..::Change to MD5 passwords::..
Hi everyone. We have a freeradius server working great, it authenticate users from a squid proxy and a wireless ap. The reason of my email is because we would like to use the same md5 passwords that we use for the squid, the issue is when we try to use the MD5 passwords. The radius server always reject the user. We are using the following password sintax for the user passwords: bob Cleartext-Password := "Test" and we would like to use the following: bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu" What changes do we need to do ir order to allow that kind of authentication, any ideas? thanks in advance. Regards. Alfonso. ##################################################################################### El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv�e y lo borre inmediatamente. The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately. #####################################################################################
On Mon, Apr 23, 2012 at 12:48:33PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
bob Cleartext-Password := "Test"
and we would like to use the following:
bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"
There are non-hex chars in that string, so it's never going to work.
What changes do we need to do ir order to allow that kind of authentication, any ideas?
It works fine. Generate password: $ echo -n Test | md5sum 0cbc6611f5540bd0809a388dc95a615b - Add to users: bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b" Check: $ radtest bob Test localhost 1 testing123 Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "Test" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=73, length=20 Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks Mathew I will check that out. regards. Alfonso. On Apr 23, 2012, at 3:14 PM, Matthew Newton wrote:
On Mon, Apr 23, 2012 at 12:48:33PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
bob Cleartext-Password := "Test"
and we would like to use the following:
bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"
There are non-hex chars in that string, so it's never going to work.
What changes do we need to do ir order to allow that kind of authentication, any ideas?
It works fine. Generate password:
$ echo -n Test | md5sum 0cbc6611f5540bd0809a388dc95a615b -
Add to users:
bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b"
Check:
$ radtest bob Test localhost 1 testing123 Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "Test" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=73, length=20
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
##################################################################################### El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv�e y lo borre inmediatamente. The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately. #####################################################################################
Mathew/List I tried and I'm getting the same issue. Here's the debug. rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=6, length=245 Message-Authenticator = 0x948b8c046dfeede3e79b0b99ef7afa1a Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e4922436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206002b19001703010020cba7d86600d185f93548bb4b8a904a38a9374114ae4f376530f2636234997179 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bob [peap] Got inner identity 'bob' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000801626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0206000801626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdcb7ba18dcb0a038bd0375a7346d3160 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001d1a010700181041ddee2c965cc666b59a722846b03606626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdcb7ba18dcb0a038bd0375a7346d3160 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.15.57 port 1034 EAP-Message = 0x0107003b19001703010030f361b42992d2fe185b2ecb50a0ad36b527d73dba8701ca1054c8cc470dc3d24f6264911b5e402218e4d768082be0e2fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1943d61e7932436507a40c0ae7feeb0 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=7, length=293 Message-Authenticator = 0x8069a3d06eedbc23049e7abb97238b0c Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e7932436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207005b1900170301005006888ad17e1479ebf1252dd882c59af57fcbd8fc6fdc408be3aa9bca0f848910aaa971fce0d84e6bb295c7cfcb97bde44fa36080cf0b6339724dfb31451e7c555b8368fa68abb401ef4865dcee9697a8 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0207003e1a0207003931348dead339a96f464c6888db1dc6b1d10000000000000000bc37500d01943525cfbf94e73d034ffad65687700df882e200626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" State = 0xdcb7ba18dcb0a038bd0375a7346d3160 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 62 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: bob [mschap] Told to do MS-CHAPv2 for bob with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 7 to 172.16.15.57 port 1034 EAP-Message = 0x0108002b1900170301002083fe169562401f5c43afaf4cb74fbe5ea4774a2cd7c7fa97b12f9b79166d7851 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1943d61e69c2436507a40c0ae7feeb0 Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1034, id=8, length=245 Message-Authenticator = 0xe3af8b2689dcb116c182ab22757afc9b Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xe1943d61e69c2436507a40c0ae7feeb0 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b19001703010020924f468aa5f7c1dbbec3ec8dd582e3d54f437bf2d65be67569273dead8ad2a34 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 8 to 172.16.15.57 port 1034 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 1 ID 0 with timestamp +22 Cleaning up request 2 ID 1 with timestamp +22 Cleaning up request 3 ID 2 with timestamp +22 Cleaning up request 4 ID 3 with timestamp +22 Cleaning up request 5 ID 4 with timestamp +22 Cleaning up request 6 ID 5 with timestamp +22 Cleaning up request 7 ID 6 with timestamp +22 Cleaning up request 8 ID 7 with timestamp +22 Waking up in 1.0 seconds. Cleaning up request 9 ID 8 with timestamp +22 Ready to process requests. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=0, length=192 Message-Authenticator = 0xa0906d6e9baa55c0f2d52b574d79f6a4 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000801626f62 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.15.57 port 1036 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ee9d0f4bc37318d43ce26de7 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=1, length=334 Message-Authenticator = 0x5cdd8e0b50791ff49a6476fd24974e5e Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ee9d0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201008419800000007a16030100750100007103014f95ca5308334a7b6c18c056215661784e21c986bfc41f2918fa48cff1d52b1b000036c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00320033003800390016001301000012000a00080006001700180019000b00020100 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 132 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 122 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0075], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 08f8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 172.16.15.57 port 1036 EAP-Message = 0x0102040019c000000935160301002a0200002603014f95ca5327cc991e70b77e26acf693105f409e8c76a846939d9390bbee807a7b00002f0016030108f80b0008f40008f10003e7308203e3308202cba003020102020101300d06092a864886f70d01010505003081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d6331253023060355040313 EAP-Message = 0x1c456e746964616420436572746966696361646f72612042657374656c301e170d3132303432333136323135325a170d3133303432333136323135325a30819f310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3122302006035504031319436572746966696361646f2070617261205365727669646f723125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d7830820122300d06092a864886f70d01010105000382010f003082010a0282 EAP-Message = 0x010100be75d786c09b4ef3a52a43a2fc0723f7cd12a909b8291eeb3f8c9e7f29d7b7082b7d045c9c6d682586d91fa55b30554ad190f4fd241669f8734dfc7c4d012c3a5753743c7c03fe84e33058c63f9385d770e58d3cf12c97879405021f7ca9b262b526466981e02933caf75f648b914b00e5be0718c82eca14bfd1440dbe0688986daf6dad82c0bcc6d2ac53d7b59d413c57f2bf26fa95336ee180e7c6b8186b855e106848509a3d8aacdf7023db636aa6156cfe7727133fb613f1db344e3cf6c4258f4ec2f01f5eb17c1a453b93de4a7c8168471f5c5109f2e9c5f465e216ede9164dfbd67de0cc0f867b6ad7833321ced88941e0b383c171da7c EAP-Message = 0xf80977f08a110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101004e8939f33961439f8e21c3a110d5b82bd414149574f752504e3b0c97ce37b9895e2aebbba2de1ccc2f62f51071355352a6608991447ba34605a79c9bd15b9392104ebdb949038ae58c762c930d56391b739aada4226a109c460087bad50e41bef46ba5de1fe76fce5221376074d481e038556e7dda6b30f907fc20ef4f9c07efd33c887d13032120747840851ff6646e1a9da6cced9a3ee49c634092563b6474fb220d43e19fb8084aca3fd81829558bd30863886ec5410e4bcf892ae8ff5f00c015cbc615 EAP-Message = 0x381cca41e1ac6b870a2a6c38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ef9e0f4bc37318d43ce26de7 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=2, length=208 Message-Authenticator = 0xc739fbd0ef9dcf866e7499bf3e1fc0da Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ef9e0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 172.16.15.57 port 1036 EAP-Message = 0x010303fc1940032746efe07ca1609b26d9870be420ff5c895ebab9edb979d34b3b21bcceee350934c34e8eba673c365095035004c100050430820500308203e8a003020102020900a2c39c984894d7f1300d06092a864886f70d01010505003081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c456e7469646164 EAP-Message = 0x20436572746966696361646f72612042657374656c301e170d3132303432333136323132385a170d3133303432333136323132385a3081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c456e746964616420436572746966696361646f72612042657374656c30820122300d06092a864886f70d01010105000382 EAP-Message = 0x010f003082010a0282010100b5ae278d69d605cdfce08ee4627348f7f149b236821a9a96c38e349599718719ea4e69d46b50a4ebb8d5b2e4e51a81f5770e3996e946045b866e9ba4fd644d23d3a9edaa2047aaeb8d65d49665f76cd4889388363204bf1a1a6ee09401700e80569e50a3795b9a8c6f0780045a2901c72a5bf5eb40787d6be22dc85e0480dcc72bd4e5a1b3b47459e5f38accc9a86687a3938f81969df947fb5a1dc4cdae760a533c53ec8b6a1558bc80f187211a322a9a2b831d0a6548885ada107ecc26482238b7bd9bca2fc65da92c0f934aceb404fa0348ff0b71b16bd642b5710f3cbccea2394e90881b6e00f82938e8a1e931401e EAP-Message = 0xd13863d429632c3c8c6a414ea14de70203010001a382011930820115301d0603551d0e04160414dd636dabfd2d63daa0df7f064e9e80524f09f8973081e50603551d230481dd3081da8014dd636dabfd2d63daa0df7f064e9e80524f09f897a181b6a481b33081b0310b3009060355040613024d583119301706035504081310446973747269746f204665646572616c310c300a06035504071303575443312a3028060355040a13215365637572697479204f7065726174696f6e732043656e7465722042657374656c3125302306092a864886f70d0109011616616172657965736a4062657374656c2e636f6d2e6d63312530230603550403131c45 EAP-Message = 0x6e74696461642043 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ec9f0f4bc37318d43ce26de7 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=3, length=208 Message-Authenticator = 0x9721441fee42173f4ac830082831c323 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ec9f0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 172.16.15.57 port 1036 EAP-Message = 0x0104014f19006572746966696361646f72612042657374656c820900a2c39c984894d7f1300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a858e937f386ebf0d5cbafd3df632b75ed8f91985e2400074681a54c8218e23da99bed40feab9526ad2304f50d642ec64fe87a35a129bb188f9dacc905483cbaa538136be6c5c3964daa9f6c734dd58f80a21c606784c1481b3ec64f079d140e812c025dc0551be03714c9a1f1d91a33efffbae16d9ad9ff3d764384ecbf3fe416ef62d19218714d040eb537b2c9b857bfea26e6bdbb6cd1ab06219b2f8dfda391cfcedbec42191a3e69e783a54cbbc07e08f2073dc05e EAP-Message = 0x46df94eed2015f11ee6d142419cf527a2b89a1e0d42f2476fc0f3658280de7c9fb0bc12ceee819419e565037a8a3f9346ec46baaca43702384a2582d5972fe10b09ba2859d03649add16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ed980f4bc37318d43ce26de7 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=4, length=540 Message-Authenticator = 0x5fca46c54b0196cd6fe7153f9dbfca56 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ed980f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204015019800000014616030101061000010201005bc6e8f77b4a5f1639708d69bde492a488c3d32ae3b24c27ff529908a3d5b69f49481e2d4915f43951aab38ac7aebade7ca22bf60cb88147ed7269538bfb74c436e36adbb94888c95cb71860bb8dd0e87a5a98aa321d45f89415ad6a44e56c5a2ba9b4f94e4ad43f63e1791472a1debf7bf3158cc571b112e65ee818b30b4b7a5027107e9550cc1fa3705174cd4a0013efa821316a1e3de4249677c5977bca910562f21ca05ccdef26df5d629cc34566885728d35d6d59b0534125bdcbf57d10cfd05ee862bccfffaa76b7d0b3d8a58ecc884720a3ed57fd5cb1eb3ab6d6588a6c22265acad15bad EAP-Message = 0xaade04d74274d3f88d15932924f524eed688578761c114e7140301000101160301003004903e31b67d27b0bd637926db96e06f986d29e87babe80894627deed61fe3df128a74864e9a5476c0a58340aab4a7c9 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.16.15.57 port 1036 EAP-Message = 0x01050041190014030100010116030100308669e55fd54bb312e722034e440cc89da9572b59e5fe404548a0ffaba858b0e3acd9c4a9fc0afb4c7e98bd9ef665cc7a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0ea990f4bc37318d43ce26de7 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=5, length=208 Message-Authenticator = 0xbe2776375b4e10ab3f30444b3ace7d8a Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0ea990f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500061900 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.16.15.57 port 1036 EAP-Message = 0x0106002b19001703010020336f1efa15562f7ec63d5a266a4ae594c54e973da46098c6b50fc906e6a6f50b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0eb9a0f4bc37318d43ce26de7 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=6, length=245 Message-Authenticator = 0x13b610bf50f117d1384d073b43625dec Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0eb9a0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206002b1900170301002007db074f7d46924de79aecb4a8341354a13dff53821c77586e64075cd4579212 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bob [peap] Got inner identity 'bob' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000801626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0206000801626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ba3714d3ba46ba312c4d56b659c6f28 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001d1a0107001810a72ac61743ac31416a9d10a086efbb79626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ba3714d3ba46ba312c4d56b659c6f28 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.15.57 port 1036 EAP-Message = 0x0107003b190017030100305098dffb457482369d0a6ca4edb03a7362a3576cbcb7976426a24c938797a00685892c96b169a0cee843e8213e0f1ba0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0e89b0f4bc37318d43ce26de7 Finished request 16. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=7, length=293 Message-Authenticator = 0x4d87ac714c2dd5f1386fa20d1ec9d726 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0e89b0f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207005b1900170301005088a6556be482f16c6160b5d7b7491a57531befe9dba60a051bbfb7b5f1048c62e587d3f8626c3bf6cef973d56912f54af6fe66eaeac67f32132086a0e57dcc8931082247f05059dad398c9955e215ee4 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0207003e1a0207003931d18a71697552b4f92cd285af401063bd0000000000000000152e50cdf17822fe76795c1346d0211b7854c6ffc3cce09000626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" State = 0x3ba3714d3ba46ba312c4d56b659c6f28 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 62 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: bob [mschap] Told to do MS-CHAPv2 for bob with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 0 via TLS tunnel) password incorrecto } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 7 to 172.16.15.57 port 1036 EAP-Message = 0x0108002b19001703010020a4fa56ea5314462b9c6b1d0de620729da0601187d25fd2d532da2b68c0b86e35 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xee9c16b0e9940f4bc37318d43ce26de7 Finished request 17. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.15.57 port 1036, id=8, length=245 Message-Authenticator = 0xcf8322e778b5603e0bc5c162899a06b9 Service-Type = Framed-User User-Name = "bob" Framed-MTU = 1488 State = 0xee9c16b0e9940f4bc37318d43ce26de7 Called-Station-Id = "40-01-C6-DF-C7-C2:Tamales" Calling-Station-Id = "10-40-F3-95-22-24" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b1900170301002055063fcb378b90263f36683d8bd9718d1f4d94963c882c3685c815dee3d336f1 NAS-IP-Address = 192.168.1.11 NAS-Port = 3 NAS-Port-Id = "STA port # 3" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. expand: password incorrecto -> password incorrecto Login incorrect: [bob/<via Auth-Type = EAP>] (from client 172.16.15.57 port 3 cli 10-40-F3-95-22-24) password incorrecto Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 18 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 18 Sending Access-Reject of id 8 to 172.16.15.57 port 1036 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. I think I'm missing something on the configuration, any ideas? Regards. Alfonso. On Apr 23, 2012, at 3:14 PM, Matthew Newton wrote:
On Mon, Apr 23, 2012 at 12:48:33PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
bob Cleartext-Password := "Test"
and we would like to use the following:
bob MD5-Password := "f43ed6ad2f43ea778b65557c626262ysu"
There are non-hex chars in that string, so it's never going to work.
What changes do we need to do ir order to allow that kind of authentication, any ideas?
It works fine. Generate password:
$ echo -n Test | md5sum 0cbc6611f5540bd0809a388dc95a615b -
Add to users:
bob MD5-Password := "0cbc6611f5540bd0809a388dc95a615b"
Check:
$ radtest bob Test localhost 1 testing123 Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "Test" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=73, length=20
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
##################################################################################### El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv�e y lo borre inmediatamente. The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately. #####################################################################################
hi, you said you were doing EAP-MD5 this isnt EAP-MD5 , this is PEAP to do PEAP you either need the password in plain test, or in HT-hash format as per the docs, as per deployingradius.com compatibility chart alan
thanks I just don't want to store the passwords in plain text, do you know how can I hash with HT? is there some linux function or something? I tried to google it with no luck. Thanks. On Apr 23, 2012, at 5:02 PM, alan buxey wrote:
hi,
you said you were doing EAP-MD5
this isnt EAP-MD5 , this is PEAP
to do PEAP you either need the password in plain test, or in HT-hash format as per the docs, as per deployingradius.com compatibility chart
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
##################################################################################### El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv�e y lo borre inmediatamente. The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately. #####################################################################################
On Mon, Apr 23, 2012 at 05:21:38PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
thanks I just don't want to store the passwords in plain text, do you know how can I hash with HT? is there some linux function or something? I tried to google it with no luck.
smbencrypt $ smbencrypt Test LM Hash NT Hash -------------------------------- -------------------------------- 01FC5A6BE7BC6929AAD3B435B51404EE 4A1FAB8F6B5441E0493DC7D41304BFB6 comes with freeradius Matthew
On Apr 23, 2012, at 5:02 PM, alan buxey wrote:
hi,
you said you were doing EAP-MD5
this isnt EAP-MD5 , this is PEAP
to do PEAP you either need the password in plain test, or in HT-hash format as per the docs, as per deployingradius.com compatibility chart
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
#####################################################################################
El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv?e y lo borre inmediatamente.
The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately.
#####################################################################################
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thank you very much for you help. Regards Alfonso. On Apr 23, 2012, at 5:43 PM, Matthew Newton wrote:
On Mon, Apr 23, 2012 at 05:21:38PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
thanks I just don't want to store the passwords in plain text, do you know how can I hash with HT? is there some linux function or something? I tried to google it with no luck.
smbencrypt
$ smbencrypt Test LM Hash NT Hash -------------------------------- -------------------------------- 01FC5A6BE7BC6929AAD3B435B51404EE 4A1FAB8F6B5441E0493DC7D41304BFB6
comes with freeradius
Matthew
On Apr 23, 2012, at 5:02 PM, alan buxey wrote:
hi,
you said you were doing EAP-MD5
this isnt EAP-MD5 , this is PEAP
to do PEAP you either need the password in plain test, or in HT-hash format as per the docs, as per deployingradius.com compatibility chart
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
#####################################################################################
El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv?e y lo borre inmediatamente.
The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately.
#####################################################################################
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
##################################################################################### El contenido de este mensaje es confidencial. Si usted ha recibido este mensaje por error, le ruego que no lo reenv�e y lo borre inmediatamente. The contents of this message are confidential. If message has been received in error, please do not forward and destroy immediately. #####################################################################################
On Mon, Apr 23, 2012 at 04:36:04PM -0500, Reyes Jimenez Alfonso Alejandro wrote:
I tried and I'm getting the same issue.
Here's the debug.
Ah, it's clear now.
EAP-Message = 0x0206002b19001703010020cba7d86600d185f93548bb4b8a904a38a9374114ae4f376530f2636234997179
...
[peap] processing EAP-TLS
PEAP ...
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: bob [mschap] Told to do MS-CHAPv2 for bob with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. expand: password incorrecto -> password incorrecto
MS-CHAPv2
I think I'm missing something on the configuration, any ideas?
You can't store passwords in MD5 for PEAP/MS-CHAPv2. You have three options - clear text, LM-hash or NT-hash. I'll add the link. I don't think it's been posted today so far... http://deployingradius.com/documents/protocols/compatibility.html Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
alan buxey -
Matthew Newton -
Reyes Jimenez Alfonso Alejandro