Setting ntlm_auth parameters depending on NAS-IP-Address
Hello, We currently have a Freeradius server version 2.1.12 used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind. In order for the user to be able to obtain authorization, it needs to be belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command and it works great so far. We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory. Everything will be the same except the authorization will need to be based on whether the user belongs to a different one than that of the Wifi networks. I have browsed the Freeradius documentation as much as possible and have seen that it is possible to use conditionnals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on this mailing-list : http://freeradius.1045715.n5.nabble.com/Different-Auth-Methods-based-on-clie...). The group SID would be dependent on the IP of the network device which should be contained in "NAS-IP-Address". This should just be a case of writing a simple conditionnal statement and setting a variable. Nonetheless, I have not been able to do this as Freeradius will not start every time I try to add a conditional to the configuration files. I have tried doing it in the "default" site and a few other places. How would I go about doing this ? Where would I put the conditional and how would I write it ? Thank you in advance for your help, Antoine
What's the error message when you try to run radiusd -X? Without the debug output, no-one knows what your condition was that you inserted, or where you inserted it, or what the error message is. Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Antoine Benkemoun Sent: 07 May 2014 08:28 To: freeradius-users@lists.freeradius.org Subject: Setting ntlm_auth parameters depending on NAS-IP-Address Hello, We currently have a Freeradius server version 2.1.12 used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind. In order for the user to be able to obtain authorization, it needs to be belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command and it works great so far. We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory. Everything will be the same except the authorization will need to be based on whether the user belongs to a different one than that of the Wifi networks. I have browsed the Freeradius documentation as much as possible and have seen that it is possible to use conditionnals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on this mailing-list : http://freeradius.1045715.n5.nabble.com/Different-Auth-Methods-based-on-clie...). The group SID would be dependent on the IP of the network device which should be contained in "NAS-IP-Address". This should just be a case of writing a simple conditionnal statement and setting a variable. Nonetheless, I have not been able to do this as Freeradius will not start every time I try to add a conditional to the configuration files. I have tried doing it in the "default" site and a few other places. How would I go about doing this ? Where would I put the conditional and how would I write it ? Thank you in advance for your help, Antoine - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Thank you for your answer and sorry for overlooking this. The syntax that I have added to <RADIUS_ETC_DIR>/sites-enabled/default is the following : if (NAS-IP-Address == 172.16.2.254) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" } if (NAS-IP-Address == 172.16.0.200) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459" } The idea is to set this variable in function of NAS-IP-Address. I have tried putting double quotes around the IP and using ":=" instead of "=" but that still didn't work. The error I get is : Module: Checking authorize {...} for more modules to load /etc/freeradius/sites-enabled/default[72]: Unknown action 'S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387'. /etc/freeradius/sites-enabled/default[69]: Errors parsing authorize section. This is what makes me think that I am doing something incorrectly in terms of variable assignment because the conditional seems to happen correctly. Antoine ________________________________________ From: freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org> on behalf of Stefan Paetow <Stefan.Paetow@ja.net> Sent: Wednesday, May 7, 2014 10:23 AM To: FreeRadius users mailing list Subject: RE: Setting ntlm_auth parameters depending on NAS-IP-Address What's the error message when you try to run radiusd -X? Without the debug output, no-one knows what your condition was that you inserted, or where you inserted it, or what the error message is. Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Antoine Benkemoun Sent: 07 May 2014 08:28 To: freeradius-users@lists.freeradius.org Subject: Setting ntlm_auth parameters depending on NAS-IP-Address Hello, We currently have a Freeradius server version 2.1.12 used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind. In order for the user to be able to obtain authorization, it needs to be belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command and it works great so far. We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory. Everything will be the same except the authorization will need to be based on whether the user belongs to a different one than that of the Wifi networks. I have browsed the Freeradius documentation as much as possible and have seen that it is possible to use conditionnals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on this mailing-list : http://freeradius.1045715.n5.nabble.com/Different-Auth-Methods-based-on-clie...). The group SID would be dependent on the IP of the network device which should be contained in "NAS-IP-Address". This should just be a case of writing a simple conditionnal statement and setting a variable. Nonetheless, I have not been able to do this as Freeradius will not start every time I try to add a conditional to the configuration files. I have tried doing it in the "default" site and a few other places. How would I go about doing this ? Where would I put the conditional and how would I write it ? Thank you in advance for your help, Antoine - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07/05/14 10:03, Antoine Benkemoun wrote:
Thank you for your answer and sorry for overlooking this.
The syntax that I have added to <RADIUS_ETC_DIR>/sites-enabled/default is the following :
if (NAS-IP-Address == 172.16.2.254) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" } if (NAS-IP-Address == 172.16.0.200) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459" }
This is completely wrong. See "man unlang". You will need to: 1. Define a local attribute in raddb/dictionary 2. Use the correct syntax i.e. if (...) { update request { NTLM-Group-Required := "..." } }
Thank you for your help. I am now able to start freeradius with the conditional. The ntlm_auth command is now the following : ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{request:NTLM-Group-Required} The conditional is now the following : if ("%{request:NAS-IP-Address}" == "172.16.2.254") { update request { NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" } } elsif ("%{request:NAS-IP-Address}" == "172.16.0.200") { update request { NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459" } } else { update request { NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" } } According to the logs, the if gets evaluated correctly. ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping else for request 6: Preceding "if" was taken The problem is that the variable is not expanded in the mschap module as shown in the following logs. [mschap] expand: %{mschap:Challenge} -> c056dfa8e298aaaa [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=c056dfa8e298aaaa [mschap] expand: %{mschap:NT-Response} -> 13fc04face0302e96a75eba82ecaaaaaaaaaaa [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=13fc04face0302e96a75eba82ecaaaaaaaaaaa [mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of= What am I doing incorrectly ? Thanks in advance, Antoine ________________________________________ From: freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org> on behalf of Phil Mayers <p.mayers@imperial.ac.uk> Sent: Wednesday, May 7, 2014 12:05 PM To: freeradius-users@lists.freeradius.org Subject: Re: Setting ntlm_auth parameters depending on NAS-IP-Address On 07/05/14 10:03, Antoine Benkemoun wrote:
Thank you for your answer and sorry for overlooking this.
The syntax that I have added to <RADIUS_ETC_DIR>/sites-enabled/default is the following :
if (NAS-IP-Address == 172.16.2.254) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387" } if (NAS-IP-Address == 172.16.0.200) { ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459" }
This is completely wrong. See "man unlang". You will need to: 1. Define a local attribute in raddb/dictionary 2. Use the correct syntax i.e. if (...) { update request { NTLM-Group-Required := "..." } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for your answer. Sorry for that. Please find the entire debug log below. peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "ntdomain" from file /etc/freeradius/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 37680 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=251, length=246 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0201000f016162656e6b656d6f756e Message-Authenticator = 0x1b5aad0ef8877762ea2832178b4e0ab1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 0: Preceding "if" was taken ++ ... skipping else for request 0: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 251 to 172.16.2.254 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=252, length=401 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a6444bca59bfbbdf23e1910b4f04015192225639f4786e7f40b6822ef500004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f Message-Authenticator = 0xb7ab88c129f84efe838c9e455df34eae # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 1: Preceding "if" was taken ++ ... skipping else for request 1: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 142 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0089], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0550], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 252 to 172.16.2.254 port 32769 EAP-Message = 0x0103040019c0000006ec1603010039020000350301536a43a901ec5af2e220c3545bda41f6f503016e8d45900d46f694f27ecb346a00c01400000dff01000100000b00040300010216030105500b00054c000549000546308205423082042aa0030201020209009163e378a45e4373300d06092a864886f70d0101050500306e310b3009060355040613024348310d300b06035504081304566175643111300f060355040a13084e65787468696e6b310b3009060355040b130249543110300e060355040313074954205465616d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d301e170d3134303330353039353933 EAP-Message = 0x335a170d3139303631323039353933335a3081a2310b3009060355040613024348310d300b06035504081304566175643111300f060355040713084c617573616e6e653111300f060355040a13084e65787468696e6b3110300e060355040b13074954205465616d312c302a06035504031323636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba39cee32672aca7bbf26026be98e0563338f575ae8f93fe4c62b12c9c1653938f7b7b146284 EAP-Message = 0xe7ead531d6472e71d052af2cc834d48bb7db7ecf3c9256bee6aba1ef3d4033d01c5b5b6cc3979ca3c1a79ee5b008a93cbeb3a71e3afb7045181e4816d533c96a4f97c416888fab2567e3418d2bd9b717cf2d12e0f794ffe7a079526b86d88fc1071dfed371972c22f92dbe2ead837f56d54ac4dc8198458eb1bc853742594a383051f9cc7d587b1a54e5effe71ba0d66c0714469ee79c4908f9db05685971c97464787fb7de17249367db0298994a6bdc7a58c4e107b76d44c97a4d2b7eebbab98fa128487a5bce934f777335da34da5ed7004e1896f734122370203010001a38201ac308201a830090603551d1304023000301106096086480186f842 EAP-Message = 0x0101040403020640300b0603551d0f0404030203f830130603551d25040c300a06082b06010505070301303506096086480186f842010d042816264e65787468696e6b204f70656e53534c2047656e657261746564204365727469666963617465304e0603551d11044730458223636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d8210636973636f2d7377632d323530302d31820c3137322e31362e322e323534301d0603551d0e04160414d3f2b3a6d48a468f738ff5dd6056d3f384a6dbee301f0603551d23041830168014fb320a0d0c3081f1517718946a7797aee67a6e08303206096086480186f84201 EAP-Message = 0x0404251623687474703a2f2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=253, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020300061900 State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f Message-Authenticator = 0xe14e3c9ead9b88944258c7934f444fe8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 2: Preceding "if" was taken ++ ... skipping else for request 2: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 253 to 172.16.2.254 port 32769 EAP-Message = 0x010402fc190069742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d30340603551d1f042d302b3029a027a0258623687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f300d06092a864886f70d0101050500038201010016fde58d60d1a9567e825fa65720dabad5ecfafc8ee146c6312a4b60983808a1261d94e1c4e84f4a70d770e8262a217f43a23cf034e86179aa921287198553fecea4f1277b811692a530321194137b17ef47c5b261ac36c8211e EAP-Message = 0x617b4e14cdd8dda6627de232040efd97d69c71d926d44869e59e91fcfcb8f90a5875aa9ddec2417dfa82c35980e7dacbb7fdd7a6247b961ff3fe0db906a8544982cc72fa100fd5a799e809eb4b9c4e0dac5728573f0b95aae8439a55528227d946fc1efae3ad8c28cacf093b62f6a27950ae3ea2ca391717334744d73ecfcd0152b3cc7b9eed59c5ece62c91846fc0e126fa1d2bdc3a8f4a9d1f806f9487fabae3a214d59d6f160301014b0c0001470300174104ddfa1e9eb4aba37ed9f6718df44b350c01e5c0093d17eb66b67d037ffa765aa658bc9dcc5821bfcdea7ae0f3d602799c2b379b9174f157c9ae136e9ad5025dee0100ade26975d9f952 EAP-Message = 0x14c06d26f4651e8c66cb7783fd9a10d4acc500dee83c016b4f71de3f62610299b67fffb8e3abb449ebbde99b782d1d0a94ff53a490f9ea4c536dfbb4c68495a9dd26ac4c51b5088194d5089e7cf8e7d621a97af03f57c209b19046f57ed1b8e41f4e5a9d5a9104e02bae4d32b070788a28e9902470c569a5cae54cfbe2f97114e8bbc9ac422ebe62766528e8471dd31c785fecfeeb14c539c305df7590314b2bdbf8e8f2399a116a26b2b36e2065b2ac08f052f330cd473ed2c1f39a4272a951c5f31b9fa9b3586e671e7be73d7954bac2d0c7c72718fde0b9ed77f1e65bbf2a384c2f9fbeb18d44ce443a9700e9335962cb4dd0dd689e503216030100 EAP-Message = 0x040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=254, length=393 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x02040090198000000086160301004610000042410479a5816fc4469badb7b96f2d7834854fdf750af1fe94bffa525defcf879bc6a05ea66400643db7ec9869c4c9f54149817a136f75e79b19d35d57851568f75d3a14030100010116030100302bed7dd77900cb202884e16b48589fbeaabf7e297a3a96d813c0b95baad8fe84b3e2692c838db3aba4ace134e7747aa2 State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f Message-Authenticator = 0x92ac34611d403b2f0799da5552ffeccf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 3: Preceding "if" was taken ++ ... skipping else for request 3: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 254 to 172.16.2.254 port 32769 EAP-Message = 0x010500411900140301000101160301003041d0c407f76f5234af15ff78f9ec99228fca6447b2ab593c26d7b33fb092deb4b7608eda7cefa100d7610e35623831dd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=255, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020500061900 State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f Message-Authenticator = 0x64b278fc4d4e892fdf0eaf6de21b6250 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 4: Preceding "if" was taken ++ ... skipping else for request 4: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 255 to 172.16.2.254 port 32769 EAP-Message = 0x0106002b1900170301002017ab6fcfec80bac56aef6061cc21dd5936e5f17ba6871bd39c0e0f39f03b5250 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=0, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0206002b1900170301002050a7b15799682707695b0ecca644c907cd9b7126153b23cbffbfc55d36a93a4a State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f Message-Authenticator = 0x154a6f183ef57ed2759cdb84d248eb7b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 5: Preceding "if" was taken ++ ... skipping else for request 5: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - user1 [peap] Got inner identity 'user1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a5cdbc96a5bc19791d80465670c3e25 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a5cdbc96a5bc19791d80465670c3e25 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.2.254 port 32769 EAP-Message = 0x0107004b190017030100405edb4c91479e44b4fbd4542db40e3bee3aed09237d3fd39be1dca6f7b6dfb6d151c78bbac47a3e6a5d0b5a17ac2aa81e942f6c966bc1f04f21e41e3af729237e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=1, length=356 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0207006b190017030100605ec951545ca8b0283435811c00367d135a3573a01c484b2c3caef30d1dc21d48e463ec0edeb61f0531bef4bc621f666ed6c370d3d9c56c9449a448beeaac32fc3efbbcb3fb01b47dcd98a26a9b2231b051870ed9701c6232b1e3cb83764bda9d State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f Message-Authenticator = 0x322b09af70b49fce3659602a50ef58fb # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping else for request 6: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" State = 0x6a5cdbc96a5bc19791d80465670c3e25 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 69 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: user1 [mschap] Told to do MS-CHAPv2 for user1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> user1 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1 [mschap] Creating challenge hash with username: user1 [mschap] expand: %{mschap:Challenge} -> 8ca1377208f1742e [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=8ca1377208f1742e [mschap] expand: %{mschap:NT-Response} -> 279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a [mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of= Could not parse into seperate domain/name parts! Exec-Program output: (null) (0xc000000d) Exec-Program-Wait: plaintext: (null) (0xc000000d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 1 to 172.16.2.254 port 32769 EAP-Message = 0x0108002b19001703010020feb623eb0bb3dca917592b6afe1500709bd79b96337e135d970d06b8997c26d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=2, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0208002b1900170301002019b84798928d1bde9fcf75002a3e1044b6dd2fa2cce8da7f6cab1292767e66cb State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f Message-Authenticator = 0x290721d82f147cc6fc88b27c5d3b81b1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 7: Preceding "if" was taken ++ ... skipping else for request 7: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 2 to 172.16.2.254 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=3, length=246 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0201000f016162656e6b656d6f756e Message-Authenticator = 0xef0454742ef67005127515ded256b71a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 8: Preceding "if" was taken ++ ... skipping else for request 8: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 3 to 172.16.2.254 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25d866e67d724fec8265bde908 Finished request 8. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=4, length=401 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a90310de667ed488f873dba4d02a4f737c10edfb934fa6f18c237690fd00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0xd864ff25d866e67d724fec8265bde908 Message-Authenticator = 0x2cf136d506f7df502ecc34ba6b7a30f3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 9: Preceding "if" was taken ++ ... skipping else for request 9: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 142 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0089], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0550], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.16.2.254 port 32769 EAP-Message = 0x0103040019c0000006ec1603010039020000350301536a43acb352e63dd22a952054553efabbaeec15d08d106ee74feb27ecbda89000c01400000dff01000100000b00040300010216030105500b00054c000549000546308205423082042aa0030201020209009163e378a45e4373300d06092a864886f70d0101050500306e310b3009060355040613024348310d300b06035504081304566175643111300f060355040a13084e65787468696e6b310b3009060355040b130249543110300e060355040313074954205465616d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d301e170d3134303330353039353933 EAP-Message = 0x335a170d3139303631323039353933335a3081a2310b3009060355040613024348310d300b06035504081304566175643111300f060355040713084c617573616e6e653111300f060355040a13084e65787468696e6b3110300e060355040b13074954205465616d312c302a06035504031323636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba39cee32672aca7bbf26026be98e0563338f575ae8f93fe4c62b12c9c1653938f7b7b146284 EAP-Message = 0xe7ead531d6472e71d052af2cc834d48bb7db7ecf3c9256bee6aba1ef3d4033d01c5b5b6cc3979ca3c1a79ee5b008a93cbeb3a71e3afb7045181e4816d533c96a4f97c416888fab2567e3418d2bd9b717cf2d12e0f794ffe7a079526b86d88fc1071dfed371972c22f92dbe2ead837f56d54ac4dc8198458eb1bc853742594a383051f9cc7d587b1a54e5effe71ba0d66c0714469ee79c4908f9db05685971c97464787fb7de17249367db0298994a6bdc7a58c4e107b76d44c97a4d2b7eebbab98fa128487a5bce934f777335da34da5ed7004e1896f734122370203010001a38201ac308201a830090603551d1304023000301106096086480186f842 EAP-Message = 0x0101040403020640300b0603551d0f0404030203f830130603551d25040c300a06082b06010505070301303506096086480186f842010d042816264e65787468696e6b204f70656e53534c2047656e657261746564204365727469666963617465304e0603551d11044730458223636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d8210636973636f2d7377632d323530302d31820c3137322e31362e322e323534301d0603551d0e04160414d3f2b3a6d48a468f738ff5dd6056d3f384a6dbee301f0603551d23041830168014fb320a0d0c3081f1517718946a7797aee67a6e08303206096086480186f84201 EAP-Message = 0x0404251623687474703a2f2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25d967e67d724fec8265bde908 Finished request 9. Going to the next request Waking up in 1.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=5, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020300061900 State = 0xd864ff25d967e67d724fec8265bde908 Message-Authenticator = 0xc23739ad862e1f6d0f7c7239e03e0bae # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 10: Preceding "if" was taken ++ ... skipping else for request 10: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.16.2.254 port 32769 EAP-Message = 0x010402fc190069742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d30340603551d1f042d302b3029a027a0258623687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f300d06092a864886f70d0101050500038201010016fde58d60d1a9567e825fa65720dabad5ecfafc8ee146c6312a4b60983808a1261d94e1c4e84f4a70d770e8262a217f43a23cf034e86179aa921287198553fecea4f1277b811692a530321194137b17ef47c5b261ac36c8211e EAP-Message = 0x617b4e14cdd8dda6627de232040efd97d69c71d926d44869e59e91fcfcb8f90a5875aa9ddec2417dfa82c35980e7dacbb7fdd7a6247b961ff3fe0db906a8544982cc72fa100fd5a799e809eb4b9c4e0dac5728573f0b95aae8439a55528227d946fc1efae3ad8c28cacf093b62f6a27950ae3ea2ca391717334744d73ecfcd0152b3cc7b9eed59c5ece62c91846fc0e126fa1d2bdc3a8f4a9d1f806f9487fabae3a214d59d6f160301014b0c000147030017410478a4de69f4ad8220c537254cde9c4deab819de7b146976789b2620542928416358ba8b2046213d41b5a9e76e55eb80ef78267fe9ce67ae3ff3634883ea66d425010086a95017326c77 EAP-Message = 0x0b10f25ecac6eaf376eb49651546583a864cefedad7e433a296055474d89a606922ae82089f12e1bf5a70c0b427523a7c2e1a25a768c6e5a5e27bf693afa3e0ff073f9ec18c7940b7f39ee2e177bd253fec7e888e311aa8d44588b4cecd03d8406faf2eb4b2a186462f7b2d39861f452fc1289df0e485b09e55170de247779b33f7071d4662e146c3146d3c593837839fcedbed60590e5f57897b9aab5f8de56cc3bb02fd6f8ea0c6b67b17799b141e22e805aa335ae6970ee6904a393bdd0387de567ffb34bf399e0f29f2c735bae242897cf28c03559c848440775c4805cf4d32df122541b8a36c13ff5a7786fea547693ee40d4f7761bb016030100 EAP-Message = 0x040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25da60e67d724fec8265bde908 Finished request 10. Going to the next request Waking up in 1.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=6, length=393 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x02040090198000000086160301004610000042410465523734a03ce7e9294aa90ab1bdf73edf995304ed48594a22b89d9fda69b9e3f16fd81e69efb8c429c6978eb49954ab7ae742e075a49f9348d192b9da94a08b14030100010116030100300941f6b3bdb0e41dcd8db6feb7b532b06cc311d8a104046aa3a5ee388dfc7910abfcad52a634822025a635079bd931e1 State = 0xd864ff25da60e67d724fec8265bde908 Message-Authenticator = 0x2cd9b972ebdbfb770feea1c7084f121c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 11: Preceding "if" was taken ++ ... skipping else for request 11: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.2.254 port 32769 EAP-Message = 0x01050041190014030100010116030100309ef6c697a3b591a0093d0e8820f8730c6e3aa04fbaceda76a9bfe6de1f460580aa5c1ad747bd56b16b322d53efe5d6a5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25db61e67d724fec8265bde908 Finished request 11. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=7, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020500061900 State = 0xd864ff25db61e67d724fec8265bde908 Message-Authenticator = 0xd3ac100b594700e6e1e5022e10700a62 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 12: Preceding "if" was taken ++ ... skipping else for request 12: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 7 to 172.16.2.254 port 32769 EAP-Message = 0x0106002b19001703010020ebe2fa589f360ffc2ce812a7f1082a300c2f308607cc2100a483cd8636a2bb50 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25dc62e67d724fec8265bde908 Finished request 12. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=8, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0206002b190017030100202ed0c0fa87656289851bde561203fc530a4bc5695c2853429bf542f985236d01 State = 0xd864ff25dc62e67d724fec8265bde908 Message-Authenticator = 0x8d7853676140a0cf23c34a159f23ca9f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 13: Preceding "if" was taken ++ ... skipping else for request 13: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - user1 [peap] Got inner identity 'user1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26cbc59926ccdf9d42d5aad01356b8d4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26cbc59926ccdf9d42d5aad01356b8d4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 172.16.2.254 port 32769 EAP-Message = 0x0107004b1900170301004060a123198a4de75c4dea3082f6c982779e62e1320dad9a47d826e932a14cb74274e6f0a83d978599d93402f2d936b680e1b94fff0381a1014e70dc4d2553396e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25dd63e67d724fec8265bde908 Finished request 13. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=9, length=356 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0207006b190017030100607c3790d7ef3ab9b4bd3afdbc886ab2858d4ae0245c2c6c319fcc6e2779dd178d925be524703ea209f9ca275622178ace50e7e0799597ee87472655dc67e4367455be9555df9f705d26b133793e6b600fffd16456de72dd1da02e9413d1fe75f4 State = 0xd864ff25dd63e67d724fec8265bde908 Message-Authenticator = 0xafc5c3ea6de3504bbe6465406721cb95 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 14: Preceding "if" was taken ++ ... skipping else for request 14: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" State = 0x26cbc59926ccdf9d42d5aad01356b8d4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 69 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: user1 [mschap] Told to do MS-CHAPv2 for user1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> user1 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1 [mschap] Creating challenge hash with username: user1 [mschap] expand: %{mschap:Challenge} -> 758a3904d98ee0d6 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=758a3904d98ee0d6 [mschap] expand: %{mschap:NT-Response} -> 14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874 [mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of= Could not parse into seperate domain/name parts! Exec-Program output: (null) (0xc000000d) Exec-Program-Wait: plaintext: (null) (0xc000000d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 9 to 172.16.2.254 port 32769 EAP-Message = 0x0108002b19001703010020df11358c618d7724dc94e50e988bc104feceb801687c7f6d3e521f967399a96e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25de6ce67d724fec8265bde908 Finished request 14. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=10, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0208002b1900170301002096139b810b608b186b59db65e9d832b454b9f15a4445131330c212922c7e56db State = 0xd864ff25de6ce67d724fec8265bde908 Message-Authenticator = 0x75af079e0a94a782e2a349b17eb87ef9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 15: Preceding "if" was taken ++ ... skipping else for request 15: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 10 to 172.16.2.254 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.5 seconds. Cleaning up request 0 ID 251 with timestamp +6 Cleaning up request 1 ID 252 with timestamp +6 Cleaning up request 2 ID 253 with timestamp +6 Cleaning up request 3 ID 254 with timestamp +6 Cleaning up request 4 ID 255 with timestamp +6 Cleaning up request 5 ID 0 with timestamp +6 Cleaning up request 6 ID 1 with timestamp +6 Waking up in 1.0 seconds. ________________________________________ From: freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org> on behalf of Phil Mayers <p.mayers@imperial.ac.uk> Sent: Wednesday, May 7, 2014 3:55 PM To: freeradius-users@lists.freeradius.org Subject: Re: Setting ntlm_auth parameters depending on NAS-IP-Address On 07/05/14 14:17, Antoine Benkemoun wrote:
What am I doing incorrectly ?
Only sending a tiny portion of the debugging... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, May 07, 2014 at 02:35:27PM +0000, Antoine Benkemoun wrote:
Please find the entire debug log below.
That's still not the complete debug output (shoud start with the copyright notice), but there's at least enough to go on.
peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no
Set copy_request_to_tunnel to yes, otherwise the inner-tunnel doesn't see anything you've set. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Antoine Benkemoun -
Matthew Newton -
Phil Mayers -
Stefan Paetow