sorry have some problem with this maillist, get the messages not a valid mail address... let's see I try new thread, and hope it will work... ------------------------- Hi all, I have a problem, can't authenticate my user with win login user/pass. I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay. But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject. I have good user settings. what is the problem? password encription? log: when windows send automaticly the login and pass: Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) when I type the l/p: Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Here is the settings: main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.0/24 { require_message_authenticator = no secret = "cisco" shortname = "switch" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "pass" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ---------------------------------------------------- the debug log: rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "DOMAIN\\Joe" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001001524f555445525c48656765 Message-Authenticator = 0xda8ce7b609ed190bf55552b960fb9007 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "Joe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry Hege at line 78 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Joe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 228 to 192.168.1.1 port 1812 Waking up in 4.9 seconds. Cleaning up request 0 ID 228 with timestamp +37 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=229, length=160 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "DOMAIN\\Joe" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0201001001524f555445525c48656765 Message-Authenticator = 0x899e38e1fdff02cd06c656b01129c91c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry joe at line 78 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Joe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 229 to 192.168.1.1 port 1812 Waking up in 4.9 seconds. Cleaning up request 1 ID 229 with timestamp +43 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=230, length=160 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "DOMAIN\\Joe" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0201001001524f555445525c48656765 Message-Authenticator = 0x7458dfe5581c573158e7bbd81998837c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "Joe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry Joe at line 78 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Joe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 230 to 192.168.1.1 port 1812 Waking up in 4.9 seconds. Cleaning up request 2 ID 230 with timestamp +49 Ready to process requests.
Hegedus Gabor wrote:
sorry have some problem with this maillist, get the messages not a valid mail address... let's see I try new thread, and hope it will work... ------------------------- Hi all, I have a problem, can't authenticate my user with win login user/pass.
I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass
When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay.
But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject.
I have good user settings.
what is the problem? password encription?
log: when windows send automaticly the login and pass: Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) when I type the l/p: Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
<snip> Two quick simple questions, is your windows password the same as the radius server password? The biggest thing with this that I have seen is Windows, the password may not be the same as what you may type in. If it works in manual mode, I wouldn't think it is anything else but user/pass not working right. The EAP messages you see (Joe/<via Auth-Type = EAP>) shows that the encrypted tunnel is correct, and since manual mode works, password encryption is working as well. I would double check the passwords first, make sure that the cert profiles seem to match for windows auto mode, and then if that fails, run radius in debug (radiusd -xxx) and see what is breaking in that debug then run that forward to the list.
~Seann
Hi all, I have a problem, can't authenticate my user with win login
user/pass.
I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass
When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay.
But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject.
I have good user settings.
what is the problem? password encription?
log: when windows send automaticly the login and pass: Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Auth: Login incorrect: [joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) when I type the l/p: Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
<snip> Two quick simple questions, is your windows password the same as the radius server password?
radius server password means the password after the username in the users file? or anything else? users file contains: Joe Cleartext-Password:= "pass"
The biggest thing with this that I have seen is Windows, the password may not be the same as what you may type in. If it works in manual mode, I wouldn't think it is anything else but user/pass not working right. The EAP messages you see (Joe/<via Auth-Type = EAP>) shows that the encrypted tunnel is correct, and since manual mode works, password encryption is working as well. I would double check the passwords first,
I checked the uname and pass in the users file, this u/p and the win logon/pass is same. This u/p is not the same with the client certificate u/p. my passwords: for server cert: private_key_password = "pass" for client cert: test/test for winlogin: Joe/joepass in users file: Joe/joepass I created the cerst like certs/README said, and then set tls modul. I installed the server cert and the client cert to the windows client, and the client cert asked the pass and I wrote it in, and that was correct. This was all what I do with the certs. Yes, it works good with manual mode, when I type it... I think something wrong with the password encription or the windows send it to the radius in wrong format... I don't know.
make sure that the cert profiles seem to match for windows auto mode,
sry I dont understand, what have to check?
and then if that fails, run radius in debug (radiusd -xxx) and see what is breaking in that debug then run that forward to the list. ~Seann - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, I have a problem, can't authenticate my user with win login user/pass.
I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass
When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay.
But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject.
I have good user settings.
what is the problem? password encription?
No.
the debug log:
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160 .. User-Name = "DOMAIN\\Joe" .. [suffix] No '@' in User-Name = "Joe", looking up realm NULL .. [eap] Identity does not match User-Name, setting from EAP Identity. ..
You are rewriting the User-Name. Don't do that. Ivan Kalik Kalik Informatika ISP
Hi all, I have a problem, can't authenticate my user with win login user/pass.
I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass
When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay.
But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject.
I have good user settings.
what is the problem? password encription?
No.
the debug log:
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160
..
User-Name = "DOMAIN\\Joe"
..
[suffix] No '@' in User-Name = "Joe", looking up realm NULL
..
[eap] Identity does not match User-Name, setting from EAP Identity.
..
You are rewriting the User-Name. Don't do that.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
when I use the with-ntdomain-hack=no the result is : rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = DOMAIN\\Joe" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd2b62910daab305146382a3fd0fd1f65 EAP-Message = 0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 29 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [DOMAIN\\Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 29 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 29 Sending Access-Reject of id 137 to 192.168.1.1 port 1812 EAP-Message = 0x041d0004 Message-Authenticator = 0x00000000000000000000000000000000 rejected too. GH
when I use the with-ntdomain-hack=no the result is :
Where is that line? You should enable it in mschap module. It shouldn't have any effect on EAP Identity.
[peap] Had sent TLV failure. User was rejected earlier in this session.
Debug you posted is useless. You have deleted the important bits. Ivan Kalik Kalik Informatika ISP
when I use the with-ntdomain-hack=no the result is :
Where is that line? You should enable it in mschap module. It shouldn't have any effect on EAP Identity.
I use it in preprocess file, now I set it in mschap module too
[peap] Had sent TLV failure. User was rejected earlier in this session.
Debug you posted is useless. You have deleted the important bits.
I think peap is work good, don't it? ( ... [peap] (other): SSL negotiation finished successfully ... [peap] EAPTLS_SUCCESS ... ) machap module: mschap { with_ntdomain_hack = no } --------------------- eap.conf file: eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = pass private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 1024 include_length = yes cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap default_eap_type = mschapv2 virtual_server = "inner-tunnel" } mschapv2 { } } -------------------------------------- here is the debug, I hope it is usefull: [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 97 to 192.168.1.1 port 1812 EAP-Message = 0x0103040019c00000088b160301002a0200002603014922ab54fa757c7768f8d465c3e5679f3e35b71e1933e5aad7ad7d60b6ea8d2900000400160301084e0b00084a000847000396308203923082027aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3038313131323134313231355a170d3039313131323134313231355a306c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e311330110603550403130a736572766572636572743120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009cf50fd32f4c11e95fb8dc2e365a1d0246c0dd39e616ed0621a36edea241836b39bd38ab2b008b2c1f00f8034d31664e0557ef16daa4bb8bc6ba05765b46be150ed10a90e18a960a1f634a300c1a EAP-Message = 0x40ab58da8da31c607e05e359781ed7bc73b443c21c46eca871ae4fe72627cae7b5222852bc50b9d843f4e53469f51cf84726dca616c85e804c839b438a187a28e03872af3a01265ffd51d37f15c2df5007e264948a2b44ddf367268123db200c007408528d35296009e884ef9ecc648a754ef6e674d33abbc466178cf1c51b91cdf50d235e70bdb043237d47809a89fb628f3be91d318ffbe70b7df70cf74e8ff0b2fb66996b64863074f2daef8da1ac411d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100a966a877dac3f553bc1350f31aa5e89da01a9b3cd7d3488016 EAP-Message = 0x63fd1c780ae69af09d1200e1d3aaf514ee8fecc8e182a4e5e900727a4988e9e644fb5fc351a3553558a96ebed4db761b2d1c4cd5ac978ae2234d02ca514a4f4fc4ff5e13cd2f805b3f1b50e9bcd42a32487d04160d3d6eee0b5d15890f2d7cbd201ccdfad9806f2d2b993e71e341d817ef31ff6c8906f89b2a5673a7368d166a2244a65f2de426e322dbcfb114e8d9c08ebadae09c411838c274b4834b4eaa6aee7590b643bcff77057eb94525185e1cf3e760f675d104ff5fdd43f5e8b119806300db9913112fb38ae30721c6702080822add762cf9101134bc2159370d4739f94f41bcce10940004ab308204a73082038fa00302010202090089def0 EAP-Message = 0x223a727e53300d06092a8648 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fbac2729f634465079c20687 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=98, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fbac2729f634465079c20687 EAP-Message = 0x020300061900 Message-Authenticator = 0x0dd953ac5a0b9ac9d33afc8f9e85cb8c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 98 to 192.168.1.1 port 1812 EAP-Message = 0x010403fc194086f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313131323134303630325a170d3038313231323134303630325a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013 EAP-Message = 0x060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d6254f5b7dca4a0429bfeb81eb3f2c33c1aee1cd37b8ab285ea762e728c89b92c9f6def3ae3ef2565c7d0c3a891cf07ab0de99232fedd2193b10026f2a52d7159f7adfabdd33289b653d7fa230c2f8acd2b3b12ff946c4c456e621e40d02debbb2272f619896e75707de5011751d5e5798e76629161e09de868a818d8c15c6 EAP-Message = 0xb3b6bc37dc8b7360ebafa08a472f4f08324f94baf52176c33a70c2a3e9859860d4a38b2ddba21ec57d28f0db6ba26499df7b7f38b79636bef4e2a3eede3270d5ea1e362405db07ee761236044f7cdcb444c807b186307d62ae4a62f54ae4d9c00dc7ffc74703b67da9de4cdba901ed955bd5e0290a23f22ea98587a165e4a48dbf0203010001a381fb3081f8301d0603551d0e04160414bfc663b94da2edbfe2e3496d345fefb975df680c3081c80603551d230481c03081bd8014bfc663b94da2edbfe2e3496d345fefb975df680ca18199a48196308193310b3009060355040613024652310f300d0603550408130652616469757331123010060355 EAP-Message = 0x04071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090089def0223a727e53300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004d7a670b516773d9e34798399495b4fb7f173248f96bd51f14015a5b0502b7d8193759e4508aad49c44e9ee0b0a3a0ccb6655c85d6218c0f8ee982ba16ef6393c5415edadcc63381337d3f6f5fc764c287a968fe86f9050e4a30038ce45d83306fb5 EAP-Message = 0x6478ad919a40d53b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19faab2729f634465079c20687 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=99, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19faab2729f634465079c20687 EAP-Message = 0x020400061900 Message-Authenticator = 0x2903cae7a8b539c0052a57fdf5fa17ad +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 99 to 192.168.1.1 port 1812 EAP-Message = 0x010500a5190050d2fe7290c9148457049118d051c1aed898c63ba4b4137717f010d720d687dfc94a4a1a6ceadf41c02795724b4842f9951646b1149fd1170c091d11b023eda2cd60bec931560c747702eef5b5ff49fde1d2246fe8edfe998ce57398fa375afac3f1314e3086e6586872bd3a0572c271c08c0c715c3a51c38655c6f13d4d315c364c87b365e3d69bd361418fca16894de67fe5086b2a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fdaa2729f634465079c20687 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=100, length=484 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fdaa2729f634465079c20687 EAP-Message = 0x020501401980000001361603010106100001020100531fcfd0446c581fbfbc50ddd96e5df661c19cd3c04e9cd8c72d8de897c39c4926676109afb1ca8c8bfc4ae167096c0ca7a031a1ea50727eb22ca1c046cb3ba3dda3bbc2db0126e6d8c4f1ec853827b3b0cae9cee996e718fe5267730bca196abe7fbfc02b5e5e82a579ea81e4a978287184ea63505d8d98263f9fbce51931ee718285051d7f4a80911173daa6db0b127942813da4d4f80a4a0d0b828ff35a23b1e9dea7fa669efeaee68d58c83b39b52622418ce99aa96f06fd55c7061d379cd57c395fb0c0035ce7abef33fdee64dec42d3f3429202572481a226712907cc9fe391669131484b0 EAP-Message = 0x3fa57c9f73c239293b994eec582d42a68979dddbfecb46301403010001011603010020c013ed8bfcb781f55c3ccbdb2f88bb8c6684f1e141c1f3284763121ad33ad697 Message-Authenticator = 0x1eccd1c62fcae6de90ee9ad71ee3f4c4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 100 to 192.168.1.1 port 1812 EAP-Message = 0x01060031190014030100010116030100206d497e013ac12cd59a70ed0e843cdf19c07e87dc999d2a74fa6afaf3a4d71c3f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fca92729f634465079c20687 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=101, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fca92729f634465079c20687 EAP-Message = 0x020600061900 Message-Authenticator = 0x1785840b012b68397f073225c8178e28 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 101 to 192.168.1.1 port 1812 EAP-Message = 0x0107002019001703010015086a2b4c0bbe8ba0ff8b0bd8a05b4a81152567b963 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19ffa82729f634465079c20687 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=102, length=201 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19ffa82729f634465079c20687 EAP-Message = 0x020700271900170301001ca1b8414fd75ccd01cde3fe489e7cb2426bc2b1010c7e426666c43900 Message-Authenticator = 0x95acaa8bb8f013b713401522aae4bbe6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 39 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - ROUTER\Hege [peap] Got tunnled request EAP-Message = 0x0207001001524f555445525c48656765 server (null) { PEAP: Got tunneled identity of ROUTER\Hege PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to ROUTER\Hege Sending tunneled request EAP-Message = 0x0207001001524f555445525c48656765 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ROUTER\\Hege" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13f3ed6713fbf70e77af625de147f876 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13f3ed6713fbf70e77af625de147f876 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 102 to 192.168.1.1 port 1812 EAP-Message = 0x0108003c1900170301003122f781e48bee5ca858b2fadc15c1701f0b2e9d222f7b7a86a4e9ab5c9be0fd58be946282e5ae6823590353e614108f01a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fea72729f634465079c20687 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=103, length=248 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fea72729f634465079c20687 EAP-Message = 0x020800561900170301004b8a5f812b2ebd3534c1f7bbfca7fd4254ea57cbbfe3b1b571277441e4676f8e1b169635636883c648bb7b2744288fa1a439af624aac87de7ae083cb3d455b44f1dedc4a3b5bbd01451966ba Message-Authenticator = 0xbe581a9933642f838bd86d2bf15cc1cf +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 86 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765 server (null) { PEAP: Setting User-Name to ROUTER\Hege Sending tunneled request EAP-Message = 0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ROUTER\\Hege" State = 0x13f3ed6713fbf70e77af625de147f876 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for ROUTER\Hege with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 103 to 192.168.1.1 port 1812 EAP-Message = 0x010900261900170301001bc71968d5cb15656ea6b482aba56df99a166bfba8c87844a6ad1c2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19f1a62729f634465079c20687 Finished request 8. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=104, length=200 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19f1a62729f634465079c20687 EAP-Message = 0x020900261900170301001b9806b1334ba9d945be522f2855f11e974d221b5b4c98dc0f8402ff Message-Authenticator = 0x7865e1d4e89a37f9d8a2daa60f56bdd6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ROUTER\Hege attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 104 to 192.168.1.1 port 1812 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds.
Hegedus Gabor wrote:
...
and here is the first part of debug: main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.0/24 { require_message_authenticator = no secret = "cisco" shortname = "switch" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "pass" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
User-Name = "ROUTER\\Hege"
Create (local) ream ROUTER { } in proxy.conf.
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6
Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix). If doesn't work, enable with-ntdomain-hack in mschap module. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
User-Name = "ROUTER\\Hege"
Create (local) ream ROUTER { } in proxy.conf.
ok
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6
Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix).
Sry but I don't know where is the authorize section... in the radiusd.conf it says in 2.0.0.0 version the authorise section is in a separate config file. it's ok, dut i don't find this file.
If doesn't work, enable with-ntdomain-hack in mschap module.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hegedus Gabor wrote:
tnt@kalik.net wrote:
User-Name = "ROUTER\\Hege"
Create (local) ream ROUTER { } in proxy.conf.
ok
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6
Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix).
Sry but I don't know where is the authorize section... in the radiusd.conf it says in 2.0.0.0 version the authorise section is in a separate config file. it's ok, dut i don't find this file.
If doesn't work, enable with-ntdomain-hack in mschap module.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Storno I found it!
tnt@kalik.net wrote:
User-Name = "ROUTER\\Hege"
Create (local) ream ROUTER { } in proxy.conf.
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6
Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix).
If doesn't work, enable with-ntdomain-hack in mschap module.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you, it works fine with this options gl GH
participants (4)
-
Hegedus Gabor -
Hegedus Gabor -
Seann Clark -
tnt@kalik.net