Re: Renaming during Machine Authentication
Hi Phil thanks for answering. I am trying to authenticate the machines on bootup. I have an edir backend and am following this cool solutions article which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about atrrib-rewrite but use it in the radiusd.conf file which in my limited knowledge of freeradius I think is an older way of doing it. Right now if i join a machine to the samba domain I have created, it automatically is imported into edirectory and named "machinename$". The article is not complete so I am really not sure if the machine is supposed to authenticate to edir or samba during bootup but the end result I want is the machine to authenticate on startup so the user has a single sign on experience like they would if they plugged into the network. Thanks again Mark
Phil Mayers <p.mayers@imperial.ac.uk> 05/14/11 2:50 AM >>> On 05/13/2011 11:21 PM, Mark Jones wrote: That sounds good...where exactly do I put that in the config files?
Well, since you didn't explain why you wanted to rename it (for what purpose) I can't say for sure. Usually, a lot of what goes on in FreeRADIUS is done with string expansions - for example you might have an SQL query defined in sql.conf: some_query = "select something from table where username='%{SQL-User-Name}" In this case, you're replace that with: some_query = "select something from table where username='%{mschap:User-Name}" But this is just an example. You need to be more specific about the problem(s) you're having if you want people to give you advice. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
On 05/16/2011 01:03 AM, Mark Jones wrote:
Hi Phil thanks for answering. I am trying to authenticate the machines on bootup. I have an edir backend and am following this cool solutions article which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about atrrib-rewrite but use it in the radiusd.conf file which in my limited knowledge of freeradius I think is an older way of doing it.
Yeah, don't do it that way. Aside from the config in the article being subtly wrong (regexp in the 2nd rewrite module isn't right), there are easier ways to accomplish mutating the username if you need to do that, which you don't because you can just use %{mschap:User-Name} and it'll do it for you (as well as being more obvious IMHO)
Right now if i join a machine to the samba domain I have created, it automatically is imported into edirectory and named "machinename$". The article is not complete so I am really not sure if the machine is
I'm not familiar with eDir so can't say. Is it working for you now? If not, post a debug and someone can probably suggest what needs changing.
Still not working. Here is the debug: radius2:/home/radius # radiusd -X FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.152.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.24.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.56.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.32.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.16.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.72.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "172.17.152.4" port = 636 password = "xxxxxx" identity = "cn=admin,o=hpsd_48" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=hpsd_48" filter = "(uid=%{mschap:User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x8197a38 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=91, length=203 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "host/TECH-11501" Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd MS-CHAP2-Response = 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/TECH-11501", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for host/TECH-11501 [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TECH-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TECH-11501$) [ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TECH-11501 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TECH-11501 [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/TECH-11501 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 91 to 10.152.0.100 port 32819 Waking up in 4.9 seconds. Cleaning up request 0 ID 91 with timestamp +41 Ready to process requests.
Phil Mayers <p.mayers@imperial.ac.uk> 5/16/2011 3:01 AM >>> On 05/16/2011 01:03 AM, Mark Jones wrote: Hi Phil thanks for answering. I am trying to authenticate the machines on bootup. I have an edir backend and am following this cool solutions article which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about atrrib-rewrite but use it in the radiusd.conf file which in my limited knowledge of freeradius I think is an older way of doing it.
Yeah, don't do it that way. Aside from the config in the article being subtly wrong (regexp in the 2nd rewrite module isn't right), there are easier ways to accomplish mutating the username if you need to do that, which you don't because you can just use %{mschap:User-Name} and it'll do it for you (as well as being more obvious IMHO)
Right now if i join a machine to the samba domain I have created, it automatically is imported into edirectory and named "machinename$". The article is not complete so I am really not sure if the machine is
I'm not familiar with eDir so can't say. Is it working for you now? If not, post a debug and someone can probably suggest what needs changing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
User-Name = "host/TECH-11501"
Machines which are in the domain normally have this as: host/name.domain.com i.e. there is a "domain.com" at the end of the name. The absence of that suggests to me that the machine is not a domain member. Is that the case? If so, it cannot do machine auth.
Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd MS-CHAP2-Response = 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
Great. More Aruba, probably terminating the PEAP locally. What a junky product. See other posts on the list in the past few days - you should DISABLE "terminate PEAP" (or whatever the option is) on your Aruba equipment, and let it do the EAP/PEAP.
+- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TECH-11501 [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Hmm. Indicating the password is not correct or the EAP has been fiddled with.
This is on a samba domain Phil as per the cool solutions article I mentioned in an earlier post. I am looking into my Aruba settings now for termination Mark
Phil Mayers <p.mayers@imperial.ac.uk> 5/19/2011 1:58 AM >>>
User-Name = "host/TECH-11501"
Machines which are in the domain normally have this as: host/name.domain.com i.e. there is a "domain.com" at the end of the name. The absence of that suggests to me that the machine is not a domain member. Is that the case? If so, it cannot do machine auth.
Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd MS-CHAP2-Response = 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
Great. More Aruba, probably terminating the PEAP locally. What a junky product. See other posts on the list in the past few days - you should DISABLE "terminate PEAP" (or whatever the option is) on your Aruba equipment, and let it do the EAP/PEAP.
+- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TECH-11501 [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Hmm. Indicating the password is not correct or the EAP has been fiddled with. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Yeah, not sure what "Abooba" does when it terminates PEAP, but it weirds things out sometimes. Still doesn't explain why XP just worked but W7 had bunches of issues, but I can attest that making the Abooba controllers pas *eap to FR works better - maybe works 100%. The only thing we noticed is, if Abooba does NOT terminate PEAP - there is no "local" login option available. We had our two FR servers configured as well as local login (as last resort). I guess now we need to be REALLY sure at least one FR server is up all the time! G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Mark Jones Sent: Thursday, May 19, 2011 12:15 PM To: freeradius-users@lists.freeradius.org Subject: Re: Renaming during Machine Authentication This is on a samba domain Phil as per the cool solutions article I mentioned in an earlier post. I am looking into my Aruba settings now for termination Mark
Phil Mayers <p.mayers@imperial.ac.uk> 5/19/2011 1:58 AM >>>
User-Name = "host/TECH-11501"
Machines which are in the domain normally have this as: host/name.domain.com i.e. there is a "domain.com" at the end of the name. The absence of that suggests to me that the machine is not a domain member. Is that the case? If so, it cannot do machine auth.
Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd MS-CHAP2-Response = 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
Great. More Aruba, probably terminating the PEAP locally. What a junky product. See other posts on the list in the past few days - you should DISABLE "terminate PEAP" (or whatever the option is) on your Aruba equipment, and let it do the EAP/PEAP.
+- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TECH-11501 [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Hmm. Indicating the password is not correct or the EAP has been fiddled with. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Here is the latest debug...Im not sure what to try next. mark radius2:/home/radius # radiusd -X FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.152.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.24.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.56.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.32.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.16.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.72.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "172.17.152.4" port = 636 password = "xxxxxx" identity = "cn=admin,o=hpsd_48" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=hpsd_48" filter = "(uid=%{mschap:User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x819b6d0 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "host/TEST-11501.hpsd48.ab.ca" Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f MS-CHAP2-Response = 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02 Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/TEST-11501.hpsd48.ab.ca attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 186 to 10.152.0.100 port 32819 Waking up in 4.9 seconds. Cleaning up request 0 ID 186 with timestamp +41 Ready to process requests.
Phil Mayers <p.mayers@imperial.ac.uk> 5/19/2011 1:58 AM >>>
User-Name = "host/TECH-11501"
Machines which are in the domain normally have this as: host/name.domain.com i.e. there is a "domain.com" at the end of the name. The absence of that suggests to me that the machine is not a domain member. Is that the case? If so, it cannot do machine auth.
Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd MS-CHAP2-Response = 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
Great. More Aruba, probably terminating the PEAP locally. What a junky product. See other posts on the list in the past few days - you should DISABLE "terminate PEAP" (or whatever the option is) on your Aruba equipment, and let it do the EAP/PEAP.
+- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TECH-11501 [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Hmm. Indicating the password is not correct or the EAP has been fiddled with. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
On 05/20/2011 10:33 PM, Mark Jones wrote:
Here is the latest debug...Im not sure what to try next.
Latest debug... ok, what has changed?
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "host/TEST-11501.hpsd48.ab.ca" Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f MS-CHAP2-Response = 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02 Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
This is still a plain MSCHAP request, indicating that the Aruba equipment is still terminating the PEAP itself, and translating the EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you change this.
# Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' <mailto:'@'> in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca
So this is a full host/name.domain.com now - what did you change?
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxxx in check items as Cleartext-Password
Ok, you're using Novell eDir here? Are you using DSFW? I know almost nothing about Novell, but a recent poster to the list was using eDir and DFSW, and he suggested that you need to: 1. use LDAP/eDir for users 2. use Samba/ntlm_auth for machines See here: https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.ht...
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Again, only three possible choices: 1. The client is sending the wrong data (i.e password - unlikely) 2. The server is using the wrong data (i.e. password from LDAP is incorrect) 3. Something is fiddling with the data in-flight (e.g. Aruba messing with the EAP)
Phil Mayers <p.mayers@imperial.ac.uk> 5/21/2011 3:08 AM >>> On 05/20/2011 10:33 PM, Mark Jones wrote: Here is the latest debug...Im not sure what to try next.
Latest debug... ok, what has changed? I added the dns suffix to the computer name
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "host/TEST-11501.hpsd48.ab.ca" Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f MS-CHAP2-Response = 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02 Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
This is still a plain MSCHAP request, indicating that the Aruba equipment is still terminating the PEAP itself, and translating the EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you change this. Your right I turned it off and then re-enabled it my next post will be with it off
# Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' <mailto:'@'> in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca
So this is a full host/name.domain.com now - what did you change? as per above i added the dns suffix to the computer (under name change...more)
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxxx in check items as Cleartext-Password
Ok, you're using Novell eDir here? Are you using DSFW? Edir only I know almost nothing about Novell, but a recent poster to the list was using eDir and DFSW, and he suggested that you need to: 1. use LDAP/eDir for users 2. use Samba/ntlm_auth for machines See here: https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.ht...
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Again, only three possible choices: 1. The client is sending the wrong data (i.e password - unlikely) 2. The server is using the wrong data (i.e. password from LDAP is incorrect) 3. Something is fiddling with the data in-flight (e.g. Aruba messing with the EAP) I will post a new debug with termination off in a couple minutes - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Your email client is mangling the quoting, which makes it really hard to read your replies. Please fix it!
So this is a full host/name.domain.com now - what did you change?
as per above i added the dns suffix to the computer (under name change...more)
Just renaming the machine won't help. Is the machine a member of a windows domain? If it is, you shouldn't be able to do this renaming. If it isn't, machine auth will NEVER WORK.
Here is the latest debug with termination on Aruba turned off: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.152.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.24.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.56.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.32.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.16.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.72.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "172.17.152.4" port = 636 password = "xxxxxx" identity = "cn=admin,o=hpsd_48" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=hpsd_48" filter = "(uid=%{mschap:User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x819b6d0 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=150, length=207 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201002101686f73742f544553542d31313530312e6870736434382e61622e6361 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xd085e26d93c4b3b3b8a8216df234d3bb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 150 to 10.152.0.100 port 32819 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1ab6f1051ab4e8e1468070e7a1c1e9d1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=151, length=279 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202005719800000004d16030100480100004403014ddbdf3f62ea8c5aa9ab117c6f32a20223b3c8cfadcb0df46e53f4399ec0f5cd00001600040005000a0009006400620003000600130012006301000005ff01000100 State = 0x1ab6f1051ab4e8e1468070e7a1c1e9d1 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x4fec125239de4a288eb02c41591ea8bf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 151 to 10.152.0.100 port 32819 EAP-Message = 0x0103040019c0000008a216030100310200002d03014ddbdf3f7498d35fd0d0429af7935ec53b4449a441f38731b159837073552faa000004000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c2962fab65858e76d1ddf7925706800d725d67efa3e928fc5b835d1da4e3d5c99cd3ba137db87cd26b5609df9ff9a00d2e26b6569bd5d5 EAP-Message = 0x7906b0ac844bcb0dcdafc47a271d7f4184b8e7c49def18565a1308653df9bf9af520481adbca2724c10912c5a027ebaf413980d610ac6deba96c5648b540eddcd14904c44ccdea22b433302f61cbe597a5d8587cf9cd1265a8eb71cbcd86db81668b26104bde6f85a48915ff0b49db217fddfc14199887a02eea6bab884c45f948e1ac8dfff1b174428ea59679abc877ed9a63d9d45a49e5c9260c8dfea7751f40742a8f4bdc3a159ca21c94180134fa8397913337b28431d3958f736c26766793bb5bb1f3d5b133c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101004cec EAP-Message = 0x45279ca506050661330f4a17d5cadf66ab4afcd673447238a372ab3fa04a4290b7329b34267c54ad822d9f5d52975247bd61560abaa1e6b5c189edf03731340a167f225be1f70bc782ae26ff1599a4f69892b7cbde36cf5a85b6e955b4fa52c512140091a0750b11c5a5aafb2572b582856ae20c7c96d42dc0bf0104467b02d7fcb088f371ee192d529d4fde2233d2f8d7c1825bcf23781cadd11aeabf49cd8ca853b47b5dc74b760d34faf67941eaced3bd06b86b65ff23c247b82527ddd7136397230ad87c477643afe9c748f0cf83eff9b102206276b4d0d682f2e5ed27afa85e45426b25f152b16012918d4c04ce0a8641da60885e3c3197b4e3ed EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1ab6f1051bb5e8e1468070e7a1c1e9d1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=152, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0x1ab6f1051bb5e8e1468070e7a1c1e9d1 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x899f79b4481a142ba9d400d8ffc3e8b3 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 152 to 10.152.0.100 port 32819 EAP-Message = 0x010403fc1940a003020102020900a014abbd42e47192300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aad4b906b8f15d9efa212c359bbae114566f2f9b0c75bf45ab4def0f4a617b3fe4e56795ecf32f378d128990b6317f25252528a101362bf9345a0a394dba35688e07e2eae969c4913c3796c1c224aced4e41e9d51f5335e6b9ec030da7c36217b48835b1df864ff9 EAP-Message = 0xd82ada8cda0de980115896e4bd8ec5bab2a6b9111c109dafdb3e07d6ee4a5cebfa21f39e4efeb6a45e8a8cefc278ef3418aa2ccdb710ebe491eda4ed31df9156020958cddc21ce23a5749c9f06eeb098f3894184707af45719ff0d29350defa774ea4dbda2d0c61b7939abb1757a3ee271f1bb8d4b9868bc6289db9516b6a3d7fa5ad8abdbe57b5ce5359c9eb6a6169647d1310a53e40e930203010001a381fb3081f8301d0603551d0e0416041493331cbb1ef41d0e3c45f31449266f0c304c9b193081c80603551d230481c03081bd801493331cbb1ef41d0e3c45f31449266f0c304c9b19a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a014abbd42e47192300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003cf11452f274ea06f722666622248542b6934b4f9aa2e919e20fb227801b1addbd2626d3570f8e4c20db411f132aa313a4e877f352772d0414b67207468978a5727bc5a22843f42390103f EAP-Message = 0x53c8cb22d3f8f1f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1ab6f10518b2e8e1468070e7a1c1e9d1 Finished request 2. This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
On 05/24/2011 06:00 PM, Mark Jones wrote:
Here is the latest debug with termination on Aruba turned off: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23
Sending Access-Challenge of id 152 to 10.152.0.100 port 32819 EAP-Message = 0x010403fc1940a003020102020900a014abbd42e47192300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aad4b906b8f15d9efa212c359bbae114566f2f9b0c75bf45ab4def0f4a617b3fe4e56795ecf32f378d128990b6317f25252528a101362bf9345a0a394dba35688e07e2eae969c4913c3796c1c224aced4e41e9d51f5335e6b9ec030da7c36217b48835b1df864ff9 EAP-Message = 0xd82ada8cda0de980115896e4bd8ec5bab2a6b9111c109dafdb3e07d6ee4a5cebfa21f39e4efeb6a45e8a8cefc278ef3418aa2ccdb710ebe491eda4ed31df9156020958cddc21ce23a5749c9f06eeb098f3894184707af45719ff0d29350defa774ea4dbda2d0c61b7939abb1757a3ee271f1bb8d4b9868bc6289db9516b6a3d7fa5ad8abdbe57b5ce5359c9eb6a6169647d1310a53e40e930203010001a381fb3081f8301d0603551d0e0416041493331cbb1ef41d0e3c45f31449266f0c304c9b193081c80603551d230481c03081bd801493331cbb1ef41d0e3c45f31449266f0c304c9b19a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a014abbd42e47192300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003cf11452f274ea06f722666622248542b6934b4f9aa2e919e20fb227801b1addbd2626d3570f8e4c20db411f132aa313a4e877f352772d0414b67207468978a5727bc5a22843f42390103f EAP-Message = 0x53c8cb22d3f8f1f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1ab6f10518b2e8e1468070e7a1c1e9d1 Finished request 2.
Is this *really* the last thing it printed out? It didn't print something about session expiry and a URL for you to look at? Anyway - this is probably because the client doesn't know the CA cert. You were previously terminating PEAP on the Aruba, so the cert was the one belonging to Aruba. Now, it'll be the cert belonging to FreeRADIUS.
I tried to paste the full log in but it was rejected because of size, what the best option to cut it into pieces and post a few times or is there another way to do it? Thanks Mark -- View this message in context: http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authenticati... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Here is my debug now I might have to break it up into 2 posts though because of the size FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.152.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.24.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.56.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.32.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.16.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.72.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "172.17.152.4" port = 636 password = "xxxx" identity = "cn=admin,o=hpsd_48" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=hpsd_48" filter = "(uid=%{mschap:User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x819b1b8 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=100, length=207 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201002101686f73742f544553542d31313530312e6870736434382e61622e6361 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x3fc51307320dc5715e92eecad18a7497 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 100 to 10.152.0.100 port 32819 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a929401988b9c422c188eb1599474 Finished request 0. Going to the next request Waking up in 4.9 seconds. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 107 to 10.152.0.100 port 32819 EAP-Message = 0x010900261900170301001bff964598d07d4dd0c38635418e6dc2288e2d28f07cdec632840d8d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a929406938b9c422c188eb1599474 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=108, length=230 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020900261900170301001b484dac5941c9c6e1e6f5f65245aa4a15dadcff5adf50aa9a55e7a2 State = 0x019a929406938b9c422c188eb1599474 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xe8ecd2a6e6c5d0e2d1748001c7e06674 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/TEST-11501.hpsd48.ab.ca attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 108 to 10.152.0.100 port 32819 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=109, length=207 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201002101686f73742f544553542d31313530312e6870736434382e61622e6361 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x853e6724620b407fe84ff5501ca8df01 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 109 to 10.152.0.100 port 32819 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8af091f13414e4025002a7e0a Finished request 9. Going to the next request Waking up in 3.4 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=110, length=279 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202005719800000004d16030100480100004403014de906da35a800084268cf2d0a7eafe7044381e765dfb217746f493469c8e29500001600040005000a0009006400620003000600130012006301000005ff01000100 State = 0xaf0b06b8af091f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xb5d520483b1671c6a09a1aae6bf8c27b # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 110 to 10.152.0.100 port 32819 EAP-Message = 0x0103040019c0000008a216030100310200002d03014de906d553ea9f270955c1768c97f226626fd90106e0e89b67d60cba8bd146c7000004000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c2962fab65858e76d1ddf7925706800d725d67efa3e928fc5b835d1da4e3d5c99cd3ba137db87cd26b5609df9ff9a00d2e26b6569bd5d5 EAP-Message = 0x7906b0ac844bcb0dcdafc47a271d7f4184b8e7c49def18565a1308653df9bf9af520481adbca2724c10912c5a027ebaf413980d610ac6deba96c5648b540eddcd14904c44ccdea22b433302f61cbe597a5d8587cf9cd1265a8eb71cbcd86db81668b26104bde6f85a48915ff0b49db217fddfc14199887a02eea6bab884c45f948e1ac8dfff1b174428ea59679abc877ed9a63d9d45a49e5c9260c8dfea7751f40742a8f4bdc3a159ca21c94180134fa8397913337b28431d3958f736c26766793bb5bb1f3d5b133c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101004cec EAP-Message = 0x45279ca506050661330f4a17d5cadf66ab4afcd673447238a372ab3fa04a4290b7329b34267c54ad822d9f5d52975247bd61560abaa1e6b5c189edf03731340a167f225be1f70bc782ae26ff1599a4f69892b7cbde36cf5a85b6e955b4fa52c512140091a0750b11c5a5aafb2572b582856ae20c7c96d42dc0bf0104467b02d7fcb088f371ee192d529d4fde2233d2f8d7c1825bcf23781cadd11aeabf49cd8ca853b47b5dc74b760d34faf67941eaced3bd06b86b65ff23c247b82527ddd7136397230ad87c477643afe9c748f0cf83eff9b102206276b4d0d682f2e5ed27afa85e45426b25f152b16012918d4c04ce0a8641da60885e3c3197b4e3ed EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8ae081f13414e4025002a7e0a Finished request 10. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=111, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0xaf0b06b8ae081f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xe25c0d2221df89334b616e7691ae672d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 111 to 10.152.0.100 port 32819 EAP-Message = 0x010403fc1940a003020102020900a014abbd42e47192300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aad4b906b8f15d9efa212c359bbae114566f2f9b0c75bf45ab4def0f4a617b3fe4e56795ecf32f378d128990b6317f25252528a101362bf9345a0a394dba35688e07e2eae969c4913c3796c1c224aced4e41e9d51f5335e6b9ec030da7c36217b48835b1df864ff9 EAP-Message = 0xd82ada8cda0de980115896e4bd8ec5bab2a6b9111c109dafdb3e07d6ee4a5cebfa21f39e4efeb6a45e8a8cefc278ef3418aa2ccdb710ebe491eda4ed31df9156020958cddc21ce23a5749c9f06eeb098f3894184707af45719ff0d29350defa774ea4dbda2d0c61b7939abb1757a3ee271f1bb8d4b9868bc6289db9516b6a3d7fa5ad8abdbe57b5ce5359c9eb6a6169647d1310a53e40e930203010001a381fb3081f8301d0603551d0e0416041493331cbb1ef41d0e3c45f31449266f0c304c9b193081c80603551d230481c03081bd801493331cbb1ef41d0e3c45f31449266f0c304c9b19a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a014abbd42e47192300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003cf11452f274ea06f722666622248542b6934b4f9aa2e919e20fb227801b1addbd2626d3570f8e4c20db411f132aa313a4e877f352772d0414b67207468978a5727bc5a22843f42390103f EAP-Message = 0x53c8cb22d3f8f1f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8ad0f1f13414e4025002a7e0a Finished request 11. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=112, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0xaf0b06b8ad0f1f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xf3d64b1ad71afcaa8f52b1e07dec75ef # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 112 to 10.152.0.100 port 32819 EAP-Message = 0x010500bc19004c396c46b788613f2eae5433381f96d583a69217e9b3504b2751ba9b7c98b5795763ec2dca296f1c69e6a6c0814c9723f903ff293ab3d5bd932b98d0e833e3a01ded48b321eb509dd2e61548875967dc1282a4022b615f7360c573c4d1e52b10f16387a6d3ab90066bb454697e5715108aa946fe9208e0c56acbc5ba8277b15393f6d3ce03a2fb07536a1177550c4dbb473cf421ba6fd64330b3ef931207d7af48184e874f2e55130a498d722c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8ac0e1f13414e4025002a7e0a Finished request 12. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=113, length=514 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020501401980000001361603010106100001020100b0943f5f64fa2282445f363ac440b64c37fb18cf4763326ec0e402a023da264ce7cc7a130998beadf6b1f6bc3a512207a7342f7ebd20467c050ff31fc12e9ea8a0de0e4458981c22e12280e9ebbf12578698db93fb15b01d445d5c0efa99f691827dede72db6391749b3def236fc3d09fcc03f42a8a7de92a4016589a1739642ffe3174280b275afc31e6d65404efea2d76e7b4455fdb049a5050f4f1832126cd9bec305bdc050e172b3ab877d3dfdecf36dcda7fb99b964a2e6692e42af12241078c724b9de44d94f5b7f9e571092cb536e4fb2ee26a199fcb81e2f897b33cb8c24fcf401767a3a EAP-Message = 0xa4355e662e9950b8933b040af55133487ac046b9417defd814030100010116030100202189ed42f5c686a93a7b80563149c8ec9c01a092f8ab4636d1c594e0d1e44f03 State = 0xaf0b06b8ac0e1f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x4f0f6002da5fa6dafa6fe46827e2ed2c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 113 to 10.152.0.100 port 32819 EAP-Message = 0x01060031190014030100010116030100203c5e6364785ff9c2b98e606384d0ae00a07e305e10c79c4ccbbea4e20f469c2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8ab0d1f13414e4025002a7e0a Finished request 13. Going to the next request -- View this message in context: http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authenticati... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Here is the rest of the debug Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=114, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020600061900 State = 0xaf0b06b8ab0d1f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x39806663461b05b46cf3125e79491f35 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 114 to 10.152.0.100 port 32819 EAP-Message = 0x01070020190017030100154b001c00411832b717df4ad0a3453ea7f54a7477c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8aa0c1f13414e4025002a7e0a Finished request 14. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=115, length=248 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700381900170301002d801b74be448ec8e8a1fd0bf61c7419611e41c0204edf3ec539b25c8f86becf0c98758d6c769df73dac4be09a7b State = 0xaf0b06b8aa0c1f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x76eadd506811e5fbaaa9bd651c72cfa5 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 56 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/TEST-11501.hpsd48.ab.ca [peap] Got inner identity 'host/TEST-11501.hpsd48.ab.ca' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800361a0108003110220f374aa19eb0c598b341bacd23b48e686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdff71f9adfff05115ad48af9ef7a1fd6 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800361a0108003110220f374aa19eb0c598b341bacd23b48e686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdff71f9adfff05115ad48af9ef7a1fd6 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 115 to 10.152.0.100 port 32819 EAP-Message = 0x0108004d190017030100425ef5a87c0a89a3105bf08c246ea2b5f9d4f8990c41a5470ac8a417f2cd1fc7185c7532f146e5a5fa1e72281909ecd7d165106e810b1ce29ff074c729c9d8cd61e309 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8a9031f13414e4025002a7e0a Finished request 15. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=116, length=302 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0208006e190017030100631163c930bb03d723a3c5143fcee6ce082aa6f00527213d8a73b60c459b3389d075c7b996a57cacefcbb9e334fe5daa6ffe65302162975fa7278d6bbda91168fd2feebfb195f81b9c86f8aabd245aebd7f460f11f77b59f2ae5fd01705424599959124f State = 0xaf0b06b8a9031f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xddfda2824f60dccbb3557bb433925a59 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 110 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800571a0208005231fd1a7399db6c1b2c5c96bc7c05ab8c640000000000000000ecc35bcd4fa61e28c30c0bfd3a037d19e5c407a645b6b72a00686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x020800571a0208005231fd1a7399db6c1b2c5c96bc7c05ab8c640000000000000000ecc35bcd4fa61e28c30c0bfd3a037d19e5c407a645b6b72a00686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" State = 0xdff71f9adfff05115ad48af9ef7a1fd6 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 87 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 116 to 10.152.0.100 port 32819 EAP-Message = 0x010900261900170301001bf6ec223e7d7181a93f75f4a26254ad4f18df3930289d171931ccee Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf0b06b8a8021f13414e4025002a7e0a Finished request 16. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=117, length=230 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020900261900170301001b906645443f39afc09080a4a678ca79b9dc210aa4f63d8b4fed2563 State = 0xaf0b06b8a8021f13414e4025002a7e0a Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x4513566759242c90b364904f4b5131dd # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/TEST-11501.hpsd48.ab.ca attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 117 to 10.152.0.100 port 32819 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=118, length=207 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201002101686f73742f544553542d31313530312e6870736434382e61622e6361 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x3079a4568eb504dec1712dd4b53b8d02 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 118 to 10.152.0.100 port 32819 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da4429d2c35a7379c61a78aa62d0 Finished request 18. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=119, length=279 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202005719800000004d16030100480100004403014de906db4ca3903f904303e7bc398d558b043af3ab9131895a99c73afb08b2f100001600040005000a0009006400620003000600130012006301000005ff01000100 State = 0x29d0da4429d2c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x060dab8335726b77ad25c74cf5654e79 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 10.152.0.100 port 32819 EAP-Message = 0x0103040019c0000008a216030100310200002d03014de906d73ba63b93c9399f1a39454ce72415a5c96ab5a9addea94e17540cd87a000004000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c2962fab65858e76d1ddf7925706800d725d67efa3e928fc5b835d1da4e3d5c99cd3ba137db87cd26b5609df9ff9a00d2e26b6569bd5d5 EAP-Message = 0x7906b0ac844bcb0dcdafc47a271d7f4184b8e7c49def18565a1308653df9bf9af520481adbca2724c10912c5a027ebaf413980d610ac6deba96c5648b540eddcd14904c44ccdea22b433302f61cbe597a5d8587cf9cd1265a8eb71cbcd86db81668b26104bde6f85a48915ff0b49db217fddfc14199887a02eea6bab884c45f948e1ac8dfff1b174428ea59679abc877ed9a63d9d45a49e5c9260c8dfea7751f40742a8f4bdc3a159ca21c94180134fa8397913337b28431d3958f736c26766793bb5bb1f3d5b133c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101004cec EAP-Message = 0x45279ca506050661330f4a17d5cadf66ab4afcd673447238a372ab3fa04a4290b7329b34267c54ad822d9f5d52975247bd61560abaa1e6b5c189edf03731340a167f225be1f70bc782ae26ff1599a4f69892b7cbde36cf5a85b6e955b4fa52c512140091a0750b11c5a5aafb2572b582856ae20c7c96d42dc0bf0104467b02d7fcb088f371ee192d529d4fde2233d2f8d7c1825bcf23781cadd11aeabf49cd8ca853b47b5dc74b760d34faf67941eaced3bd06b86b65ff23c247b82527ddd7136397230ad87c477643afe9c748f0cf83eff9b102206276b4d0d682f2e5ed27afa85e45426b25f152b16012918d4c04ce0a8641da60885e3c3197b4e3ed EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da4428d3c35a7379c61a78aa62d0 Finished request 19. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=120, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0x29d0da4428d3c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x7a7426cfa0958f6618608192a3cb78ee # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 120 to 10.152.0.100 port 32819 EAP-Message = 0x010403fc1940a003020102020900a014abbd42e47192300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aad4b906b8f15d9efa212c359bbae114566f2f9b0c75bf45ab4def0f4a617b3fe4e56795ecf32f378d128990b6317f25252528a101362bf9345a0a394dba35688e07e2eae969c4913c3796c1c224aced4e41e9d51f5335e6b9ec030da7c36217b48835b1df864ff9 EAP-Message = 0xd82ada8cda0de980115896e4bd8ec5bab2a6b9111c109dafdb3e07d6ee4a5cebfa21f39e4efeb6a45e8a8cefc278ef3418aa2ccdb710ebe491eda4ed31df9156020958cddc21ce23a5749c9f06eeb098f3894184707af45719ff0d29350defa774ea4dbda2d0c61b7939abb1757a3ee271f1bb8d4b9868bc6289db9516b6a3d7fa5ad8abdbe57b5ce5359c9eb6a6169647d1310a53e40e930203010001a381fb3081f8301d0603551d0e0416041493331cbb1ef41d0e3c45f31449266f0c304c9b193081c80603551d230481c03081bd801493331cbb1ef41d0e3c45f31449266f0c304c9b19a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a014abbd42e47192300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003cf11452f274ea06f722666622248542b6934b4f9aa2e919e20fb227801b1addbd2626d3570f8e4c20db411f132aa313a4e877f352772d0414b67207468978a5727bc5a22843f42390103f EAP-Message = 0x53c8cb22d3f8f1f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442bd4c35a7379c61a78aa62d0 Finished request 20. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=121, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0x29d0da442bd4c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xbf252b738f6dd6c069edff642dcff0a3 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 121 to 10.152.0.100 port 32819 EAP-Message = 0x010500bc19004c396c46b788613f2eae5433381f96d583a69217e9b3504b2751ba9b7c98b5795763ec2dca296f1c69e6a6c0814c9723f903ff293ab3d5bd932b98d0e833e3a01ded48b321eb509dd2e61548875967dc1282a4022b615f7360c573c4d1e52b10f16387a6d3ab90066bb454697e5715108aa946fe9208e0c56acbc5ba8277b15393f6d3ce03a2fb07536a1177550c4dbb473cf421ba6fd64330b3ef931207d7af48184e874f2e55130a498d722c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442ad5c35a7379c61a78aa62d0 Finished request 21. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=122, length=514 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x02050140198000000136160301010610000102010074d7e95eee9fd74281d703c3aa7c3e5dff43c1eeba1a2cc9fccdf4eadaf91df4aec03bb4fcd96f04635243700a5feb2a3423993747f86e8b677e6d764888eac01f97d4187f16bbe13493b5aad227a4ba1f49bb198db2442282307bfdc2b52b5eedab35d074391c42c5bf0c7b6853d486b0c4e2c8c2648f27924df70951a0c25b1bd8fe9e5528443cfc0e5ae1134da157d2d7beea23455462e773e70d545febfc7dff19c84f465b995771fdbd461a158dfa38d9ac1c8ab8d97d6c023abcd656d162f1594a4c6f5b791a7a49b7eff9980dd205f044f0476c17d4572a0e548a227f79570e9f0fba3647 EAP-Message = 0x98b7f22d36a71d0685b5d5fafaf98623c53d6dc45fa8cd6f1403010001011603010020a14543890a5dda3193cd901b8a99f172b116b429819b014dd66ca733501f598b State = 0x29d0da442ad5c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x22b3c9ec5509579aebcb622ef41a99f9 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 122 to 10.152.0.100 port 32819 EAP-Message = 0x010600311900140301000101160301002065c36b929321418de0e1096fbb9555584f14371181b00aecd5802aa580f27b9c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442dd6c35a7379c61a78aa62d0 Finished request 22. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=123, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020600061900 State = 0x29d0da442dd6c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x22b2a94e6a00270f56a88f4f5755a62a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 123 to 10.152.0.100 port 32819 EAP-Message = 0x0107002019001703010015ccb56467d6b0b54c5477e97ad9751807c835598567 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442cd7c35a7379c61a78aa62d0 Finished request 23. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=124, length=248 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700381900170301002d48cecbbd34d5253b28194dd676fb9010c530bb8c13bdc47e488941a4d19dc7fa726e873a58cc44a35786a88bca State = 0x29d0da442cd7c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x1c1b6e63188001569dd59e8dd28f44fa # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 56 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/TEST-11501.hpsd48.ab.ca [peap] Got inner identity 'host/TEST-11501.hpsd48.ab.ca' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800361a01080031100bb281db72ca99c10b76e04212a60721686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x04a0b3fa04a8a9fd98f0050caec42b47 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800361a01080031100bb281db72ca99c10b76e04212a60721686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x04a0b3fa04a8a9fd98f0050caec42b47 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 124 to 10.152.0.100 port 32819 EAP-Message = 0x0108004d19001703010042f0c1c86e64d32ea8aed9ed5b247a786c682e0dd1147f09f7f38a84e22962866feb92d411a6bb3cce29ac674c28dae6183ad8bc850ccd422b730f25fc4211f09bbd9a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442fd8c35a7379c61a78aa62d0 Finished request 24. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=125, length=302 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0208006e1900170301006340fc69efabd3d8f90ac150f75ddf678f3883cd42adb89bda7afbab0a65ba53704c12b81f6103378b6af24eb0afa71b713a158c68b156911a19f9ab018f668ab34d30e6723e54f5427081ef4f8b188f4b7e9955fcce333dd2348dfa921405a4783b51e0 State = 0x29d0da442fd8c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x44e390f025907d46607bd59ed8e82319 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 110 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800571a020800523116ba5e375232b558ea4bec3f09e0546e0000000000000000485051644aaaccf4feb374d5727dbb181b312a8cace7a5b300686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x020800571a020800523116ba5e375232b558ea4bec3f09e0546e0000000000000000485051644aaaccf4feb374d5727dbb181b312a8cace7a5b300686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" State = 0x04a0b3fa04a8a9fd98f0050caec42b47 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 87 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 125 to 10.152.0.100 port 32819 EAP-Message = 0x010900261900170301001be55c10c14a8b99626e68d81135abe0fb267983cae3140a3f79f036 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29d0da442ed9c35a7379c61a78aa62d0 Finished request 25. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=126, length=230 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020900261900170301001b5e56eb7f54ff792cf3528485b41854c30fd2491432b132c8482f96 State = 0x29d0da442ed9c35a7379c61a78aa62d0 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xbe379e062b1087985d9ec6cc244923a1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/TEST-11501.hpsd48.ab.ca attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 26 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 26 Sending Access-Reject of id 126 to 10.152.0.100 port 32819 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.9 seconds. Cleaning up request 0 ID 100 with timestamp +45 Cleaning up request 1 ID 101 with timestamp +45 Cleaning up request 2 ID 102 with timestamp +45 Cleaning up request 3 ID 103 with timestamp +45 Cleaning up request 4 ID 104 with timestamp +45 Cleaning up request 5 ID 105 with timestamp +45 Cleaning up request 6 ID 106 with timestamp +45 Cleaning up request 7 ID 107 with timestamp +45 Waking up in 1.0 seconds. Cleaning up request 8 ID 108 with timestamp +45 Waking up in 0.3 seconds. Cleaning up request 9 ID 109 with timestamp +46 Cleaning up request 10 ID 110 with timestamp +46 Cleaning up request 11 ID 111 with timestamp +46 Cleaning up request 12 ID 112 with timestamp +46 Cleaning up request 13 ID 113 with timestamp +46 Cleaning up request 14 ID 114 with timestamp +46 Cleaning up request 15 ID 115 with timestamp +46 Cleaning up request 16 ID 116 with timestamp +46 Waking up in 1.0 seconds. Cleaning up request 17 ID 117 with timestamp +46 Waking up in 0.3 seconds. Cleaning up request 18 ID 118 with timestamp +48 Cleaning up request 19 ID 119 with timestamp +48 Cleaning up request 20 ID 120 with timestamp +48 Cleaning up request 21 ID 121 with timestamp +48 Cleaning up request 22 ID 122 with timestamp +48 Cleaning up request 23 ID 123 with timestamp +48 Cleaning up request 24 ID 124 with timestamp +48 Cleaning up request 25 ID 125 with timestamp +48 Waking up in 1.0 seconds. Cleaning up request 26 ID 126 with timestamp +48 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authenticati... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mjonesmcne wrote:
Here is the rest of the debug ... [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
That's pretty definitive. You didn't tell the server how to authenticate the user. Alan DeKok.
Ok so where or how do I tell it? Mark
Alan DeKok <aland@deployingradius.com> 6/3/2011 11:57 PM >>> mjonesmcne wrote: Here is the rest of the debug ... [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
That's pretty definitive. You didn't tell the server how to authenticate the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Mark Jones wrote:
Ok so where or how do I tell it?
http://deployingradius.com/ Follow the "Active Directory" guide. Alan DeKok.
Ok Im going to try following that guide Monday morning, just one question before I get started...does it work with an edir backend and a samba server acting as a PDC on an OES2 server? Thanks for the advice Alan Mark
Alan DeKok <aland@deployingradius.com> 6/4/2011 1:22 PM >>> Mark Jones wrote: Ok so where or how do I tell it?
http://deployingradius.com/ Follow the "Active Directory" guide. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Mark Jones wrote:
Ok Im going to try following that guide Monday morning, just one question before I get started...does it work with an edir backend and a samba server acting as a PDC on an OES2 server?
Uh... no. The guide is for getting Active Directory to work. Active Directory is not Samba. eDir is just an LDAP server. You've configured it as an LDAP server: [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access ... But you *HAVEN'T* changed the "inner-tunnel" virtual server to use the LDAP module. Go read it, and un-comment the line saying "ldap". Alan DeKok.
I have enabled ldap in the inner-tunnel...here is the lastest debug log (part 1) Mark FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.152.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.24.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.56.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.32.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.16.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } client 10.72.0.0/13 { require_message_authenticator = no secret = "centrino" shortname = "centrino" nastype = "aruba" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "172.17.152.4" port = 636 password = "xxxxx" identity = "cn=admin,o=hpsd_48" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=hpsd_48" filter = "(uid=%{mschap:User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x8185770 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=181, length=207 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201002101686f73742f544553542d31313530312e6870736434382e61622e6361 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xc6fdd5f61d24d6fa10711429844ac704 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 181 to 10.152.0.100 port 32819 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c635109e107d0e4bf1d59ff6a4 Finished request 0.
Alan DeKok <aland@deployingradius.com> 6/5/2011 2:18 AM >>> Mark Jones wrote: Ok Im going to try following that guide Monday morning, just one question before I get started...does it work with an edir backend and a samba server acting as a PDC on an OES2 server?
Uh... no. The guide is for getting Active Directory to work. Active Directory is not Samba. eDir is just an LDAP server. You've configured it as an LDAP server: [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access ... But you *HAVEN'T* changed the "inner-tunnel" virtual server to use the LDAP module. Go read it, and un-comment the line saying "ldap". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Here is the next piece Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=182, length=279 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202005719800000004d16030100480100004403014ded0eabe88ab61a73d2eb01d8d7a0aeb692c5c29abad87ddbd6bef2a7ad2d4200001600040005000a0009006400620003000600130012006301000005ff01000100 State = 0x351287c635109e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xc76135b813c9043695f6eefee2253abf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 182 to 10.152.0.100 port 32819 EAP-Message = 0x0103040019c0000008a216030100310200002d03014ded0ea574477edb854fb55aebb36adb4abb79a8b8bd4e781eaccbe17e59d0de000004000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c2962fab65858e76d1ddf7925706800d725d67efa3e928fc5b835d1da4e3d5c99cd3ba137db87cd26b5609df9ff9a00d2e26b6569bd5d5 EAP-Message = 0x7906b0ac844bcb0dcdafc47a271d7f4184b8e7c49def18565a1308653df9bf9af520481adbca2724c10912c5a027ebaf413980d610ac6deba96c5648b540eddcd14904c44ccdea22b433302f61cbe597a5d8587cf9cd1265a8eb71cbcd86db81668b26104bde6f85a48915ff0b49db217fddfc14199887a02eea6bab884c45f948e1ac8dfff1b174428ea59679abc877ed9a63d9d45a49e5c9260c8dfea7751f40742a8f4bdc3a159ca21c94180134fa8397913337b28431d3958f736c26766793bb5bb1f3d5b133c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101004cec EAP-Message = 0x45279ca506050661330f4a17d5cadf66ab4afcd673447238a372ab3fa04a4290b7329b34267c54ad822d9f5d52975247bd61560abaa1e6b5c189edf03731340a167f225be1f70bc782ae26ff1599a4f69892b7cbde36cf5a85b6e955b4fa52c512140091a0750b11c5a5aafb2572b582856ae20c7c96d42dc0bf0104467b02d7fcb088f371ee192d529d4fde2233d2f8d7c1825bcf23781cadd11aeabf49cd8ca853b47b5dc74b760d34faf67941eaced3bd06b86b65ff23c247b82527ddd7136397230ad87c477643afe9c748f0cf83eff9b102206276b4d0d682f2e5ed27afa85e45426b25f152b16012918d4c04ce0a8641da60885e3c3197b4e3ed EAP-Message = 0x860004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c634119e107d0e4bf1d59ff6a4 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=183, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0x351287c634119e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x0c02c2e486671a676f2146214b7d6329 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 183 to 10.152.0.100 port 32819 EAP-Message = 0x010403fc1940a003020102020900a014abbd42e47192300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303231303136333231325a170d3132303231303136333231325a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aad4b906b8f15d9efa212c359bbae114566f2f9b0c75bf45ab4def0f4a617b3fe4e56795ecf32f378d128990b6317f25252528a101362bf9345a0a394dba35688e07e2eae969c4913c3796c1c224aced4e41e9d51f5335e6b9ec030da7c36217b48835b1df864ff9 EAP-Message = 0xd82ada8cda0de980115896e4bd8ec5bab2a6b9111c109dafdb3e07d6ee4a5cebfa21f39e4efeb6a45e8a8cefc278ef3418aa2ccdb710ebe491eda4ed31df9156020958cddc21ce23a5749c9f06eeb098f3894184707af45719ff0d29350defa774ea4dbda2d0c61b7939abb1757a3ee271f1bb8d4b9868bc6289db9516b6a3d7fa5ad8abdbe57b5ce5359c9eb6a6169647d1310a53e40e930203010001a381fb3081f8301d0603551d0e0416041493331cbb1ef41d0e3c45f31449266f0c304c9b193081c80603551d230481c03081bd801493331cbb1ef41d0e3c45f31449266f0c304c9b19a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a014abbd42e47192300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003cf11452f274ea06f722666622248542b6934b4f9aa2e919e20fb227801b1addbd2626d3570f8e4c20db411f132aa313a4e877f352772d0414b67207468978a5727bc5a22843f42390103f EAP-Message = 0x53c8cb22d3f8f1f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c637169e107d0e4bf1d59ff6a4 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=184, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0x351287c637169e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x119cdba488a7d26989d8954bd433b4a8 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 184 to 10.152.0.100 port 32819 EAP-Message = 0x010500bc19004c396c46b788613f2eae5433381f96d583a69217e9b3504b2751ba9b7c98b5795763ec2dca296f1c69e6a6c0814c9723f903ff293ab3d5bd932b98d0e833e3a01ded48b321eb509dd2e61548875967dc1282a4022b615f7360c573c4d1e52b10f16387a6d3ab90066bb454697e5715108aa946fe9208e0c56acbc5ba8277b15393f6d3ce03a2fb07536a1177550c4dbb473cf421ba6fd64330b3ef931207d7af48184e874f2e55130a498d722c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c636179e107d0e4bf1d59ff6a4 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=185, length=514 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020501401980000001361603010106100001020100af7d947b9773fe9077a2c66ee404afa0fb678991285a865d2d9de4f04ad98609bf599137e35f0f4aeffc8033d9c5e702472b08b65c73f6eae34045425c3ad875f168525f35e62e193f69c83d991a99416211e8db06afdc9bed2dd0de002302c482f5eea79f1ab9d00f428fb77bd2cdaed394eee44927d41d681435c641bcac71196996f34064206e571a7bb1866ddbb27241fd4a12e934ee15052cb25edd4c7d22fae6b989c6896ca7cf99eb5d851146c410c8dd046dc977d2e57c88727a269eb15830e388ef9d37822cc9331999e53827293d9dfcbdc73920d548a3e53c97e62541d8fa660912fe EAP-Message = 0xf414ea8a401cc6382dfbf9a1a47ff89b7b62d49cc942bbfb1403010001011603010020a045024939506667da57643c8bd83399c6a3e3a8649eb38d44594e43305e74c1 State = 0x351287c636179e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0xebfb81416fe897f931bfb8daa890ead8 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 185 to 10.152.0.100 port 32819 EAP-Message = 0x0106003119001403010001011603010020cfda713e83ee9c9ade69432531cf7ef8fc28d87a9d03e8eee868c8575762052f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c631149e107d0e4bf1d59ff6a4 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=198 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020600061900 State = 0x351287c631149e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x1bfb600b6f0a8f5375f18a985b9c2c19 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 186 to 10.152.0.100 port 32819 EAP-Message = 0x0107002019001703010015950d4132031906006e4af6d74aa4b14f552a22839a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c630159e107d0e4bf1d59ff6a4 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=187, length=248 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700381900170301002d554f7f2caee0c646ba77fefbe2a91efd7ac46e6330fb7d473da6df47dd8dac9408aacfd1894589bca2ed220675 State = 0x351287c630159e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x39f962a302fc2678b3938b9e1dc9451e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 56 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/TEST-11501.hpsd48.ab.ca [peap] Got inner identity 'host/TEST-11501.hpsd48.ab.ca' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x0207002101686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800361a0108003110767e2048d63fb3b8fa7ee26dd9790895686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dc7def21dcfc42cab2b21ed670261c1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800361a0108003110767e2048d63fb3b8fa7ee26dd9790895686f73742f544553542d31313530312e6870736434382e61622e6361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dc7def21dcfc42cab2b21ed670261c1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 187 to 10.152.0.100 port 32819 EAP-Message = 0x0108004d19001703010042c80199f6a3197bda613806b420f4193a31f45282edef246bd619d1cb90cf141f66abc9fd0e95e46b6a1ce68729d036ed7707e5d48393c0035810dfd87ac6c8d496d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c6331a9e107d0e4bf1d59ff6a4 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=188, length=302 User-Name = "host/TEST-11501.hpsd48.ab.ca" NAS-IP-Address = 10.152.0.100 NAS-Port = 1 NAS-Identifier = "10.152.0.100" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0208006e19001703010063b3597f44056259644b57977d26c5a386f64d577d92db2939b7357b9abaaa70521d52172f236039fc057506c544456c3d9cc0bdd2aab1e8fa4092fcc8a98d423c6b005189fc94712ce4adf77a8499c88dd5eab72a7dac41f8dcbf9077281e149f77571e State = 0x351287c6331a9e107d0e4bf1d59ff6a4 Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01" Message-Authenticator = 0x215d182fd95fe0adcd92e6ddfd90d0f3 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 110 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800571a0208005231a83f8b39603c94edfee997158adcbffe00000000000000008168523c8deddfdf6a1eab9bd60d764976d278d43586a58200686f73742f544553542d31313530312e6870736434382e61622e6361 server { PEAP: Setting User-Name to host/TEST-11501.hpsd48.ab.ca Sending tunneled request EAP-Message = 0x020800571a0208005231a83f8b39603c94edfee997158adcbffe00000000000000008168523c8deddfdf6a1eab9bd60d764976d278d43586a58200686f73742f544553542d31313530312e6870736434382e61622e6361 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/TEST-11501.hpsd48.ab.ca" State = 0x1dc7def21dcfc42cab2b21ed670261c1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 87 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 188 to 10.152.0.100 port 32819 EAP-Message = 0x010900261900170301001b072adbce833a69b1eafb74ca2eec741cb66b500120cb916456c36a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x351287c6321b9e107d0e4bf1d59ff6a4 Finished request 7. Going to the next request
Alan DeKok <aland@deployingradius.com> 6/5/2011 2:18 AM >>> Mark Jones wrote: Ok Im going to try following that guide Monday morning, just one question before I get started...does it work with an edir backend and a samba server acting as a PDC on an OES2 server?
Uh... no. The guide is for getting Active Directory to work. Active Directory is not Samba. eDir is just an LDAP server. You've configured it as an LDAP server: [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxx in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access ... But you *HAVEN'T* changed the "inner-tunnel" virtual server to use the LDAP module. Go read it, and un-comment the line saying "ldap". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Is there any documentation someone can point me to on doing machine authentication with edirectory, or with an ldap backend? Thanks Mark -- View this message in context: http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authenticati... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mjonesmcne wrote:
Is there any documentation someone can point me to on doing machine authentication with edirectory, or with an ldap backend?
Nope. The machine authentication passwords are normally controlled by Active Directory. Your role is to find out what password the machine is using, and then configure that in LDAP. After that, it *should* work. Alan DeKok.
participants (5)
-
Alan DeKok -
Gary Gatten -
Mark Jones -
mjonesmcne -
Phil Mayers