Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
You certainly dont need to set anything in your users file for 802.1X with an AD backend As already stated, where is your radiusd -X ? alan
Alan Buxey wrote
You certainly dont need to set anything in your users file for 802.1X with an AD backend
As already stated, where is your radiusd -X ?
I really apologize, I misunderstood you. Thank you so much! Here it is: FreeRADIUS Version 2.1.11, for host x86_64-redhat-linux-gnu, built on Sep 20 2011 at 13:55:32 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/mschap.org including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/perl.rpmnew including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/packetfence.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/packetfence including configuration file /etc/raddb/sites-enabled/packetfence-tunnel including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.10.20.62 { ipaddr = 10.10.20.62 require_message_authenticator = no secret = "testing123" shortname = "ap-tech01" } client 10.10.10.248 { ipaddr = 10.10.10.248 require_message_authenticator = no secret = "testing123" shortname = "wl-mgmt" } client 10.10.20.6 { ipaddr = 10.10.20.6 require_message_authenticator = no secret = "testing123" shortname = "testswitch" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap.org mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net--username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/pf/conf/ssl/server.key" certificate_file = "/usr/local/pf/conf/ssl/server.crt" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "peap" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "packetfence-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "packetfence-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server packetfence { # from file /etc/raddb/sites-enabled/packetfence modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/raddb/modules/perl.rpmnew perl { module = "/etc/raddb/example.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "pf" password = "pfz3n" radius_db = "pf" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM radius_nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " CALL acct_update ( '%S', '%{Acct-Session-Time}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Acct-Session-Id}', '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%{Acct-Status-Type}')" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " CALL acct_start ( '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " CALL acct_stop ( '%S', '%{Acct-Session-Time}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Acct-Terminate-Cause}', '%{%{Acct-Delay-Time}:-0}', '%{Connect-Info}', '%{Acct-Session-Id}', '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{Acct-Status-Type}')" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to pf@localhost:/pf rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM radius_nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Read entry nasname=10.0.10.2,shortname=10.0.10.2,secret=s3cr3t rlm_sql (sql): Adding client 10.0.10.2 (10.0.10.2, server=<none>) to clients list rlm_sql (sql): Read entry nasname=10.0.10.3,shortname=10.0.10.3,secret=s3cr3t rlm_sql (sql): Adding client 10.0.10.3 (10.0.10.3, server=<none>) to clients list rlm_sql (sql): Released sql socket id: 4 Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server packetfence-tunnel { # from file /etc/raddb/sites-enabled/packetfence-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" virtual_server = "packetfence" ipaddr = * port = 0 } listen { type = "acct" virtual_server = "packetfence" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 59940 Listening on authentication address * port 1812 as server packetfence Listening on accounting address * port 1813 as server packetfence Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net--username=%{mschap:User-Name} ^^^^^^^^^^^^^^
PS you have a typo alan
Alan Buxey wrote
Hi,
Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net--username=%{mschap:User-Name} ^^^^^^^^^^^^^^
PS you have a typo
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, sorry, I manually removed my domain and changed it to domain.net in the log. It is actually like this: program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net --username=%{mschap:User-Name} --password=%{User-Password}" -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Alan, here is the output of everything with a failed request: FreeRADIUS Version 2.1.11, for host x86_64-redhat-linux-gnu, built on Sep 20 2011 at 13:55:32 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/mschap.org including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/perl.rpmnew including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/packetfence.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/packetfence including configuration file /etc/raddb/sites-enabled/packetfence-tunnel including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.10.20.62 { ipaddr = 10.10.20.62 require_message_authenticator = no secret = "testing123" shortname = "ap-tech01" } client 10.10.10.248 { ipaddr = 10.10.10.248 require_message_authenticator = no secret = "testing123" shortname = "wl-mgmt" } client 10.10.20.6 { ipaddr = 10.10.20.6 require_message_authenticator = no secret = "testing123" shortname = "testswitch" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap.org mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/pf/conf/ssl/server.key" certificate_file = "/usr/local/pf/conf/ssl/server.crt" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "peap" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "packetfence-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "packetfence-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server packetfence { # from file /etc/raddb/sites-enabled/packetfence modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/raddb/modules/perl.rpmnew perl { module = "/etc/raddb/example.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "pf" password = "pfz3n" radius_db = "pf" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM radius_nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " CALL acct_update ( '%S', '%{Acct-Session-Time}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Acct-Session-Id}', '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%{Acct-Status-Type}')" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " CALL acct_start ( '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " CALL acct_stop ( '%S', '%{Acct-Session-Time}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Acct-Terminate-Cause}', '%{%{Acct-Delay-Time}:-0}', '%{Connect-Info}', '%{Acct-Session-Id}', '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{Acct-Status-Type}')" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to pf@localhost:/pf rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM radius_nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Read entry nasname=10.0.10.2,shortname=10.0.10.2,secret=s3cr3t rlm_sql (sql): Adding client 10.0.10.2 (10.0.10.2, server=<none>) to clients list rlm_sql (sql): Read entry nasname=10.0.10.3,shortname=10.0.10.3,secret=s3cr3t rlm_sql (sql): Adding client 10.0.10.3 (10.0.10.3, server=<none>) to clients list rlm_sql (sql): Released sql socket id: 4 Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server packetfence-tunnel { # from file /etc/raddb/sites-enabled/packetfence-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" virtual_server = "packetfence" ipaddr = * port = 0 } listen { type = "acct" virtual_server = "packetfence" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 55126 Listening on authentication address * port 1812 as server packetfence Listening on accounting address * port 1813 as server packetfence Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=61, length=147 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User EAP-Message = 0x0201000901726f6f74 User-Name = "root" NAS-Port = 34226 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x67b17e9993463e70db7e096dd5d4b3b6 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 00-1F-DA-26-5D-44:SISD-Network rlm_perl: Added pair Calling-Station-Id = 00-16-EA-B9-D1-CC rlm_perl: Added pair Message-Authenticator = 0x67b17e9993463e70db7e096dd5d4b3b6 rlm_perl: Added pair User-Name = root rlm_perl: Added pair NAS-Identifier = nortel rlm_perl: Added pair EAP-Message = 0x0201000901726f6f74 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-Port = 34226 rlm_perl: Added pair NAS-IP-Address = 10.10.10.248 rlm_perl: Added pair NAS-Port-Id = AP106/1 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 61 to 10.10.10.248 port 20002 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2af34a91245e3660c64ffaedc Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=62, length=261 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2af34a91245e3660c64ffaedc EAP-Message = 0x0202006919800000005f160301005a0100005603014edff0b468a58899972e56fbb9f1b99c921d470fe5329bcfe95178b01e4edac000002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x0892c5e18f0c208992ade2392662cb3e server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03c6], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 62 to 10.10.10.248 port 20002 EAP-Message = 0x0103040019c00000059c16030100310200002d03014edff0adacd131ad32bec0487d28c935cc37e7b21c6c9004cb41063b0e395e4d000039010005ff0100010016030103c60b0003c20003bf0003bc308203b830820321a003020102020900d7e5a8b062d02a9d300d06092a864886f70d010105050030819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c3110300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886 EAP-Message = 0xf70d010901160f696e666f40696e76657273652e6361301e170d3130313231353133303334315a170d3131313231353133303334315a30819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c3110300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886f70d010901160f696e666f40696e76657273652e636130819f300d06092a864886f70d010101050003818d0030818902818100d0bae3ce81b9b0400f3c5a0797 EAP-Message = 0x883f6d5e65f47406d8113d6f130a23e3a8b510b77151cc3b9649a00f8da02ee73708db086a6ad7edc3fdc7b05f177de8e8ad213b6ac89caa7b90cc280c23bfd25dcf7301b36b3b818843f9fe77a257cc1fab440810681231fc36f46adb975d8a11e3e087184c2c39e4c9d2d30b1720277266830203010001a38201023081ff301d0603551d0e04160414efaa30ae427efe60d4b7c35731e0ca43a1b75a483081cf0603551d230481c73081c48014efaa30ae427efe60d4b7c35731e0ca43a1b75a48a181a0a4819d30819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c31 EAP-Message = 0x10300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886f70d010901160f696e666f40696e76657273652e6361820900d7e5a8b062d02a9d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100c09312319dccad1bfec206a62c9c77bbb74656590be5a561286a908164511222d6e6186469f138ea8a3fd6c8275c52099e8fe3cc320f6608ac985aa708e12849557fe2eaeab145218b564afe1912e89598827acb8a8a9a6470c5ef9069a850a8b4e385247883b1ac7d EAP-Message = 0xfaab6e6afe7983e3ceb172c2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2ae35a91245e3660c64ffaedc Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=63, length=162 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2ae35a91245e3660c64ffaedc EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0xe38005c4b1706e6a7e29a119271fbb9e server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 63 to 10.10.10.248 port 20002 EAP-Message = 0x010401ac1900e7070bb109e432d02aff17160301018d0c0001890080ae1d1b6b98fc24a1c1a88fc0a5cc9336e32a91ffdbbd7cdda4254471177ebdcf5cb8290384e622ac3e1662827ca4de0c714f54f13a7312a947377cf1ffbd023973d0273d4639f3c6c40362daed439f6255cd2e0413361d5300867f69b4ab9dca321e2b78e7c8165b4e8fdbeca2553ff4863437af508d69005b120eaa588cf823000102008020ddb6aa8cb827e7e5be20b502f84a73fe0a8dbff1945af8831747285261ae418bbfac2d0579df608e1006eb7e415072a8a860d8b9c2b8499dc1525f2081d26dc8ccd2054365b61eebec90345984a9fec5af45b335fd7c2e44a69bca EAP-Message = 0xf9fbfb95f4a13a08d42df26a32d8c926d3d72c0664126521b6c8bf232d5fd69e315a8851008003f9499c227efa3b95e285c45357685011aeb0beaa2c0422378382e88ee3f4258da149c67ce3e8584ef76f70ee947ab2da275ccf031e413417ab72d8889d93af4f1ca17a0c9a21a09147110d1fc789055030d32d86da39ba23c42ffb72b59d159bf5ec4172dc15965514614648754da6b0902e80b27a837b8918608e6d8e318516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2ad32a91245e3660c64ffaedc Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=64, length=364 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2ad32a91245e3660c64ffaedc EAP-Message = 0x020400d01980000000c6160301008610000082008092b9a410e808d237744779f110f70552b38ec2d4dd188e21575b6d5f7cd22b1e6db23b4dda7b1cfb9b4a6772c0c03c5640162592d066de5a1bcb4b79e21a960fe4990db86f7e568f68050e56a3bc56b0c745068ad73fa850fc347a1eba7646e2294d733ced97b62ae5b7404dd98cf9df9d8f2596151f5298f2f4bdd099799ec51403010001011603010030df577db3d91d6a53405732e0a7eba3f6ab6cc4cf6552e5016328c539cf31f675ffd998f533fdd5093095bf248045b523 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0xf5d9553516cf0faaec30deb3e79c929f server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 64 to 10.10.10.248 port 20002 EAP-Message = 0x0105004119001403010001011603010030e4e932ca10085dc09c1bd1acfe0bdc87b26add99901309336399b1d80dbfbb63852a27a2e9c1675864720e1427e77fc3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2ac33a91245e3660c64ffaedc Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=65, length=162 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2ac33a91245e3660c64ffaedc EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0xbf3a9673681c3544660979bcfdd9b7c6 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 65 to 10.10.10.248 port 20002 EAP-Message = 0x0106002b19001703010020e87c17e1cbf292b1387072fbf82e0f8306925df48600f6024d353ad9f0515980 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2ab30a91245e3660c64ffaedc Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=66, length=236 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2ab30a91245e3660c64ffaedc EAP-Message = 0x0206005019001703010020b98b473f80dcbe37e138317408332995274dc8832866adbe5d4578824a37c13f1703010020f13c60a3f1a6e62bc66ffc2b4cd9be5d37bc5eb4e3a394945dce930a1710683a NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x8c20eac6c85651df81786df0a66c9542 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - root [peap] Got inner identity 'root' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000901726f6f74 server packetfence { [peap] Setting User-Name to root Sending tunneled request EAP-Message = 0x0206000901726f6f74 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "root" NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User NAS-Port = 34226 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server packetfence-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001e1a0107001910fb87d2354d16a17ba3aa64af6c95fb27726f6f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b88b6ab6b8facaa14b7c1873fd1677f [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001e1a0107001910fb87d2354d16a17ba3aa64af6c95fb27726f6f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b88b6ab6b8facaa14b7c1873fd1677f [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 66 to 10.10.10.248 port 20002 EAP-Message = 0x0107004b190017030100405fec8f8ae5015542f5e084b6b4f67293733c2effe80335b42743c49489a6062d535d6117ce761ac83a5410e80e61932c3f93f9678abe00b4265416ca3be08e8e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2aa31a91245e3660c64ffaedc Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=67, length=300 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2aa31a91245e3660c64ffaedc EAP-Message = 0x02070090190017030100206596115f207417624f7e845470af0daba727efb425ba1ff92e5a84387bce9dbb170301006074f16a40d50bc69b19aaedcb83bd9c7f621b74124c7931f77f8de496e0acc65855ed639549468d8c377d9fa5f38b6bef176bf360b3ce0680441a3cfd90303fd0761c3fa4ee743750b7a04401b06dbc39a90553bdb8b9c9d22ea0af456dfacd33 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x46167adc047836922a303f08d753acd6 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003f1a0207003a310bda09a2bb62b8ca9a94e214e64373b20000000000000000c89da9ba6263f2d4df64b83fd944c0a92235c071adacb59400726f6f74 server packetfence { [peap] Setting User-Name to root Sending tunneled request EAP-Message = 0x0207003f1a0207003a310bda09a2bb62b8ca9a94e214e64373b20000000000000000c89da9ba6263f2d4df64b83fd944c0a92235c071adacb59400726f6f74 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "root" State = 0x6b88b6ab6b8facaa14b7c1873fd1677f NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User NAS-Port = 34226 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: root [mschap] Told to do MS-CHAPv2 for root with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server packetfence-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 67 to 10.10.10.248 port 20002 EAP-Message = 0x0108003b19001703010030d18b45652351f7055aa8417380e76fce9407bb8e74b1d976dd08afaef470ff74b1270a5c085e0741cee95216b810a5b7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf36b0c2a93ea91245e3660c64ffaedc Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=68, length=252 NAS-Port-Id = "AP106/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-5D-44:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34226 State = 0xaf36b0c2a93ea91245e3660c64ffaedc EAP-Message = 0x0208006019001703010020b867c7f00506b3da75ae1601e918021a86f57769a75309e0fb9a3bab27747d01170301003043ca211c07014d4bb70d4cf6f6ef8a6a734c407f18a53e60231a8576d3be6a38093d4c8d9e955cf6f82095aca0af0849 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x959967d9d0f9546b78e7b41e418ebb0f server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server packetfence Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> root attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 68 to 10.10.10.248 port 20002 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 61 with timestamp +24 Cleaning up request 1 ID 62 with timestamp +24 Cleaning up request 2 ID 63 with timestamp +24 Cleaning up request 3 ID 64 with timestamp +24 Cleaning up request 4 ID 65 with timestamp +24 Cleaning up request 5 ID 66 with timestamp +24 Cleaning up request 6 ID 67 with timestamp +24 Waking up in 1.0 seconds. Cleaning up request 7 ID 68 with timestamp +24 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=69, length=146 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User EAP-Message = 0x0201000901726f6f74 User-Name = "root" NAS-Port = 34227 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x0b98b579a67fd329b8eada71c739bd17 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 00-1F-DA-26-13-84:SISD-Network rlm_perl: Added pair Calling-Station-Id = 00-16-EA-B9-D1-CC rlm_perl: Added pair Message-Authenticator = 0x0b98b579a67fd329b8eada71c739bd17 rlm_perl: Added pair User-Name = root rlm_perl: Added pair NAS-Identifier = nortel rlm_perl: Added pair EAP-Message = 0x0201000901726f6f74 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-Port = 34227 rlm_perl: Added pair NAS-IP-Address = 10.10.10.248 rlm_perl: Added pair NAS-Port-Id = AP10/1 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 69 to 10.10.10.248 port 20002 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024c57ddad96cddff26bead54e Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=70, length=260 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024c57ddad96cddff26bead54e EAP-Message = 0x0202006919800000005f160301005a0100005603014edff0c206fa4aebac77ea7287a730712aa02a639261fb9263a31f4dba9570f500002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x65754af26fd67660dc824381a2234e2c server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03c6], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 70 to 10.10.10.248 port 20002 EAP-Message = 0x0103040019c00000059c16030100310200002d03014edff0bcc8d51f46c18cf9ec3e9797df99364c4294a4a1ab97ea46efdb5183fa000039010005ff0100010016030103c60b0003c20003bf0003bc308203b830820321a003020102020900d7e5a8b062d02a9d300d06092a864886f70d010105050030819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c3110300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886 EAP-Message = 0xf70d010901160f696e666f40696e76657273652e6361301e170d3130313231353133303334315a170d3131313231353133303334315a30819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c3110300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886f70d010901160f696e666f40696e76657273652e636130819f300d06092a864886f70d010101050003818d0030818902818100d0bae3ce81b9b0400f3c5a0797 EAP-Message = 0x883f6d5e65f47406d8113d6f130a23e3a8b510b77151cc3b9649a00f8da02ee73708db086a6ad7edc3fdc7b05f177de8e8ad213b6ac89caa7b90cc280c23bfd25dcf7301b36b3b818843f9fe77a257cc1fab440810681231fc36f46adb975d8a11e3e087184c2c39e4c9d2d30b1720277266830203010001a38201023081ff301d0603551d0e04160414efaa30ae427efe60d4b7c35731e0ca43a1b75a483081cf0603551d230481c73081c48014efaa30ae427efe60d4b7c35731e0ca43a1b75a48a181a0a4819d30819a310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c31 EAP-Message = 0x10300e060355040a1307496e766572736531123010060355040b13095a656e2047726f75703121301f0603550403131870662d7a656e2e7061636b657466656e63652e6c6f63616c311e301c06092a864886f70d010901160f696e666f40696e76657273652e6361820900d7e5a8b062d02a9d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100c09312319dccad1bfec206a62c9c77bbb74656590be5a561286a908164511222d6e6186469f138ea8a3fd6c8275c52099e8fe3cc320f6608ac985aa708e12849557fe2eaeab145218b564afe1912e89598827acb8a8a9a6470c5ef9069a850a8b4e385247883b1ac7d EAP-Message = 0xfaab6e6afe7983e3ceb172c2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024d56ddad96cddff26bead54e Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=71, length=161 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024d56ddad96cddff26bead54e EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x9ebd80fc54e21300c0a0c31f86904746 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 71 to 10.10.10.248 port 20002 EAP-Message = 0x010401ac1900e7070bb109e432d02aff17160301018d0c0001890080ae1d1b6b98fc24a1c1a88fc0a5cc9336e32a91ffdbbd7cdda4254471177ebdcf5cb8290384e622ac3e1662827ca4de0c714f54f13a7312a947377cf1ffbd023973d0273d4639f3c6c40362daed439f6255cd2e0413361d5300867f69b4ab9dca321e2b78e7c8165b4e8fdbeca2553ff4863437af508d69005b120eaa588cf82300010200801e74524c3b3b710f2c47c5eaa13cb2e8ed528998e66944b2159ef2cbbc2b21895b51e3fbd1e93c2472be7d06356b6384bcaff0e11ca550299217a0f86b13ae783a0a7dba5f98d1462c1ed9a45a04199574cd3b626f0161a33131de6f EAP-Message = 0x75885183faccf5b044eb1d954ddabd1fcd4d14311bc82bfc2b5e2d1cd95b68c6288f374400807831af77278bd0b8487c1c60d50ede5c2ec2fbd25d49dec7c19d8cfa8e46d2479b221b7d5a70bd05605c30d8fdb3ba549b42d35969e24c7e6a406fc82d60892b44d6adee4c5191249dda21449bca7bc287c8669f2093b152f4f2b8c106bbb8d0d6016d5ae05036beda4dc63499631556bda3e6ebf0e212f3d6ca95a748127c6a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024e51ddad96cddff26bead54e Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=72, length=363 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024e51ddad96cddff26bead54e EAP-Message = 0x020400d01980000000c616030100861000008200809707ada8891b5b8732d3e2e6559732053186f9906caa95a932f689aea84078bd551a4a2baa584897609c49fccf18bc33be35937af45b0d14ef022875b0476b38ea7bf21a008e759a80a09f0b3a4d29924ac4e1e99e927449c86087a548bcf7a092678598c01337502582d857e25516653b95288b7b04f9f34ff0dfae4faf40b514030100010116030100301a93526835d73374242910e3a1d44b77c8e1b4f07a71e1cdf93e8cdbef044ee21b5f77354378c203d53c1b6384766313 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x4573cb2feb18e1ae10b45140dfb491f0 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 72 to 10.10.10.248 port 20002 EAP-Message = 0x0105004119001403010001011603010030b7f2dda2141908d5c00b03a993ecf65d0e8276aeaa704260fdc3510379f0268dcdde58ee9c33dac7cbeaeea0a2d67583 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024f50ddad96cddff26bead54e Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=73, length=161 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024f50ddad96cddff26bead54e EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0xd00e6c4f35ab22f0edcef9c920f9a16e server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 73 to 10.10.10.248 port 20002 EAP-Message = 0x0106002b190017030100205512c1050028141dad167996c3a6213ffa391c6bd74751fe66b0e4ff7adc0cf3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024853ddad96cddff26bead54e Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=74, length=235 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024853ddad96cddff26bead54e EAP-Message = 0x020600501900170301002000f271c8996a0ca382e1f1b06f30848c5d9abfc6eee88c4e59fe2dcb6025d0ae17030100208db10d6e4050fa30653e9a7d3d4319ac5d8629475ba86712a3abd58204b85309 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x40afcade72b64e4ac74db86f50cf49f0 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - root [peap] Got inner identity 'root' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000901726f6f74 server packetfence { [peap] Setting User-Name to root Sending tunneled request EAP-Message = 0x0206000901726f6f74 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "root" NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User NAS-Port = 34227 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server packetfence-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001e1a01070019103c00ea0133661772652dfb87862e4efd726f6f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfe4925f9fe4e3f08e2a0212b65b17789 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001e1a01070019103c00ea0133661772652dfb87862e4efd726f6f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfe4925f9fe4e3f08e2a0212b65b17789 [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 74 to 10.10.10.248 port 20002 EAP-Message = 0x0107004b19001703010040d6434d09c133555bd4d8867f97f04b1963209c2643ae362557c20a6ebdc0903deff56d1dfb16bd0aa2c98a8568fccd2d9242ae292398f19acd4616129bca8687 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024952ddad96cddff26bead54e Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=75, length=283 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024952ddad96cddff26bead54e EAP-Message = 0x0207008019001703010020459b689e94fcfd2a88456d0ede1bab1721702871480871c66851ab0277cd9aad170301005017ff917d7bd7d65f4fac6bc5853dfc80aa95c3ec2695db019b324735ff3ebabf4cfe58c0af3b9267144f70adacd1f63c6dbbe8df1e9586949355c8e16e6294cadf57f022ed2bee71ae73d8b2b22936b1 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x246fc719dd9f9021625e84eacb4fbe15 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 7 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003f1a0207003a311f382a1292c90e9994672e496c68b35900000000000000004570058d9c93331e2bb40eb615aebd08af8d2b07e989150b00726f6f74 server packetfence { [peap] Setting User-Name to root Sending tunneled request EAP-Message = 0x0207003f1a0207003a311f382a1292c90e9994672e496c68b35900000000000000004570058d9c93331e2bb40eb615aebd08af8d2b07e989150b00726f6f74 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "root" State = 0xfe4925f9fe4e3f08e2a0212b65b17789 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User NAS-Port = 34227 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" server packetfence-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: root [mschap] Told to do MS-CHAPv2 for root with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server packetfence-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 75 to 10.10.10.248 port 20002 EAP-Message = 0x0108003b19001703010030f23ec13089472e78eb2bbf1832ccd10aacee066f33334760c631b443d839d475eeb2154f7fd7cfb7a8fc15d49c0f1726 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c55c4024a5dddad96cddff26bead54e Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.248 port 20002, id=76, length=251 NAS-Port-Id = "AP10/1" Calling-Station-Id = "00-16-EA-B9-D1-CC" Called-Station-Id = "00-1F-DA-26-13-84:SISD-Network" Service-Type = Framed-User User-Name = "root" NAS-Port = 34227 State = 0x4c55c4024a5dddad96cddff26bead54e EAP-Message = 0x0208006019001703010020d0a076e0886ed8f711e2d9f2db9c6a6771d313da2404188e915fda4f1037106f170301003027d03276b097f867ad673c482e27ab904084d0aaa8b5ca189cc35d2324a22d895883dae6632429c25bffb5dd5c9e7e6b NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.10.10.248 NAS-Identifier = "nortel" Message-Authenticator = 0x58010b5c4b58602e6d1a9ee4ae7e4b38 server packetfence { # Executing section authorize from file /etc/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[preprocess] returns ok [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server packetfence Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> root attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 76 to 10.10.10.248 port 20002 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 8 ID 69 with timestamp +39 Cleaning up request 9 ID 70 with timestamp +39 Cleaning up request 10 ID 71 with timestamp +39 Cleaning up request 11 ID 72 with timestamp +39 Cleaning up request 12 ID 73 with timestamp +39 Cleaning up request 13 ID 74 with timestamp +39 Cleaning up request 14 ID 75 with timestamp +39 Waking up in 1.0 seconds. Cleaning up request 15 ID 76 with timestamp +39 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Dec 8, 2011 at 6:11 AM, lint <lint@pillclan.com> wrote:
Alan, here is the output of everything with a failed request:
Did you read this?
Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap.org mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes }
and http://deployingradius.com/documents/configuration/active_directory.html , section Configuring FreeRADIUS to use ntlm_auth for MS-CHAP: "... Then, fine the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It is commented out by default, and should be uncommented, and edited to be as follows ..." you either have NOT edit it, or have a rogue file (/etc/raddb/modules/mschap.org?) that messed up your configuration. Fix it until the debug log shows mschap module is using ntlm_auth. -- Fajar
Fajar A. Nugraha-2 wrote
Did you read this?
Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap.org mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes }
and http://deployingradius.com/documents/configuration/active_directory.html , section Configuring FreeRADIUS to use ntlm_auth for MS-CHAP: "... Then, fine the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It is commented out by default, and should be uncommented, and edited to be as follows ..."
you either have NOT edit it, or have a rogue file (/etc/raddb/modules/mschap.org?) that messed up your configuration. Fix it until the debug log shows mschap module is using ntlm_auth.
-- Fajar -
Ah, that is clear now. I made backups of the files in modules before I modified them, as I always do with configuration files. I didn't realize that FreeRADIUS loads all modules. I will move the backups to my home directory and try again tomorrow. Thank you Alan and Fajar! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Dec 8, 2011 at 9:26 AM, lint <lint@pillclan.com> wrote:
I made backups of the files in modules before I modified them, as I always do with configuration files. I didn't realize that FreeRADIUS loads all modules. I will move the backups to my home directory and try again tomorrow
Somewhat off topic, did you know you can use git to keep track of configuration changes? Something like this should make your live a lot easier - cd /etc/raddb - git init - everytime you make a change, do "git commit -a" -- Fajar
Fajar A. Nugraha-2 wrote
Somewhat off topic, did you know you can use git to keep track of configuration changes? Something like this should make your live a lot easier - cd /etc/raddb - git init - everytime you make a change, do "git commit -a"
-- Fajar
I have heard of git in the past through github, but thought that it was really only used by programmers to collaborate on project changes. I will definitely start using this command. Seriously, Fajar, thank you for your time on this. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Just to post a confirmation, this was my issue (multiple copies of modules in the /etc/raddb/modules directory), which was self-inflicted since I kept them there. I had other issues come up with permissions, logon failures due to realm, etc. All were resolved with the FreeRADIUS documentation and radius log. I now am able to authenticate against AD! Thank you both, Alan and Fajar! This has been a great learning experience :) -- View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan Buxey -
Fajar A. Nugraha -
lint