffix] = ok (4) eap : EAP packet type response id 6 length 6 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xa86480cfab62997d (4) eap : Finished EAP session with state 0xa86480cfab62997d (4) eap : Previous EAP request found for state 0xa86480cfab62997d, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfac63997d (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge of id 176 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfac63997d12828dafc6890954 (4) Finished request 4. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=177, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020700061900 State = 0xa86480cfac63997d12828dafc6890954 Message-Authenticator = 0x350c6496caddb678f4145338d352ff5f (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) ? if (!User-Name) (5) ? if (!User-Name) -> FALSE (5) ? if (User-Name != "%{tolower:%{User-Name}}") (5) expand: "%{tolower:%{User-Name}}" -> 'dumm' (5) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) ? if (User-Name =~ / /) (5) ? if (User-Name =~ / /) -> FALSE (5) ? if (User-Name =~ /@.*@/ ) (5) ? if (User-Name =~ /@.*@/ ) -> FALSE (5) ? if (User-Name =~ /\\.\\./ ) (5) ? if (User-Name =~ /\\.\\./ ) -> FALSE (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) ? if (User-Name =~ /\\.$/) (5) ? if (User-Name =~ /\\.$/) -> FALSE (5) ? if (User-Name =~ /@\\./) (5) ? if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "dumm", looking up realm NULL (5) suffix : Found realm "NULL" (5) suffix : Adding Stripped-User-Name = "dumm" (5) suffix : Adding Realm = "NULL" (5) suffix : Authentication realm is LOCAL (5) [suffix] = ok (5) eap : EAP packet type response id 7 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xa86480cfac63997d (5) eap : Finished EAP session with state 0xa86480cfac63997d (5) eap : Previous EAP request found for state 0xa86480cfac63997d, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake fragment handler (5) eap_peap : eaptls_verify returned 1 (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfad6c997d (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge of id 177 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfad6c997d12828dafc6890954 (5) Finished request 5. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=178, length=560 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020801501980000001461603010106100001020100895db16795383e66c1fbe477e6a32de3bbf7284cedcb90d740413663bb5723b9d64ebc2cd4fc722d68bbb218dd74930a5696ae34e6b6668d6da308cb4f056eaa47e914dfb5afc1ac3ea4060d56430d37b79b3f61203a2f5f13faa11be9ee39f6ad29e894d7fe443569ba4ce8c91245e17b0d198d0bdd5a5a838eaad32d44be2fa954ad8be8ca01c9542f438fd9c2018ccc398b5fc326cd2bd6610d6fe3cc57fbffca875bcd9a93c812ecf0e33f9fcbfd9c11ef94b2f730de6d2745976d5c74521cb4628257351c280ec41f32b9311cde2b72d8cb3919a5d6c8dbbee1542d0014b02ba361ac9a156fd03226538d356541c6f6a3412f5db8251c9a5a25de2ee2c81403010001011603010030119978f0e9951fc0d9d6d4850d606edc4b3339ae5452c58db1699e709dfa5d5e3f910008914565a5b8d435aa41888ce3 State = 0xa86480cfad6c997d12828dafc6890954 Message-Authenticator = 0xa0338b8ac9c33aa4898dff4aaff042fc (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) ? if (!User-Name) (6) ? if (!User-Name) -> FALSE (6) ? if (User-Name != "%{tolower:%{User-Name}}") (6) expand: "%{tolower:%{User-Name}}" -> 'dumm' (6) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) ? if (User-Name =~ / /) (6) ? if (User-Name =~ / /) -> FALSE (6) ? if (User-Name =~ /@.*@/ ) (6) ? if (User-Name =~ /@.*@/ ) -> FALSE (6) ? if (User-Name =~ /\\.\\./ ) (6) ? if (User-Name =~ /\\.\\./ ) -> FALSE (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) ? if (User-Name =~ /\\.$/) (6) ? if (User-Name =~ /\\.$/) -> FALSE (6) ? if (User-Name =~ /@\\./) (6) ? if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "dumm", looking up realm NULL (6) suffix : Found realm "NULL" (6) suffix : Adding Stripped-User-Name = "dumm" (6) suffix : Adding Realm = "NULL" (6) suffix : Authentication realm is LOCAL (6) [suffix] = ok (6) eap : EAP packet type response id 8 length 336 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xa86480cfad6c997d (6) eap : Finished EAP session with state 0xa86480cfad6c997d (6) eap : Previous EAP request found for state 0xa86480cfad6c997d, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS TLS Length 326 (6) eap_peap : Length Included (6) eap_peap : eaptls_verify returned 11 (6) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (6) eap_peap : TLS_accept: SSLv3 read client key exchange A (6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 read finished A (6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_peap : TLS_accept: SSLv3 write change cipher spec A (6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (6) eap_peap : TLS_accept: SSLv3 write finished A (6) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 to cache (6) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (6) eap_peap : eaptls_process returned 13 (6) eap_peap : FR_TLS_HANDLED (6) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfae6d997d (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge of id 178 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x01090041190014030100010116030100304363285a0957c59d896553101f3d7e4de5404484f6dea4258eca26e9699b520777556fd173f270a97f987c2e7a01394d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfae6d997d12828dafc6890954 (6) Finished request 6. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=179, length=228 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020900061900 State = 0xa86480cfae6d997d12828dafc6890954 Message-Authenticator = 0xba508282c219aea5755f50bf9de8429e (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) ? if (!User-Name) (7) ? if (!User-Name) -> FALSE (7) ? if (User-Name != "%{tolower:%{User-Name}}") (7) expand: "%{tolower:%{User-Name}}" -> 'dumm' (7) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) ? if (User-Name =~ / /) (7) ? if (User-Name =~ / /) -> FALSE (7) ? if (User-Name =~ /@.*@/ ) (7) ? if (User-Name =~ /@.*@/ ) -> FALSE (7) ? if (User-Name =~ /\\.\\./ ) (7) ? if (User-Name =~ /\\.\\./ ) -> FALSE (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) ? if (User-Name =~ /\\.$/) (7) ? if (User-Name =~ /\\.$/) -> FALSE (7) ? if (User-Name =~ /@\\./) (7) ? if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "dumm", looking up realm NULL (7) suffix : Found realm "NULL" (7) suffix : Adding Stripped-User-Name = "dumm" (7) suffix : Adding Realm = "NULL" (7) suffix : Authentication realm is LOCAL (7) [suffix] = ok (7) eap : EAP packet type response id 9 length 6 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xa86480cfae6d997d (7) eap : Finished EAP session with state 0xa86480cfae6d997d (7) eap : Previous EAP request found for state 0xa86480cfae6d997d, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : Received TLS ACK (7) eap_peap : Received TLS ACK (7) eap_peap : ACK handshake is finished (7) eap_peap : eaptls_verify returned 3 (7) eap_peap : eaptls_process returned 3 (7) eap_peap : FR_TLS_SUCCESS (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state TUNNEL ESTABLISHED (7) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaf6e997d (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge of id 179 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010a002b19001703010020be713b3d1fc2d5f5b78ada5c59f71d259becb60cfd631484fe72a2b116382a42 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfaf6e997d12828dafc6890954 (7) Finished request 7. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=180, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020a002b19001703010020d1ef31ba5764aeaecaa4d794b45d9412106b7d2d16fab86405e45bf76a79f9fd State = 0xa86480cfaf6e997d12828dafc6890954 Message-Authenticator = 0x390272675aad0fd9a3bb808b7e842d1d (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) ? if (!User-Name) (8) ? if (!User-Name) -> FALSE (8) ? if (User-Name != "%{tolower:%{User-Name}}") (8) expand: "%{tolower:%{User-Name}}" -> 'dumm' (8) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) ? if (User-Name =~ / /) (8) ? if (User-Name =~ / /) -> FALSE (8) ? if (User-Name =~ /@.*@/ ) (8) ? if (User-Name =~ /@.*@/ ) -> FALSE (8) ? if (User-Name =~ /\\.\\./ ) (8) ? if (User-Name =~ /\\.\\./ ) -> FALSE (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) ? if (User-Name =~ /\\.$/) (8) ? if (User-Name =~ /\\.$/) -> FALSE (8) ? if (User-Name =~ /@\\./) (8) ? if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "dumm", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "dumm" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) eap : EAP packet type response id 10 length 43 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xa86480cfaf6e997d (8) eap : Finished EAP session with state 0xa86480cfaf6e997d (8) eap : Previous EAP request found for state 0xa86480cfaf6e997d, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state WAITING FOR INNER IDENTITY (8) eap_peap : Identity - dumm (8) eap_peap : Got inner identity 'dumm' (8) eap_peap : Setting default EAP type for tunneled EAP session (8) eap_peap : Got tunneled request EAP-Message = 0x020a00090164756d6d server default { (8) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020a00090164756d6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' server inner-tunnel { (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "dumm", looking up realm NULL (8) suffix : Found realm "NULL" (8) suffix : Adding Stripped-User-Name = "dumm" (8) suffix : Adding Realm = "NULL" (8) suffix : Authentication realm is LOCAL (8) [suffix] = ok (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 10 length 9 (8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Peer sent Identity (1) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : Issuing Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xee5b016dee501bdf (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016dee501bdf8d4c45a0081cd9a7 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016dee501bdf8d4c45a0081cd9a7 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa06f997d (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge of id 180 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010b005b1900170301005073ea643c33410b75bddafebb5c6dfcb84d36924a83410e9111f31a559c3dd1583d191d435a92bab18f28ffe91e6e877127f7ad007cfbfacaead6ab6ba3a224bdad252b5049a926b9031d12e1dfa0f57d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa06f997d12828dafc6890954 (8) Finished request 8. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=181, length=313 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020b005b190017030100501e92d5aac9bc32d3633a445500b65cf43ba2fafff188597ff64350f659c20099cd4d3cc1b46e10d3af5d214a9117445e49ff1d0117cded672220a5889795b4b0a148f0bd43b5e703cec7f0a4271868a7 State = 0xa86480cfa06f997d12828dafc6890954 Message-Authenticator = 0xd1a70dbde1b61df2d5cb92820834b904 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) ? if (!User-Name) (9) ? if (!User-Name) -> FALSE (9) ? if (User-Name != "%{tolower:%{User-Name}}") (9) expand: "%{tolower:%{User-Name}}" -> 'dumm' (9) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) ? if (User-Name =~ / /) (9) ? if (User-Name =~ / /) -> FALSE (9) ? if (User-Name =~ /@.*@/ ) (9) ? if (User-Name =~ /@.*@/ ) -> FALSE (9) ? if (User-Name =~ /\\.\\./ ) (9) ? if (User-Name =~ /\\.\\./ ) -> FALSE (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) ? if (User-Name =~ /\\.$/) (9) ? if (User-Name =~ /\\.$/) -> FALSE (9) ? if (User-Name =~ /@\\./) (9) ? if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) eap : EAP packet type response id 11 length 91 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xee5b016dee501bdf (9) eap : Finished EAP session with state 0xa86480cfa06f997d (9) eap : Previous EAP request found for state 0xa86480cfa06f997d, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d server default { (9) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' State = 0xee5b016dee501bdf8d4c45a0081cd9a7 server inner-tunnel { (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 11 length 63 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xee5b016dee501bdf (9) eap : Finished EAP session with state 0xee5b016dee501bdf (9) eap : Previous EAP request found for state 0xee5b016dee501bdf, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : adding MS-CHAPv2 MPPE keys (9) [mschap] = ok (9) } # Auth-Type MS-CHAP = ok MSCHAP Success (9) eap : New EAP session, adding 'State' attribute to reply 0xee5b016def571bdf (9) [eap] = handled (9) } # authenticate = handled } # server inner-tunnel (9) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016def571bdf8d4c45a0081cd9a7 (9) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee5b016def571bdf8d4c45a0081cd9a7 (9) eap_peap : Got tunneled Access-Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa168997d (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge of id 181 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010c008b1900170301008046339821146757e1169814d336fa5f44c5ce7a0e601f78caedb3fd62a4fa62b2f7d8d34cc19780af80a57723dadd2585f7fa37d7cdca90f4cdb16b2d35e36f36c6a4bcb7638a02e9dd200cde370816f25c171bc348b6a5282ae214face960bd0eede6e44d5006125861933e0fdc966b82a9a03e63641d184d1c5244f6023ecae Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa168997d12828dafc6890954 (9) Finished request 9. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=182, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020c002b19001703010020b0ac95690bead98890fb01b1789e3dcdc33e358f214f171ebe643ab87330ea1a State = 0xa86480cfa168997d12828dafc6890954 Message-Authenticator = 0x7c14084404119159c3d9e6416e0a8110 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) ? if (!User-Name) (10) ? if (!User-Name) -> FALSE (10) ? if (User-Name != "%{tolower:%{User-Name}}") (10) expand: "%{tolower:%{User-Name}}" -> 'dumm' (10) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) ? if (User-Name =~ / /) (10) ? if (User-Name =~ / /) -> FALSE (10) ? if (User-Name =~ /@.*@/ ) (10) ? if (User-Name =~ /@.*@/ ) -> FALSE (10) ? if (User-Name =~ /\\.\\./ ) (10) ? if (User-Name =~ /\\.\\./ ) -> FALSE (10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) ? if (User-Name =~ /\\.$/) (10) ? if (User-Name =~ /\\.$/) -> FALSE (10) ? if (User-Name =~ /@\\./) (10) ? if (User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "dumm", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "dumm" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) eap : EAP packet type response id 12 length 43 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xee5b016def571bdf (10) eap : Finished EAP session with state 0xa86480cfa168997d (10) eap : Previous EAP request found for state 0xa86480cfa168997d, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020c00061a03 server default { (10) eap_peap : Setting User-Name to dumm Sending tunneled request EAP-Message = 0x020c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'dumm' State = 0xee5b016def571bdf8d4c45a0081cd9a7 server inner-tunnel { (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) [chap] = noop (10) [mschap] = noop (10) suffix : No '@' in User-Name = "dumm", looking up realm NULL (10) suffix : Found realm "NULL" (10) suffix : Adding Stripped-User-Name = "dumm" (10) suffix : Adding Realm = "NULL" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) Proxy-To-Realm := 'LOCAL' (10) } # update control = noop (10) eap : EAP packet type response id 12 length 6 (10) eap : EAP-MSCHAPV2 success, returning short-circuit ok (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap : Expiring EAP session with state 0xee5b016def571bdf (10) eap : Finished EAP session with state 0xee5b016def571bdf (10) eap : Previous EAP request found for state 0xee5b016def571bdf, released from the list (10) eap : Peer sent MSCHAPv2 (26) (10) eap : EAP MSCHAPv2 (26) (10) eap : Calling eap_mschapv2 to process EAP data (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) Login OK: [dumm/<via Auth-Type = EAP>] (from client uni port 0 via TLS tunnel) (10) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (10) post-auth { (10) reply_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" -> '/var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218' (10) reply_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218 (10) reply_log : expand: "%t" -> 'Wed Dec 18 13:34:42 2013' (10) [reply_log] = ok (10) ldap : expand: "." -> '.' (10) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 13:34:42' rlm_ldap (ldap): Reserved connection (2) (10) ldap : Waiting for bind result... (10) ldap : Bind successful (10) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (10) ldap : expand: "o=org" -> 'o=org' (10) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (10) ldap : Waiting for search result... (10) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (10) [ldap] = reject (10) } # post-auth = reject } # server inner-tunnel (10) eap_peap : Got tunneled reply code 3 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'dumm' (10) eap_peap : Got tunneled reply RADIUS code 3 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Stripped-User-Name = 'dumm' (10) eap_peap : Tunneled authentication was rejected (10) eap_peap : FAILURE (10) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa269997d (10) [eap] = handled (10) } # authenticate = handled Sending Access-Challenge of id 182 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x010d002b19001703010020b5173c1b2cec565ddf2100e27bc0bea6358257604cbf176f1e6b006c028fccb9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86480cfa269997d12828dafc6890954 (10) Finished request 10. Waking up in 0.1 seconds. rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=183, length=265 User-Name = 'dumm' Calling-Station-Id = 'xx-xx-xx-xx-xx-xx' Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663' NAS-IP-Address = xxx.xx.xxx.x NAS-Identifier = 'cisco' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '219' EAP-Message = 0x020d002b19001703010020c712a6ac4a0db2089c88254691e2fc91f9efdff20bffff880f830a5a22706162 State = 0xa86480cfa269997d12828dafc6890954 Message-Authenticator = 0xdfd550bec019140e91d79fe8c9eb081a (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) filter_username filter_username { (11) ? if (!User-Name) (11) ? if (!User-Name) -> FALSE (11) ? if (User-Name != "%{tolower:%{User-Name}}") (11) expand: "%{tolower:%{User-Name}}" -> 'dumm' (11) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (11) ? if (User-Name =~ / /) (11) ? if (User-Name =~ / /) -> FALSE (11) ? if (User-Name =~ /@.*@/ ) (11) ? if (User-Name =~ /@.*@/ ) -> FALSE (11) ? if (User-Name =~ /\\.\\./ ) (11) ? if (User-Name =~ /\\.\\./ ) -> FALSE (11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) ? if (User-Name =~ /\\.$/) (11) ? if (User-Name =~ /\\.$/) -> FALSE (11) ? if (User-Name =~ /@\\./) (11) ? if (User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix : No '@' in User-Name = "dumm", looking up realm NULL (11) suffix : Found realm "NULL" (11) suffix : Adding Stripped-User-Name = "dumm" (11) suffix : Adding Realm = "NULL" (11) suffix : Authentication realm is LOCAL (11) [suffix] = ok (11) eap : EAP packet type response id 13 length 43 (11) eap : Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap : Expiring EAP session with state 0xa86480cfa269997d (11) eap : Finished EAP session with state 0xa86480cfa269997d (11) eap : Previous EAP request found for state 0xa86480cfa269997d, released from the list (11) eap : Peer sent PEAP (25) (11) eap : EAP PEAP (25) (11) eap : Calling eap_peap to process EAP data (11) eap_peap : processing EAP-TLS (11) eap_peap : eaptls_verify returned 7 (11) eap_peap : Done initial handshake (11) eap_peap : eaptls_process returned 7 (11) eap_peap : FR_TLS_OK (11) eap_peap : Session established. Decoding tunneled attributes (11) eap_peap : Peap state send tlv failure (11) eap_peap : Received EAP-TLV response (11) eap_peap : The users session was previously rejected: returning reject (again.) (11) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (11) eap_peap : *** to find out the reason why the user was rejected (11) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you (11) eap_peap : *** what went wrong, and how to fix the problem SSL: Removing session e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 from the cache (11) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (11) eap : Failed in EAP select (11) [eap] = invalid (11) } # authenticate = invalid (11) Failed to authenticate the user (11) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [dumm/<via Auth-Type = EAP>] (from client uni port 1 cli xx-xx-xx-xx-xx-xx) (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Post-Auth-Type REJECT { (11) attr_filter.access_reject : expand: "%{User-Name}" -> 'dumm' (11) attr_filter.access_reject : Matched entry DEFAULT at line 11 (11) [attr_filter.access_reject] = updated (11) ldap : expand: "." -> '.' (11) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 13:34:42' rlm_ldap (ldap): Reserved connection (2) (11) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (11) ldap : expand: "o=org" -> 'o=org' (11) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (11) ldap : Waiting for search result... (11) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (11) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org" (11) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (11) [ldap] = reject (11) } # Post-Auth-Type REJECT = reject (11) Finished request 11. Waking up in 0.1 seconds. Waking up in 0.6 seconds. (11) Sending delayed reject Sending Access-Reject of id 183 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770 EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 172 with timestamp +22 (1) Cleaning up request packet ID 173 with timestamp +22 (2) Cleaning up request packet ID 174 with timestamp +22 (3) Cleaning up request packet ID 175 with timestamp +22 (4) Cleaning up request packet ID 176 with timestamp +22 (5) Cleaning up request packet ID 177 with timestamp +22 (6) Cleaning up request packet ID 178 with timestamp +22 (7) Cleaning up request packet ID 179 with timestamp +22 (8) Cleaning up request packet ID 180 with timestamp +22 (9) Cleaning up request packet ID 181 with timestamp +22 (10) Cleaning up request packet ID 182 with timestamp +22 Waking up in 1.0 seconds. (11) Cleaning up request packet ID 183 with timestamp +22 Ready to process requests Signalled to terminate Exiting normally rlm_ldap (ldap): Removing connection pool rlm_ldap (ldap): Closing connection (2) rlm_ldap (ldap): Closing connection (1) rlm_ldap (ldap): Closing connection (0)
On 18.12.2013 13:49, Hubert Kupper wrote:
Am 18.12.2013 10:54, schrieb Hubert Kupper: Ok, I resetted the password for user dumm and tried it again. Here is the output: [snip] rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok
That's good [snip]
/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : adding MS-CHAPv2 MPPE keys (9) [mschap] = ok
that's also good :) [snip]
(10) ldap : expand: "." -> '.' (10) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 13:34:42' rlm_ldap (ldap): Reserved connection (2) (10) ldap : Waiting for bind result... (10) ldap : Bind successful (10) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (10) ldap : expand: "o=org" -> 'o=org' (10) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (10) ldap : Waiting for search result... (10) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org" (10) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (10) [ldap] = reject
that's not good. you're calling the ldap module in inner-tunnel.post-auth, I guess you're updating values in the LDAP. But for some reason it fails and return a reject. The logs doesn't show what went wrong though. If you comment the ldap module in post-auth, it will work. Is there a reason why you have ldap listed in post-auth ? can you post your inner-tunnel config ? Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Inner tunnel auth is working. Inner tunnel postauth is failing on an ldap operation What are you trying to do with ldap in the post auth? alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 18 Dec 2013, at 14:29, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Inner tunnel auth is working. Inner tunnel postauth is failing on an ldap operation What are you trying to do with ldap in the post auth?
It's an LDAP modify. I've fixed the code. Looks like the ldap_rcode_t was being treated as an rlm_rcode_t, which the compiler should of warned about. That's the whole point of creating types from the enums. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 18.12.2013 16:12, schrieb Arran Cudbard-Bell:
On 18 Dec 2013, at 14:29, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Inner tunnel auth is working. Inner tunnel postauth is failing on an ldap operation What are you trying to do with ldap in the post auth? It's an LDAP modify. I've fixed the code. Looks like the ldap_rcode_t was being treated as an rlm_rcode_t, which the compiler should of warned about. That's the whole point of creating types from the enums.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hello, I've comment out ldap in the post-auth section and it works fine now. Hurra! :-) Many thanks for your help to all. I wish you a good time. Hubert
participants (4)
-
Alan Buxey -
Arran Cudbard-Bell -
Hubert Kupper -
Olivier Beytrison